SV: Sophos issues
Anders Andersson, IT
andersan at LTKALMAR.SE
Wed Jan 29 09:42:25 GMT 2003
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 28 January 2003 20:04
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sophos issues
>
>
> One more thing, is this just being experienced by Sophos users?
> How about all you F-Prot users out there?
Running F-Prot and no problems at all
/Anders
>
> At 18:49 28/01/2003, you wrote:
> >But I still haven't been sent any examples of a file in its
> >corrupt+noncorrupt state.
> >The curious thing is that the MIME parsing & regenerating code hasn't
> >changed since I first wrote V4, and that code is functionally the same as
> >that in V3.
> >
> >So why has this only just become a problem? My MIME code hasn't changed.
> >
> >At 16:45 28/01/2003, you wrote:
> >>My initial testing with the new release is that it acts the same as the
> >>old release... But part of the problem is that the only files I currently
> >>have for testing are files that look like they are already corrupted. So,
> >>I don't know if the new version really fixes it or not. It is definitely
> >>the case that corrupted PDF and XLS files come out on the other end as
> >>being flagged {Virus?} and (corrupt), which is still not desired.
> >>
> >>Scott
> >>
> >>--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins
> >><adkinss at OHIO.EDU> wrote:
> >>
> >>>Ah, okay... I will give that a try... I will let you know what happens...
> >>>
> >>>Scott
> >>>
> >>>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
> >>><mailscanner at ECS.SOTON.AC.UK> wrote:
> >>>
> >>>>Can I suggest you upgrade to the latest 3.66 release of Sophos.
> >>>>I have been sent a few files which 3.62 and other releases complain are
> >>>>corrupt.
> >>>>3.66 happily scans them.
> >>>>
> >>>>At 17:59 27/01/2003, you wrote:
> >>>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
> >>>>><mailscanner at ECS.SOTON.AC.UK> wrote:
> >>>>>
> >>>>>>> The files are already
> >>>>>>>"corrupt" by the time that Sophos sees it (basically, it can't see
> >>>>>>>both the start of the file and the end of the file, is what I was
> >>>>>>>told). I asked about the RAR archives, and she said that Sophos
> >>>>>>>currently can't scan RAR version 3 archives, but that will be
> >>>>>>>available in the next release. She suggested that I quarantine
> >>>>>>>messages and release the files that get labeled corrupted, or in the
> >>>>>>>case of the RAR files, maybe put the file extension on a whitelist,
> >>>>>>>basically.
> >>>>>>
> >>>>>>When it finds a file is corrupt, MailScanner removes it, right?
> >>>>>
> >>>>>Actually no... It looks like the attachments come through okay, though,
> >>>>>the files are indeed corrupted. I am still trying to get the original
> >>>>>files from the authors to see if they started that way or not... So, I
> >>>>>can't know for sure what happens, but the attachment doesn't appear to
> >>>>>be removed, just a warning message inserted into the body of the message
> >>>>>indicating that the file is corrupted.
> >>>>>
> >>>>>>Is it happening often enough that you could archive all mail for a
> >>>>>>little while until it happens? If so, we can actually get a test case
> >>>>>>together to prove exactly what is happening to the message. Until I can
> >>>>>>get my hands on a test case, it is very difficult to work out what is
> >>>>>>happening.
> >>>>>
> >>>>>I don't think so... We get several hundred emails going through our
> >>>>>system a minute... We have enough problems trying to stay afloat with
> >>>>>CPU load and (especially) disk I/O. When we turned on quarantining for
> >>>>>about a 10 hour time period, we had about 1.5GB of disk space
> >>>>>consumed... so, it makes me a bit afraid to do anything on our
> >>>>>production server like that :-)
> >>>>>
> >>>>>>Are they suggesting that the file put into the quarantine is actually
> >>>>>>okay, but the file being scanned is not? That would be a neat trick...
> >>>>>
> >>>>>That is a good point... My concern was with regards of a message coming
> >>>>>in that was fine and somehow MailScanner or Sophos was corrupting the
> >>>>>message and that was what got put into the attachment... but that seems
> >>>>>a bit less likely at this point, and I feel like the file is starting
> >>>>>out corrupt. If I had to guess right now, Sophos is expecting
> >>>>>documents to be exactly compliant with those document standard formats
> >>>>>(i.e. DOC files must follow Microsoft Word Document format, PDF files
> >>>>>follow Adobe PDF file formats etc). There doesn't appear to be much
> >>>>>room in the way of flexibility. I have seen other programs, like Star
> >>>>>Office, write their documents that are mostly compliant, but not quite,
> >>>>>and maybe those would be flagged by Sophos as being corrupted.
> >>>>>Anyways, those are guesses.
> >>>>>
> >>>>>>>What would be really helpful, at this point, is a way for me to set an
> >>>>>>>option to allow corrupted files to pass through MailScanner without
> >>>>>>>being flagged as viruses and without being touched. The same goes for
> >>>>>>>scanning of external MIME attachments (which is another thread).
> >>>>>>>There should be an option to not flag those as viruses and to allow
> >>>>>>>the messages to pass through untouched. Both of these issues are
> >>>>>>>generated support calls for us right now.
> >>>>>>
> >>>>>>The "external bodies" switch will be in the next version. I'll have to
> >>>>>>take a look at how easy it would be to add a switch for the other bit.
> >>>>>
> >>>>>Great! I will let the users know about this (the external bodies
> >>>>>thing).
> >>>>>
> >>>>>>How come this is only happening with Sophos? No-one else is reporting
> >>>>>>any problems, only the people using Sophos.
> >>>>>
> >>>>>That is a good point... If I knew our system could support another virus
> >>>>>scanner, such as ClamV or something like that, I would put it on.... as
> >>>>>is, we are now running without spam checking just so we can get some
> >>>>>benefit of MailScanner doing virus checking on messages... when we start
> >>>>>to fall behind in the mail queues, even that gets turned off.
> >>>>>
> >>>>>On average, we get several hundred messages a minute. When we get
> >>>>>spammed (usually by our own university departments), we get way more
> >>>>>than that :)
> >>>>>
> >>>>>Scott
> >>>>>--
> >>>>>+-----------------------------------------------------------------------+
> >>>>> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> >>>>> UNIX Systems Engineer mailto:adkinss at ohio.edu
> >>>>> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> >>>>>+-----------------------------------------------------------------------+
> >>>>> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
> >>>>
> >>>>--
> >>>>Julian Field
> >>>>www.MailScanner.info
> >>>>MailScanner thanks transtec Computers for their support
> >>>
> >>>
> >>>--
> >>>
> >>>+-----------------------------------------------------------------------+
> >>> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> >>> UNIX Systems Engineer mailto:adkinss at ohio.edu
> >>> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> >>>+-----------------------------------------------------------------------+
> >>> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
> >>
> >>
> >>--
> >>+-----------------------------------------------------------------------+
> >> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> >> UNIX Systems Engineer mailto:adkinss at ohio.edu
> >> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> >>+-----------------------------------------------------------------------+
> >> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>