Sophos killing protected Excel spreadsheets
Julian Field
MailScanner at ecs.soton.ac.uk
Thu Jun 2 17:04:47 IST 2005
On 2 Jun 2005, at 16:55, Anthony Peacock wrote:
> Hi,
>
>
>> Oh happy day! Would I just set this to:
>>
>> Allowed Sophos Error Messages = "File was encrypted"
>>
>> That's it??
>>
>
> I haven't used it for this particular error message, but did use it a
> while back for "Corrupt".
>
> What you have above would fit the documented behaviour of that
> setting.

The "Allowed Sophos Error Messages" is currently not applied to the
sophossavi scanner, only the sophos scanner.

Would you like me to add some code to implement the same support in
sophossavi?

>> On Thu, 2 Jun 2005, Anthony Peacock wrote:
>>> Date: Thu, 2 Jun 2005 16:43:51 +0100
>>> From: Anthony Peacock <a.peacock at CHIME.UCL.AC.UK>
>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK> To:
>>> MAILSCANNER at JISCMAIL.AC.UK Subject: Re: Sophos killing protected
>>> Excel spreadsheets
>>>
>>> Hi,
>>>
>>> I would first have a look at the following MailScanner configuration
>>> setting:
>>>
>>> "Allowed Sophos Error Messages ="
>>>
>>>
>>>> Julian,
>>>>
>>>> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav
>>>> 0.85.1 (clamavmodule).
>>>>
>>>> A password protected Excel spreadsheet is getting stopped by Sophos
>>>> with the MailScanner report saying:
>>>>
>>>> SophosSAVI: 94237001F.xls caused an error: File was encrypted
>>>> (530)
>>>>
>>>> and the user is howling because they can't email their spreadsheet.
>>>> I ran the Excel file thru sweep by hand, eg:
>>>>
>>>> === Checking 94237001F.xls with Sophos sweep
>>>> SWEEP virus detection utility
>>>> Version 3.94.0 [Solaris/SPARC]
>>>> Virus data version 3.94, June 2005
>>>> Includes detection for 105167 viruses, trojans and worms
>>>> Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
>>>>
>>>> System time 11:03:52, System date 02 June 2005
>>>> Command line qualifiers are: -sc -f -all -rec -archive
>>>> -loopback
>>>> --no-follow-symlinks --no-reset-atime -tnef
>>>>
>>>> (BTW, do these settings match MS? Where to find them in
>>>> MS?)
>>>>
>>>> IDE directory is: /opt/sophos/ide
>>>> .....
>>>> Full Sweeping
>>>>
>>>> Password protected file 94237001F.xls
>>>>
>>>> 1 file swept in 3 seconds.
>>>> 1 error was encountered.
>>>> No viruses were discovered.
>>>> 1 encrypted file was not checked.
>>>> End of Sweep.
>>>>
>>>> And sweep gives back a return code of 2. This problem just started
>>>> in the last month, eg Sophos 3.93.2 and 3.94 releases.
>>>>
>>>> The user has a spreadsheet where the Tools -> Protection -> Protect
>>>> Sheet feature of Excel has been used and a password was entered
>>>> here. She doesn't know the password. We cracked it and an
>>>> unprotected version of the file gets a zero return code from
>>>> Sophos. ClamAV has no problems with either version of the file.
>>>>
>>>> I have "Block Encrypted Messages = no" in the MailScanner.conf
>>>> file.
>>>>
>>>> Suggestions please? Anything that could be done with MailScanner?
>>>> Does MS only look at zero/non-zero return codes from the virus
>>>> scanners to determine virus or not? Or does it consider non-zero
>>>> return codes, eg "2 means encrypted" (I'm guessing here)?
>>>>
>>>> Jeff Earickson
>>>> Colby College
>>>>
>>>> ------------------------ MailScanner list ------------------------
>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>> 'leave mailscanner' in the body of the email. Before posting, read
>>>> the Wiki (http://wiki.mailscanner.info/) and the archives
>>>> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>>
>>> --
>>> Anthony Peacock
>>> CHIME, Royal Free & University College Medical School
>>> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
>>> "It is easy to be blinded to the essential uselessness of
>>> computers by the sense of accomplishment you get from
>>> getting them to work at all." -- Douglas Adams
>>>
>>
>
>
> --
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
> "In the beginning of a change, the patriot is a brave and scarce man,
> hated and scorned. When the cause succeeds, however, the timid join
> him...for then it costs nothing to be a patriot." -Mark Twain
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
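
The behaviour described in the reply above, as an added example that is not MailScanner's code and not part of the original post: an allow-list of scanner error messages only takes effect for scanners that implement it, so the SophosSAVI report line from the thread stays blocked until sophossavi honours the setting. The function and parameter names, the case-insensitive substring match, and the sample lines marked as constructed are assumptions of this example.

```python
import re

# Shape of the report line quoted in the thread:
#   SophosSAVI: 94237001F.xls caused an error: File was encrypted (530)
ERROR_LINE = re.compile(
    r"^(?P<scanner>[A-Za-z]+): (?P<file>.+?) caused an error: "
    r"(?P<message>.*?)\s*(?:\((?P<code>\d+)\))?$"
)


def classify(report_lines, allowed_messages, scanners_honouring_allow_list):
    """Return (scanner, file, message, verdict) for every scanner error line.

    verdict is "blocked" or "delivered-unscanned"; an allowed error is never
    reported as clean, because the scanner did not inspect the content.
    """
    allowed = [m.lower() for m in allowed_messages if m.strip()]
    honouring = {s.lower() for s in scanners_honouring_allow_list}
    results = []
    for line in report_lines:
        match = ERROR_LINE.match(line.strip())
        if not match:
            continue  # not an error report; infection lines are out of scope
        message = match["message"]
        is_allowed = (
            match["scanner"].lower() in honouring
            and any(phrase in message.lower() for phrase in allowed)
        )
        verdict = "delivered-unscanned" if is_allowed else "blocked"
        results.append((match["scanner"], match["file"], message, verdict))
    return results


# Constructed input: only the first line is quoted from the thread; the
# other two are made-up lines in the same shape.
SAMPLE_REPORT = [
    "SophosSAVI: 94237001F.xls caused an error: File was encrypted (530)",
    "Sophos: budget.xls caused an error: File was encrypted",
    "SophosSAVI: notes.doc caused an error: Corrupt",
]
ALLOWED = ["File was encrypted"]

if __name__ == "__main__":
    # First pass: only "sophos" honours the list; second pass: both do.
    for scanners in (["Sophos"], ["Sophos", "SophosSAVI"]):
        print(scanners)
        for row in classify(SAMPLE_REPORT, ALLOWED, scanners):
            print("  ", row)
```

The "delivered-unscanned" verdict is kept separate from a clean result so that attachments passed on the strength of an allowed error message can still be logged and counted.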