Sophos killing protected Excel spreadsheets

Anthony Peacock a.peacock at CHIME.UCL.AC.UK
Thu Jun 2 16:43:51 IST 2005


Hi,

I would first have a look at the following MailScanner configuration 
setting:

"Allowed Sophos Error Messages ="

> Julian,
> 
> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav 0.85.1
> (clamavmodule).
> 
> A password protected Excel spreadsheet is getting stopped by Sophos
> with the MailScanner report saying:
> 
>     SophosSAVI: 94237001F.xls caused an error: File was encrypted
>     (530)
> 
> and the user is howling because they can't email their spreadsheet. I
> ran the Excel file thru sweep by hand, eg:
> 
>     === Checking 94237001F.xls with Sophos sweep
>     SWEEP virus detection utility
>     Version 3.94.0 [Solaris/SPARC]
>     Virus data version 3.94, June 2005
>     Includes detection for 105167 viruses, trojans and worms
>     Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
> 
>     System time 11:03:52, System date 02 June 2005
>     Command line qualifiers are: -sc -f -all -rec -archive -loopback
>        --no-follow-symlinks --no-reset-atime -tnef
> 
>        (BTW, do these settings match MS?  Where to find them in MS?)
> 
>     IDE directory is: /opt/sophos/ide
>     .....
>     Full Sweeping
> 
>     Password protected file 94237001F.xls
> 
>     1 file swept in 3 seconds.
>     1 error was encountered.
>     No viruses were discovered.
>     1 encrypted file was not checked.
>     End of Sweep.
> 
> And sweep gives back a return code of 2.  This problem just started in
> the last month, eg Sophos 3.93.2 and 3.94 releases.
> 
> The user has a spreadsheet where the Tools -> Protection -> Protect
> Sheet feature of Excel has been used and a password was entered here. 
> She doesn't know the password.  We cracked it and an unprotected
> version of the file gets a zero return code from Sophos.  ClamAV has
> no problems with either version of the file.
> 
> I have "Block Encrypted Messages = no" in the MailScanner.conf file.
> 
> Suggestions please?  Anything that could be done with MailScanner?
> Does MS only look at zero/non-zero return codes from the virus
> scanners to determine virus or not?  Or does it consider non-zero
> return codes, eg "2 means encrypted" (I'm guessing here)?
> 
> Jeff Earickson
> Colby College
> 
> ------------------------ MailScanner list ------------------------ To
> unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
> mailscanner' in the body of the email. Before posting, read the Wiki
> (http://wiki.mailscanner.info/) and the archives
> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
> 


-- 
Anthony Peacock       
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"It is easy to be blinded to the essential uselessness of
computers by the sense of accomplishment you get from
getting them to work at all." -- Douglas Adams
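
Added example, not part of the original post and not MailScanner's or Sophos's own code: a small Python helper that reads a sweep summary like the one quoted above and separates "the only errors were encrypted files that could not be checked" from every other non-clean result. The function names and result labels are hypothetical, and it assumes each unchecked encrypted file is counted as one error, as in the quoted run.

```python
import re

# Constructed sample: the summary lines of the sweep run quoted in the post.
SAMPLE_SWEEP_OUTPUT = """\
Full Sweeping

Password protected file 94237001F.xls

1 file swept in 3 seconds.
1 error was encountered.
No viruses were discovered.
1 encrypted file was not checked.
End of Sweep.
"""


def summarize_sweep(output):
    """Extract the counters from a sweep summary (wording as in the post)."""
    def count(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return int(m.group(1)) if m else 0

    return {
        "swept": count(r"^\s*(\d+) files? swept"),
        # Plural wording ("errors were", "files were") is an assumption.
        "errors": count(r"^\s*(\d+) errors? (?:was|were) encountered"),
        "encrypted": count(r"^\s*(\d+) encrypted files? (?:was|were) not checked"),
        "no_viruses": bool(
            re.search(r"^\s*No viruses were discovered", output, re.MULTILINE)),
        "protected_files": re.findall(
            r"^\s*Password protected file (\S+)", output, re.MULTILINE),
    }


def classify(output):
    """Return a hypothetical label for why sweep did not report a clean run."""
    s = summarize_sweep(output)
    if not s["no_viruses"]:
        # Never downgrade a run that lacks the explicit "no viruses" line.
        return "infected-or-unknown"
    if s["errors"] == 0:
        return "clean"
    if s["errors"] == s["encrypted"]:
        # Every error is accounted for by an unchecked encrypted file.
        return "encrypted-only"
    return "other-error"


if __name__ == "__main__":
    print(classify(SAMPLE_SWEEP_OUTPUT), summarize_sweep(SAMPLE_SWEEP_OUTPUT))
```

An "encrypted-only" result still means the file's contents were never scanned by Sophos, so allowing that error through relies on the other scanner or on policy for those files.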
