Sophos killing protected Excel spreadsheets

Jeff A. Earickson jaearick at COLBY.EDU
Thu Jun 2 16:49:20 IST 2005


Oh happy day!  Would I just set this to:

Allowed Sophos Error Messages = "File was encrypted"

That's it??

Jeff

On Thu, 2 Jun 2005, Anthony Peacock wrote:

> Date: Thu, 2 Jun 2005 16:43:51 +0100
> From: Anthony Peacock <a.peacock at CHIME.UCL.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sophos killing protected Excel spreadsheets
> 
> Hi,
>
> I would first have a look at the following MailScanner configuration
> setting:
>
> "Allowed Sophos Error Messages ="
>
>> Julian,
>>
>> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav 0.85.1
>> (clamavmodule).
>>
>> A password protected Excel spreadsheet is getting stopped by Sophos
>> with the MailScanner report saying:
>>
>>     SophosSAVI: 94237001F.xls caused an error: File was encrypted
>>     (530)
>>
>> and the user is howling because they can't email their spreadsheet. I
>> ran the Excel file thru sweep by hand, eg:
>>
>>     === Checking 94237001F.xls with Sophos sweep
>>     SWEEP virus detection utility
>>     Version 3.94.0 [Solaris/SPARC]
>>     Virus data version 3.94, June 2005
>>     Includes detection for 105167 viruses, trojans and worms
>>     Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
>>
>>     System time 11:03:52, System date 02 June 2005
>>     Command line qualifiers are: -sc -f -all -rec -archive -loopback
>>        --no-follow-symlinks --no-reset-atime -tnef
>>
>>        (BTW, do these settings match MS?  Where to find them in MS?)
>>
>>     IDE directory is: /opt/sophos/ide
>>     .....
>>     Full Sweeping
>>
>>     Password protected file 94237001F.xls
>>
>>     1 file swept in 3 seconds.
>>     1 error was encountered.
>>     No viruses were discovered.
>>     1 encrypted file was not checked.
>>     End of Sweep.
>>
>> And sweep gives back a return code of 2.  This problem just started in
>> the last month, eg Sophos 3.93.2 and 3.94 releases.
>>
>> The user has a spreadsheet where the Tools -> Protection -> Protect
>> Sheet feature of Excel has been used and a password was entered here.
>> She doesn't know the password.  We cracked it and an unprotected
>> version of the file gets a zero return code from Sophos.  ClamAV has
>> no problems with either version of the file.
>>
>> I have "Block Encrypted Messages = no" in the MailScanner.conf file.
>>
>> Suggestions please?  Anything that could be done with MailScanner?
>> Does MS only look at zero/non-zero return codes from the virus
>> scanners to determine virus or not?  Or does it consider non-zero
>> return codes, eg "2 means encrypted" (I'm guessing here)?
>>
>> Jeff Earickson
>> Colby College
>>
>> ------------------------ MailScanner list ------------------------ To
>> unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
>> mailscanner' in the body of the email. Before posting, read the Wiki
>> (http://wiki.mailscanner.info/) and the archives
>> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>
> -- 
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
> "It is easy to be blinded to the essential uselessness of
> computers by the sense of accomplishment you get from
> getting them to work at all." -- Douglas Adams
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list