Sophos killing protected Excel spreadsheets

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Jun 2 16:40:46 IST 2005


Jeff

try ammending the

Allowed Sophos Error Messages = "corrupt", "format not supported"

In MailScanner.conf to

Allowed Sophos Error Messages = "corrupt", "format not supported", 
"Password protected file"

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Jeff A. Earickson wrote:
> Julian,
> 
> Setup: Solaris 9, MS 4.42.3, Sophos 3.93 (sophossavi), clamav 0.85.1
> (clamavmodule).
> 
> A password protected Excel spreadsheet is getting stopped by Sophos
> with the MailScanner report saying:
> 
>    SophosSAVI: 94237001F.xls caused an error: File was encrypted (530)
> 
> and the user is howling because they can't email their spreadsheet.
> I ran the Excel file thru sweep by hand, eg:
> 
>    === Checking 94237001F.xls with Sophos sweep
>    SWEEP virus detection utilityPassword protected file
>    Version 3.94.0 [Solaris/SPARC]
>    Virus data version 3.94, June 2005
>    Includes detection for 105167 viruses, trojans and worms
>    Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
> 
>    System time 11:03:52, System date 02 June 2005
>    Command line qualifiers are: -sc -f -all -rec -archive -loopback
>       --no-follow-symlinks --no-reset-atime -tnef
> 
>       (BTW, do these settings match MS?  Where to find them in MS?)
> 
>    IDE directory is: /opt/sophos/ide
>    .....
>    Full Sweeping
> 
>    Password protected file 94237001F.xls
> 
>    1 file swept in 3 seconds.
>    1 error was encountered.
>    No viruses were discovered.
>    1 encrypted file was not checked.
>    End of Sweep.
> 
> And sweep gives back a return code of 2.  This problem just started in 
> the last month, eg Sophos 3.93.2 and 3.94 releases.
> 
> The user has a spreadsheet where the Tools -> Protection -> Protect Sheet
> feature of Excel has been used and a password was entered here.  She
> doesn't know the password.  We cracked it and an unprotected version
> of the file gets a zero return code from Sophos.  ClamAV has no problems 
> with either version of the file.
> 
> I have "Block Encrypted Messages = no" in the MailScanner.conf file.
> 
> Suggestions please?  Anything that could be done with MailScanner?
> Does MS only look at zero/non-zero return codes from the virus scanners
> to determine virus or not?  Or does it consider non-zero return codes,
> eg "2 means encrypted" (I'm guessing here)?
> 
> Jeff Earickson
> Colby College
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list