Potential issue with docx format and Clam

Julian Field MailScanner at ecs.soton.ac.uk
Mon Apr 20 15:03:39 IST 2009


I have just changed the default to 8. Thanks for letting me know about 
this one.

On 20/04/2009 14:56, Jeff A. Earickson wrote:
> Found this one...  The setting I needed was:
>
> Maximum Archive Depth = 3
>
> I changed this to 8 and things started working for the Office 2007 crowd.
>
> Jeff Earickson
> Colby College
>
> On Mon, 20 Apr 2009, Martin Hepworth wrote:
>
>> Date: Mon, 20 Apr 2009 13:47:23 +0100
>> From: Martin Hepworth <maxsec at gmail.com>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: Potential issue with docx format and Clam
>>
>> Jeff
>> what happens if you use Clamd rather than the module so you can update
>> quicker (no reliance on module maintainers releasing a new version) and MS
>> children are smaller and startup faster?
>>
>> -- 
>> Martin Hepworth
>> Oxford, UK
>>
>> 2009/4/20 Jeff A. Earickson <jaearick at colby.edu>
>>
>>> Julian,
>>>
>>> I'm forwarding along a note from our support desk people, who seem to
>>> have uncovered an issue with Office 2007/2008 docx file formats and
>>> the ClamAV recursion level.  In my case, I am running MS 4.75.9-2 with
>>>
>>> ClamAVmodule Maximum Recursion Level = 8
>>>
>>> Adam's detective work below suggests that this setting may be too low
>>> for Office 2007/2008 docx attachments.  Anybody else seen this?
>>>
>>> (Time for me to upgrade to the latest stable version, or the latest beta).
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> ---------- Forwarded message ----------
>>>
>>> I did some experimenting with this situation [rejections of email with
>>> "Report: MailScanner: Message contained archive nested too deeply" messages]
>>> and here is what I found:
>>>
>>> - As you may or may not know the new Office 2007/2008 file format is really
>>> just a renamed .zip file containing other files and folders that make up
>>> the document.
>>>
>>> - If you insert an object into a .docx that is, for instance, a PowerPoint
>>> slide it is inserted as a .pptx (again, just a .zip with a different
>>> extension).
>>>
>>> - If that slide contains an inserted Excel table, it is inserted as a .xlsx
>>> (.zip).
>>>
>>> - So if you add all those up you have the original .docx, which contains a
>>> folder called "embedded", in that folder is a .pptx file, inside that is a
>>> folder called "embedded", in that folder is a .xlsx file, inside that is a
>>> series of files and folders.  So all that added up is 7 layers.
>>>
>>> I was able to duplicate Todd's error with my own .docx, .pptx and .xlsx,
>>> but I noticed that it had to be all three.  If I tried to email a .docx with
>>> just a PowerPoint slide embedded it went fine.  And if I tried to email a
>>> .pptx with an embedded Excel Table that went fine too.  So it seems as
>>> though we may need to adjust some settings on MailScanner to allow for this
>>> type of file to pass because as we convert more and more people to Office
>>> 2007/2008 we are going to be more likely to run into these types of
>>> situations.
>>>
>>> ------------
>>> Adam Nielsen
>>> Faculty and Staff Support Center
>>> x4222
>>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
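
Added example, not part of the original messages and not MailScanner code: a way to measure how deeply an Office 2007 attachment nests before choosing a depth limit. It rebuilds the .docx > .pptx > .xlsx layout from the forwarded message as constructed sample data. The helper names, the size cap and both counting models are assumptions; the thread does not say how MailScanner itself counts depth.

```python
import io
import zipfile

ARCHIVE_EXTS = (".zip", ".docx", ".pptx", ".xlsx")  # OOXML files are zip containers
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so an oversized member is never inflated

def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def nesting_depth(data, count_paths=True, limit=32):
    """Deepest nesting found in a zip container.

    count_paths=True counts the way the forwarded message does: the container,
    every folder on the path and the final file are one layer each.
    count_paths=False counts nested containers only.
    """
    if limit == 0:
        raise ValueError("recursion limit reached, refusing to go deeper")
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: declared size over cap")
            inner = 1 if count_paths else 0  # a plain file
            if info.filename.lower().endswith(ARCHIVE_EXTS):
                try:
                    inner = nesting_depth(zf.read(info), count_paths, limit - 1)
                except zipfile.BadZipFile:
                    pass  # archive extension but not a zip: treat as a plain file
            folders = info.filename.count("/") if count_paths else 0
            deepest = max(deepest, folders + inner)
    return 1 + deepest

# Constructed sample: the .docx > .pptx > .xlsx layout from the forwarded message.
XLSX = build_zip({"xl/workbook.xml": b"<workbook/>"})
PPTX = build_zip({"ppt/slide1.xml": b"<sld/>", "embedded/table.xlsx": XLSX})
DOCX = build_zip({"word/document.xml": b"<doc/>", "embedded/slide.pptx": PPTX})

if __name__ == "__main__":
    print("layers (folders counted):", nesting_depth(DOCX))
    print("nested containers only:  ", nesting_depth(DOCX, count_paths=False))
```

On the constructed sample the folder-counting model gives the 7 layers described in the forwarded message, and the containers-only model gives 3.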

