Sophos killing protected Excel spreadsheets

Jeff A. Earickson jaearick at COLBY.EDU
Thu Jun 2 16:35:28 IST 2005


Julian,

Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav 0.85.1
(clamavmodule).

A password-protected Excel spreadsheet is getting stopped by Sophos,
with the MailScanner report saying:

    SophosSAVI: 94237001F.xls caused an error: File was encrypted (530)

and the user is howling because they can't email their spreadsheet.
I ran the Excel file through sweep by hand, e.g.:

    === Checking 94237001F.xls with Sophos sweep
    SWEEP virus detection utility
    Version 3.94.0 [Solaris/SPARC]
    Virus data version 3.94, June 2005
    Includes detection for 105167 viruses, trojans and worms
    Copyright (c) 1989-2005 Sophos Plc, www.sophos.com

    System time 11:03:52, System date 02 June 2005
    Command line qualifiers are: -sc -f -all -rec -archive -loopback
       --no-follow-symlinks --no-reset-atime -tnef

       (BTW, do these settings match MS?  Where to find them in MS?)

    IDE directory is: /opt/sophos/ide
    .....
    Full Sweeping

    Password protected file 94237001F.xls

    1 file swept in 3 seconds.
    1 error was encountered.
    No viruses were discovered.
    1 encrypted file was not checked.
    End of Sweep.

And sweep gives back a return code of 2.  This problem just started in
the last month, e.g. the Sophos 3.93.2 and 3.94 releases.

The user has a spreadsheet where the Tools -> Protection -> Protect Sheet
feature of Excel has been used and a password was entered here.  She
doesn't know the password.  We cracked it and an unprotected version
of the file gets a zero return code from Sophos.  ClamAV has no problems 
with either version of the file.

I have "Block Encrypted Messages = no" in the MailScanner.conf file.

Suggestions please?  Anything that could be done with MailScanner?
Does MS only look at zero/non-zero return codes from the virus scanners
to determine virus or not?  Or does it consider non-zero return codes,
e.g. "2 means encrypted" (I'm guessing here)?

Jeff Earickson
Colby College
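
The following is an added example, not part of the original post and not MailScanner or Sophos code. It sketches how a wrapper could separate "encrypted, not scanned" from "clean" using only the sweep summary lines quoted above, and it fails closed to manual review on anything else. The function name, the verdict labels and the plural forms of the summary lines are assumptions.

```python
import re

# Constructed sample: the summary portion of the sweep report quoted in the post.
SAMPLE_REPORT = """\
Full Sweeping

Password protected file 94237001F.xls

1 file swept in 3 seconds.
1 error was encountered.
No viruses were discovered.
1 encrypted file was not checked.
End of Sweep.
"""


def _count(pattern, text):
    """Return the integer captured by pattern, or 0 if the line is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def classify_sweep(report, exit_code):
    """Classify one sweep run as 'clean', 'unscanned-encrypted' or 'review'.

    exit_code is the process return code. The post observed 0 for the
    unprotected file and 2 for the protected one; no wider meaning of the
    codes is assumed here.
    """
    complete = "End of Sweep." in report
    no_virus = "No viruses were discovered." in report
    # Plural variants ("errors were") are an assumption, not shown in the post.
    errors = _count(r"^\s*(\d+) errors? (?:was|were) encountered\.", report)
    encrypted = _count(
        r"^\s*(\d+) encrypted files? (?:was|were) not checked\.", report)
    protected = [p.strip() for p in re.findall(
        r"^\s*Password protected file (.+)$", report, re.MULTILINE)]

    # Fail closed: a truncated report or a missing "no viruses" line is never clean.
    if not (complete and no_virus):
        return ("review", protected)
    if exit_code == 0 and errors == 0 and encrypted == 0:
        return ("clean", [])
    # Every reported error must be explained by an encrypted, unchecked file.
    if exit_code != 0 and errors > 0 and errors == encrypted == len(protected):
        return ("unscanned-encrypted", protected)
    return ("review", protected)
```

A verdict of `unscanned-encrypted` means the scanner made no statement about the file's content, so whether to deliver it is a policy decision rather than a scan result.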
