Sophos killing protected Excel spreadsheets

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jun 2 16:50:52 IST 2005


The Sophos command-line switches (for the 'sophos' scanner) are
-sc -f -all -rec -ss -archive -loopback --no-follow-symlinks --no-reset-atime -TNEF

You find them from the "ScanOptions" + "CommonOptions" in SweepViruses.pm + whatever may be specified in addition in /usr/lib/MailScanner/sophos-wrapper.

For the sophossavi scanner, the options are set by this bit of code:

   my @options = qw(
       FullSweep DynamicDecompression FullMacroSweep OLE2Handling
       IgnoreTemplateBit VBA3Handling VBA5Handling OF95DecryptHandling
       HelpHandling DecompressVBA5 Emulation PEHandling ExcelFormulaHandling
       PowerPointMacroHandling PowerPointEmbeddedHandling ProjectHandling
       ZipDecompression ArjDecompression RarDecompression UueDecompression
       GZipDecompression TarDecompression CmzDecompression HqxDecompression
       MbinDecompression !LoopBackEnabled
       Lha SfxArchives MSCabinet TnefAttachmentHandling MSCompress
       !DeleteAllMacros Vbe !ExecFileDisinfection VisioFileHandling
       Mime ActiveMimeHandling !DelVBA5Project
       ScrapObjectHandling SrpStreamHandling Office2001Handling
       Upx PalmPilotHandling HqxDecompression
       Pdf Rtf Html Elf WordB OutlookExpress
     );
   my $error = $SAVI->set('MaxRecursionDepth', 30, 1);

The "Encrypted Messages" options in MailScanner are designed to pick up things like SMIME messages and PGP encrypted messages. They are not relevant to your problem here.

What I suspect you are looking for is the "Allowed Sophos Error Messages" option in MailScanner.conf. The doc for this is:
# Anything on the next line that appears in brackets at the end of a line
# of output from Sophos will cause the error/infection to be ignored.
# Use of this option is dangerous, and should only be used if you are having
# trouble with lots of corrupt PDF files, for example.
# If you need to specify more than 1 string to find in the error message,
# then put each string in quotes and separate them with a comma.
# For example:
#Allowed Sophos Error Messages = "corrupt", "format not supported"

Let me know if this helps or whether you actually need a change in the MailScanner code. The allowed-error-messages code was written quite a long time ago, and Sophos may have changed their output since, making this option useless to you.


On 2 Jun 2005, at 16:35, Jeff A. Earickson wrote:

> Julian,
>
> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav 0.85.1
> (clamavmodule).
>
> A password protected Excel spreadsheet is getting stopped by Sophos
> with the MailScanner report saying:
>
>    SophosSAVI: 94237001F.xls caused an error: File was encrypted (530)
>
> and the user is howling because they can't email their spreadsheet.
> I ran the Excel file thru sweep by hand, eg:
>
>    === Checking 94237001F.xls with Sophos sweep
>    SWEEP virus detection utility
>    Version 3.94.0 [Solaris/SPARC]
>    Virus data version 3.94, June 2005
>    Includes detection for 105167 viruses, trojans and worms
>    Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
>
>    System time 11:03:52, System date 02 June 2005
>    Command line qualifiers are: -sc -f -all -rec -archive -loopback
>       --no-follow-symlinks --no-reset-atime -tnef
>
>       (BTW, do these settings match MS?  Where to find them in MS?)
>
>    IDE directory is: /opt/sophos/ide
>    .....
>    Full Sweeping
>
>    Password protected file 94237001F.xls
>
>    1 file swept in 3 seconds.
>    1 error was encountered.
>    No viruses were discovered.
>    1 encrypted file was not checked.
>    End of Sweep.
>
> And sweep gives back a return code of 2.  This problem just started in
> the last month, e.g. Sophos 3.93.2 and 3.94 releases.
>
> The user has a spreadsheet where the Tools -> Protection -> Protect Sheet
> feature of Excel has been used and a password was entered here.  She
> doesn't know the password.  We cracked it and an unprotected version
> of the file gets a zero return code from Sophos.  ClamAV has no
> problems with either version of the file.
>
> I have "Block Encrypted Messages = no" in the MailScanner.conf file.
>
> Suggestions please?  Anything that could be done with MailScanner?
> Does MS only look at zero/non-zero return codes from the virus scanners
> to determine virus or not?  Or does it consider non-zero return codes,
> e.g. "2 means encrypted" (I'm guessing here)?
>
> Jeff Earickson
> Colby College
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
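The matching rule that the MailScanner.conf comment quoted in the reply describes ("anything ... that appears in brackets at the end of a line of output from Sophos"), as an added stand-alone illustration in Python. This is not MailScanner's own Perl code and not part of Julian's or Jeff's messages. The scanner output lines are constructed for the example: only the "Password protected file 94237001F.xls" line is taken from the sweep run quoted above; the "Could not check ... (reason)" line shape, the EICAR virus line and the /var/spool/MailScanner/incoming paths are assumptions made for illustration, not a model of what any Sophos release prints.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of scanner output (not captured from a real run). The
# bracketed suffixes and the "Could not check" prefix are illustrative; the
# "Password protected file" line is the one the by-hand sweep in the thread
# actually printed, with no bracketed suffix at all.
SAMPLE_OUTPUT = """\
Full Sweeping
Could not check /var/spool/MailScanner/incoming/1/report.pdf (corrupt)
Could not check /var/spool/MailScanner/incoming/1/budget.xls (encrypted)
Could not check /var/spool/MailScanner/incoming/1/corrupt.pdf (encrypted)
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/1/eicar.com
Could not check /var/spool/MailScanner/incoming/1/odd.bin (format not supported)
Password protected file 94237001F.xls
1 file swept in 3 seconds.
"""

# Text inside a pair of brackets at the very end of a line, e.g. "(corrupt)".
BRACKET_RE = re.compile(r"\(([^()]*)\)\s*$")


def parse_allowed(value: str) -> List[str]:
    """Parse an 'Allowed Sophos Error Messages' value.

    The documented form is one or more strings in double quotes separated
    by commas; a bare unquoted value is taken as a single string.
    """
    quoted = [s.strip() for s in re.findall(r'"([^"]*)"', value)]
    if quoted:
        return [s for s in quoted if s]
    value = value.strip()
    return [value] if value else []


def bracketed_suffix(line: str) -> Optional[str]:
    """Return the text inside the trailing brackets, or None if there are none."""
    m = BRACKET_RE.search(line)
    return m.group(1) if m else None


def is_allowed_error(line: str, allowed: List[str]) -> bool:
    """True when the bracketed suffix contains any allowed string.

    Only the suffix is examined, so an allowed word elsewhere in the line
    (for instance inside a file name such as corrupt.pdf) does not silence
    the error, and a line with no bracketed suffix can never be silenced.
    """
    suffix = bracketed_suffix(line)
    if suffix is None:
        return False
    return any(s in suffix for s in allowed)


def classify(output: str, allowed: List[str]) -> List[Tuple[str, str]]:
    """Label each line: 'virus', 'error', 'ignored' (an error the allowed
    list silences) or 'info'. The prefixes tested here are those of the
    constructed sample, not MailScanner's real parser."""
    verdicts = []
    for line in output.splitlines():
        if line.startswith(">>> Virus"):
            verdict = "virus"
        elif line.startswith(("Could not check", "Password protected")):
            verdict = "ignored" if is_allowed_error(line, allowed) else "error"
        else:
            verdict = "info"
        verdicts.append((verdict, line))
    return verdicts


def summarize(output: str, allowed_value: str) -> dict:
    """Count verdicts for one config value, as it would appear in MailScanner.conf."""
    counts = {"virus": 0, "error": 0, "ignored": 0, "info": 0}
    for verdict, _ in classify(output, parse_allowed(allowed_value)):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for value in ('"corrupt", "format not supported"', '"encrypted"'):
        print(f"Allowed Sophos Error Messages = {value}")
        for verdict, line in classify(SAMPLE_OUTPUT, parse_allowed(value)):
            print(f"  {verdict:8} {line}")
        print("  ", summarize(SAMPLE_OUTPUT, value))
```

Two things to check before relying on the option. First, the line Jeff's sweep printed ("Password protected file 94237001F.xls") carries no bracketed suffix, so no allowed string can ever match it; that is the "Sophos may have changed their output" case Julian raises, and the only way to find out is to compare the scanner's current output against the rule. Second, every line the list silences is a file the scanner said it did not check (the sweep run above reports "1 encrypted file was not checked"), so an allowed string such as "encrypted" delivers every password-protected attachment unscanned, which is why the MailScanner.conf comment calls the option dangerous.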
