Whoa!! "Virus Scan failed" What?

Jeff A. Earickson jaearick at COLBY.EDU
Fri Sep 12 15:40:19 IST 2003


Julian,

   I suppose you could have a configurable switch that controls what to
do with a message if the virus scanner coughs up a "failed" message, i.e.
deliver, quarantine, delete, bounce, forward, etc.  In thinking about it
I would have the default be deliver (what happens now), because if a
virus scanner got screwed up and failed on everything -- all of the
other settings would be a train wreck.  I would rather have some infected
PCs to clean up instead of 20K messages falling on the floor.

Probably your headache is determining what a failed virus scan is from
each of the many anti-virus products out there.  Probably all of them
have different return codes for failure situations.  Then there is the
case of what to do if anti-virus "a" fails but anti-virus "b" says the
message is ok.  Then what?

--- Jeff Earickson
    Colby College

On Fri, 12 Sep 2003, Julian Field wrote:

> Date: Fri, 12 Sep 2003 02:49:18 +0100
> From: Julian Field <mailscanner at ECS.SOTON.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Whoa!! "Virus Scan failed"  What?
>
> At 19:01 11/09/2003, you wrote:
> >On Thu, 2003-09-11 at 18:34, Jeff A. Earickson wrote:
> >
> > >Sep 11 12:40:07 basalt <22>MailScanner[17224]: ERROR:: Virus scan failed (514):: ./h8BGdlAn026143/.pdf
> >
> >This has been discussed in the last few days, there are certain pdfs
> >Sophos has problems with.
> >
> > >Whoa...  The virus scan failed, so the email got delivered?  This seems
> > >like a Bad Thing (tm).
> >
> >It might also seem like a bad thing if a regular update screwed your
> >scanner and so all mail was rejected?
> >You're running clam too, which presumably didn't fail and returned a
> >clean result?  I think the answer is to run multiple scanners, but I'd
> >be interested in knowing the logic here.  We know that if any scanner finds
> >a virus the mail is 'infected', but presumably if one fails to scan but
> >the other one doesn't find anything it assumes clean?  That seems
> >sensible to me.
>
> Given all the above, what would you like it to do? At the moment it logs
> the fact that something nasty happened, but doesn't actually remove the
> file from the message. I guess you would like it to be removed, am I
> correct? The snag is that with SophosSAVI you can't specify the "allowed
> error messages" so all files it didn't like (such as quite a lot of
> non-Acrobat-generated PDF files) would always get trapped.
>
> Let me know your thoughts...
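
Added example, not part of the original thread and not MailScanner code: a sketch of the configurable switch discussed above, combining per-scanner results (clean, infected, failed) into one disposition for a message. The function and parameter names, and the "quarantine" default for infected mail, are assumptions made for illustration; the action names come from the list in the message.

```python
from enum import Enum

class Result(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    FAILED = "failed"   # scanner errored out: no verdict either way

# Dispositions listed in the message above (names are illustrative).
ACTIONS = {"deliver", "quarantine", "delete", "bounce", "forward"}

def decide(results, on_failure="deliver", infected_action="quarantine",
           clean_overrides_failure=True):
    """Combine scanner-name -> Result into (action, reason) for one message.

    on_failure="deliver" is the fail-open default argued for in the thread;
    clean_overrides_failure answers "a fails but b says ok".
    """
    if on_failure not in ACTIONS or infected_action not in ACTIONS:
        raise ValueError("unknown action")
    if not results:
        return on_failure, "no scanner produced a result"
    infected = sorted(n for n, r in results.items() if r is Result.INFECTED)
    failed = sorted(n for n, r in results.items() if r is Result.FAILED)
    clean = sorted(n for n, r in results.items() if r is Result.CLEAN)
    # A positive detection from any scanner wins over everything else.
    if infected:
        return infected_action, "infected per " + ", ".join(infected)
    if not failed:
        return "deliver", "clean per " + ", ".join(clean)
    # No detection, at least one failure: optionally trust the clean verdicts.
    if clean and clean_overrides_failure:
        return "deliver", "failed: %s; clean per %s" % (
            ", ".join(failed), ", ".join(clean))
    return on_failure, "scan failed: " + ", ".join(failed)

if __name__ == "__main__":
    # Constructed case from the thread: Sophos fails on a PDF, clam is clean.
    mixed = {"sophos": Result.FAILED, "clamav": Result.CLEAN}
    print(decide(mixed))
    print(decide(mixed, on_failure="quarantine", clean_overrides_failure=False))
    # A scanner broken by a bad update fails on everything; fail-open delivers.
    print(decide({"sophos": Result.FAILED}))
```

Whatever the policy, the reason string should be logged with the message id so that mail delivered after a failed scan can be found and rescanned later.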


