A cautionary tale of Sophos and MS

Mills Mr C P C.P.Mills at cranfield.ac.uk
Mon Feb 6 12:21:12 GMT 2006

I would block password-protected by default. If password-protected files can
not be scanned, they should not be allowed through automatically. Didn't
Netsky (or was it Sobig?) use a password-protected zip with the password in
the body of the message to get around exactly this? Surely it won't take
long for virus writers to realise they can just create password-protected
Word files with dodgy macros in?

Perhaps a setting which defines separately what to do with password-protected
files (including zips, Word docs, Excel spreadsheets etc.) would be helpful.
Personally, I would like to dump or quarantine them on the grounds I cannot
be sure they are clean. Or how about a generalised "Do something when virus
result = regexp" type tag which would allow people to define their own rules
for "corrupt", "password protected" etc.?

Talking of which, I asked a question last week which no one seems to have
come up with a suggestion for. I want to dump all silent viruses, but
quarantine and notify about password protected files which could not be
scanned. Anyone have any ideas how?

Chris Mills, Cranfield University.

Christopher P. Mills – Cranfield University Shrivenham Campus
Defence College of Management and Technology
Defence Academy of the United Kingdom, Shrivenham, Swindon SN6 8LA
Tel: +44 (0)1793 785 633	Fax: +44 (0)1793 785 903
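The rule-driven handling asked for above, written out as an added example. This is not MailScanner code and not a MailScanner.conf syntax; it is a small stand-alone policy engine that applies ordered regexes to scanner result lines. The only real input is the Sophos log line quoted in the thread; the result-line format "Scanner::STATUS:: detail:: path" is assumed from that one line, the INFECTED and "File was encrypted" lines are constructed in the same shape, and the semantics of an "allowed" error (ignore it and treat the file as clean) are an assumption about the option being discussed. The point it shows is that a scanner error is never mapped to a silent dump, so a stale signature database or an unscannable attachment ends in quarantine plus a notification rather than in the bitbucket.

```python
"""Added example, not MailScanner code: ordered-regex policy for scanner
results ("do something when virus result = regexp"), built so that a
scanner ERROR can never end in a silent dump."""
import re
from enum import IntEnum


class Action(IntEnum):
    """Severity order: the strictest action among a message's results wins."""
    DELIVER = 0            # pass the message through untouched
    QUARANTINE_NOTIFY = 1  # keep a copy, notify postmaster/recipient
    DUMP = 2               # silent delete: no copy, no notification


# Assumed result-line shape, modelled on the Sophos line quoted in the thread:
#   Scanner::STATUS:: detail:: path
RESULT_RE = re.compile(
    r"^(?P<scanner>\w+)::(?P<status>[A-Z]+)::\s*(?P<detail>.*?)::\s*(?P<path>\S+)$")


def parse_result(line):
    """Split one scanner result line into its fields; None if it does not fit."""
    m = RESULT_RE.match(line.strip())
    return m.groupdict() if m else None


# The default proposed in the thread: these error substrings are ignored and
# the file is delivered as if clean (assumed semantics of the option).
ALLOWED_ERRORS_PROPOSED = ["corrupt", "format not supported",
                           "File was encrypted",
                           "The main body of virus data is out of date"]
# The stricter variant argued for above: encrypted files are not waved
# through, and stale signatures are a scanner fault rather than "clean".
ALLOWED_ERRORS_STRICT = ["corrupt", "format not supported"]

# Ordered rules on (status, detail regex); first match wins.  Deliberately
# no rule maps an ERROR to DUMP: unscanned content is held, never discarded.
RULES = [
    ("ERROR", re.compile(r"encrypted|password", re.I), Action.QUARANTINE_NOTIFY),
    ("ERROR", re.compile(r"virus data is out of date", re.I), Action.QUARANTINE_NOTIFY),
    ("INFECTED", re.compile(r"."), Action.DUMP),
]
FALLBACK = Action.QUARANTINE_NOTIFY   # fail closed for anything unrecognised


def classify(result, allowed_errors):
    """Action for a single scanner result line under a given allowed-error list."""
    r = parse_result(result)
    if r is None:
        return FALLBACK                      # malformed scanner output: hold it
    if r["status"] == "ERROR" and any(
            a.lower() in r["detail"].lower() for a in allowed_errors):
        return Action.DELIVER                # error explicitly ignored by config
    for status, pattern, action in RULES:
        if r["status"] == status and pattern.search(r["detail"]):
            return action
    return FALLBACK


def decide(results, allowed_errors):
    """Overall action for a message: clean scan delivers; otherwise strictest wins."""
    if not results:
        return Action.DELIVER
    return max(classify(x, allowed_errors) for x in results)


# Constructed sample results.  OUT_OF_DATE is the real line from the thread;
# the other two are made up in the same assumed shape.
OUT_OF_DATE = ("SophosSAVI::ERROR:: The main body of virus data is out of date (542):: "
               "./AE3CA13F8E4.6C3F0/msg-11382-11.txt")
ENCRYPTED = "SophosSAVI::ERROR:: File was encrypted:: ./AE3CA13F8E4.6C3F0/msg-11382-12.zip"
INFECTED = "SophosSAVI::INFECTED:: W32/Netsky-P:: ./AE3CA13F8E4.6C3F0/msg-11382-13.zip"

if __name__ == "__main__":
    for name, allowed in (("proposed default", ALLOWED_ERRORS_PROPOSED),
                          ("strict", ALLOWED_ERRORS_STRICT)):
        for line in (OUT_OF_DATE, ENCRYPTED, INFECTED):
            print(f"{name:16s} {decide([line], allowed).name:18s} {line[:60]}")
```

Run with the two allowed-error lists and the same stale-signature line goes two ways: the proposed default delivers it, which means mail is passing unscanned until someone notices the log, while the strict list holds it and notifies. Whichever list is chosen, an error string that nobody anticipated lands in quarantine, not in the dump.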

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Julian Field
> Sent: 06 February 2006 11:40
> To: MailScanner discussion
> Subject: Re: A cautionary tale of Sophos and MS
> On 6 Feb 2006, at 11:22, Peter Bates wrote:
> >
> > Hello all...
> >
> > I arrived in this morning to assorted clamouring about a lack of 
> > external email.
> >
> > Looking closer, I could see that after the autoupdate of Sophos on 
> > Saturday night just after midnight, the version was 'out of date'
> > so started throwing:
> >
> > Feb  4 00:08:03 postbox MailScanner[11382]: SophosSAVI::ERROR:: The 
> > main body of virus data is out of date (542)::
> > ./AE3CA13F8E4.6C3F0/msg-11382-11.txt
> >
> > End result was all our external (in/out) email over the weekend has 
> > disappeared into the great bitbucket in the sky as this was then 
> > tagged as a 'Silent virus' and not quarantined.
> >
> > Entirely my fault for not updating Sophos for a couple of months, but
> > might be something worth considering to include in 'Allowed Sophos 
> > Error Messages' if you're a Sophos user... that or still quarantine 
> > silent viruses and clear the quarantine out from time to time.
> Eek! Sorry that happened. I have added that text to the list 
> I supply in the sample line just above the real line.
> Do you think I should make the default setting this:
> Allowed Sophos Error Messages = "corrupt", "format not 
> supported", "File was encrypted", "The main body of virus 
> data is out of date"
> Any there that shouldn't be there by default?
> Your thoughts please...
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> Before posting, read http://wiki.mailscanner.info/posting
> Support MailScanner development - buy the book off the website! 