Sophos issues

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Tue Jan 28 21:27:12 GMT 2003


I upgraded to 3.66 and asked a user to send me the test file that caused
problems last week.

Turns out the problem is still there!  He sent me a file with an XML
extension (no trace of this one in filename.rules.conf) and put his own
email address in cc:.

I received the file OK and have been able to load it in Mozilla.

He received an error message with the subject changed to include {VIRUS}
and the following error message:
Could not check winmail.dat (corrupt)

Strange thing: his message had no winmail.dat in it (there was none in
the copy I received), just the S812.CHOIXET.XML file.

He also received a second message saying that his PC was probably
infected and should be checked...  again, the message included:
Could not check winmail.dat (corrupt)

Any ideas what is going on?


On Tue 28/01/2003 at 04:52, Julian Field wrote:
> Can I suggest you upgrade to the latest 3.66 release of Sophos.
> I have been sent a few files which 3.62 and other releases complain are
> corrupt.
> 3.66 happily scans them.
> At 17:59 27/01/2003, you wrote:
> >--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
> ><mailscanner at ECS.SOTON.AC.UK> wrote:
> >
> >>>   The files are already
> >>>"corrupt" by the time that Sophos sees it (basically, it can't see both
> >>>the start of the file and the end of the file, is what I was told).  I
> >>>asked about the RAR archives, and she said that Sophos currently can't
> >>>scan RAR version 3 archives, but that will be available in the next
> >>>release.  She suggested that I quarantine messages and release the files
> >>>that get labeled corrupted, or in the case of the RAR files, maybe put
> >>>the file extension on a whitelist, basically.
> >>
> >>When it finds a file is corrupt, MailScanner removes it, right?
> >
> >Actually no... It looks like the attachments come through okay, though,
> >the files are indeed corrupted.  I am still trying to get the original
> >files from the authors to see if they started that way or not... So, I
> >can't know for sure what happens, but the attachment doesn't appear to be
> >removed, just a warning message inserted into the body of the message
> >indicating that the file is corrupted.
> >
> >>Is it happening often enough that you could archive all mail for a little
> >>while until it happens? If so, we can actually get a test case together
> >>to prove exactly what is happening to the message. Until I can get my
> >>hands on a test case, it is very difficult to work out what is happening.
> >
> >I don't think so... We get several hundred emails going through our system
> >a minute... We have enough problems trying to stay afloat with CPU load and
> >(especially) disk I/O.  When we turned on quarantining for about a 10 hour
> >time period, we had about 1.5GB of disk space consumed... so, it makes me
> >a bit afraid to do anything on our production server like that :-)
> >
> >>Are they suggesting that the file put into the quarantine is actually
> >>okay, but the file being scanned is not? That would be a neat trick...
> >
> >That is a good point... My concern was with regards of a message coming
> >in that was fine and somehow MailScanner or Sophos was corrupting the
> >message and that was what got put into the attachment... but that seems
> >a bit less likely at this point, and I feel like the file is starting out
> >corrupt.  If I had to guess right now, Sophos is expecting documents to
> >be exactly compliant with those document standard formats (i.e. DOC files
> >must follow Microsoft Word Document format, PDF files follow Adobe PDF
> >file formats etc).  There doesn't appear to be much room in the way of
> >flexibility.  I have seen other programs, like Star Office, write their
> >documents that are mostly compliant, but not quite, and maybe those would
> >be flagged by Sophos as being corrupted.  Anyways, those are guesses.
> >
> >>>What would be really helpful, at this point, is a way for me to set an
> >>>option to allow corrupted files to pass through MailScanner without being
> >>>flagged as viruses and without being touched.  The same goes for scanning
> >>>of external MIME attachments (which is another thread).  There should be
> >>>an option to not flag those as viruses and to allow the messages to pass
> >>>through untouched.  Both of these issues are generating support calls for
> >>>us right now.
> >>
> >>The "external bodies" switch will be in the next version. I'll have to
> >>take a look at how easy it would be to add a switch for the other bit.
> >
> >Great!  I will let the users know about this (the external bodies thing).
> >
> >>How come this is only happening with Sophos? No-one else is reporting any
> >>problems, only the people using Sophos.
> >
> >That is a good point... If I knew our system could support another virus
> >scanner, such as ClamAV or something like that, I would put it on.... as is,
> >we are now running without spam checking just so we can get some benefit
> >of MailScanner doing virus checking on messages... when we start to fall
> >behind in the mail queues, even that gets turned off.
> >
> >On average, we get several hundred messages a minute.  When we get spammed
> >(usually by our own university departments), we get way more than that :)
> >
> >Scott
> >--
> >+-----------------------------------------------------------------------+
> >      Scott W. Adkins      
> >   UNIX Systems Engineer                  mailto:adkinss at
> >        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
> >+-----------------------------------------------------------------------+
> >     PGP Public Key available at
> --
> Julian Field
> MailScanner thanks transtec Computers for their support
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
