Sophos killing protected Excel spreadsheets

Anthony Peacock a.peacock at CHIME.UCL.AC.UK
Thu Jun 2 16:55:05 IST 2005 

Hi,

> Oh happy day!  Would I just set this to:
> 
> Allowed Sophos Error Messages = "File was encrypted"
> 
> That's it??

I haven't used it for this particular error message, but did use it a 
while back for "Corrupt".

What you have above would fit the documented behaviour of that 
setting.





> 
> Jeff
> 
> On Thu, 2 Jun 2005, Anthony Peacock wrote:
> 
> > Date: Thu, 2 Jun 2005 16:43:51 +0100
> > From: Anthony Peacock <a.peacock at CHIME.UCL.AC.UK>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK> To:
> > MAILSCANNER at JISCMAIL.AC.UK Subject: Re: Sophos killing protected
> > Excel spreadsheets
> > 
> > Hi,
> >
> > I would first have a look at the following MailScanner configuration
> > setting:
> >
> > "Allowed Sophos Error Messages ="
> >
> >> Julian,
> >>
> >> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav
> >> 0.85.1 (clamavmodule).
> >>
> >> A password protected Excel spreadsheet is getting stopped by Sophos
> >> with the MailScanner report saying:
> >>
> >>     SophosSAVI: 94237001F.xls caused an error: File was encrypted
> >>     (530)
> >>
> >> and the user is howling because they can't email their spreadsheet.
> >> I ran the Excel file thru sweep by hand, eg:
> >>
> >>     === Checking 94237001F.xls with Sophos sweep
> >>     SWEEP virus detection utility
> >>     Version 3.94.0 [Solaris/SPARC]
> >>     Virus data version 3.94, June 2005
> >>     Includes detection for 105167 viruses, trojans and worms
> >>     Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
> >>
> >>     System time 11:03:52, System date 02 June 2005
> >>     Command line qualifiers are: -sc -f -all -rec -archive
> >>     -loopback
> >>        --no-follow-symlinks --no-reset-atime -tnef
> >>
> >>        (BTW, do these settings match MS?  Where to find them in
> >>        MS?)
> >>
> >>     IDE directory is: /opt/sophos/ide
> >>     .....
> >>     Full Sweeping
> >>
> >>     Password protected file 94237001F.xls
> >>
> >>     1 file swept in 3 seconds.
> >>     1 error was encountered.
> >>     No viruses were discovered.
> >>     1 encrypted file was not checked.
> >>     End of Sweep.
> >>
> >> And sweep gives back a return code of 2.  This problem just started
> >> in the last month, eg Sophos 3.93.2 and 3.94 releases.
> >>
> >> The user has a spreadsheet where the Tools -> Protection -> Protect
> >> Sheet feature of Excel has been used and a password was entered
> >> here. She doesn't know the password.  We cracked it and an
> >> unprotected version of the file gets a zero return code from
> >> Sophos.  ClamAV has no problems with either version of the file.
> >>
> >> I have "Block Encrypted Messages = no" in the MailScanner.conf
> >> file.
> >>
> >> Suggestions please?  Anything that could be done with MailScanner?
> >> Does MS only look at zero/non-zero return codes from the virus
> >> scanners to determine virus or not?  Or does it consider non-zero
> >> return codes, eg "2 means encrypted" (I'm guessing here)?
> >>
> >> Jeff Earickson
> >> Colby College
> >>
> >> ------------------------ MailScanner list ------------------------
> >> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >> 'leave mailscanner' in the body of the email. Before posting, read
> >> the Wiki (http://wiki.mailscanner.info/) and the archives
> >> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
> >
> >
> > -- 
> > Anthony Peacock
> > CHIME, Royal Free & University College Medical School
> > WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
> > "It is easy to be blinded to the essential uselessness of
> > computers by the sense of accomplishment you get from
> > getting them to work at all." -- Douglas Adams
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
> > mailscanner' in the body of the email. Before posting, read the Wiki
> > (http://wiki.mailscanner.info/) and the archives
> > (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> >
> 
> ------------------------ MailScanner list ------------------------ To
> unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
> mailscanner' in the body of the email. Before posting, read the Wiki
> (http://wiki.mailscanner.info/) and the archives
> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
> 


-- 
Anthony Peacock       
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"In the beginning of a change, the patriot is a brave and scarce man,
hated and scorned. When the cause succeeds, however, the timid join
him...for then it costs nothing to be a patriot." -Mark Twain

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list