[Mimedefang] RFC: better virus scanner status reporting?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Tue Aug 12 01:57:01 EDT 2003


On 2003-08-10 at 22:25:30-0400 "David F. Skoll" <dfs at roaringpenguin.com> wrote:

> If the exit code "2" always means "encrypted", then I agree: An
> "encrypted" category is useful.  If an exit code of "2" could mean
> something else, then it becomes difficult to know how to handle this
> code.

I performed some testing (using Sophos Sweep 3.72, the latest version)
over several gigabytes of files.

Exit code "2" does not always mean "password protected".  It will also
be returned for certain PDF files, with an error message of either
"format not supported" or "unexpected error [0x80040202]".  It may
also be returned in other situations.

Even worse, if the "unexpected error [0x80040202]" condition is
encountered while processing an archive, processing of the entire
archive is aborted.  In testing, I was able to trivially construct ZIP
files which contained viruses that sweep failed to detect merely by
including one of the problematic PDF files first in the ZIP file.

Password protected files, and files that generate the "format not
supported" error, did not cause the processing of an archive file to
be aborted.

Is it worth it to create a separate $category to indicate "well, no
viruses were found, but since the virus scanner couldn't scan some
parts of this message, there may still be a virus in it"?

I can see arguments either way:

    Con: if sysadmins want to reject problematic (but supposedly
    clean) attachments, all they have to do is check for the condition
    ($code == 2 && $action eq 'ok'); there is no need to create a new
    $category.

    Pro: while a sysadmin with an in-depth knowledge of the virus
    scanner in question can easily interpret $code and
    $VirusScannerMessages himself, $category and $action exist so that
    sysadmins don't have to do that.  MIMEDefang should be able to
    tell the sysadmin "ok, but problematic" using $category and
    $action, especially since problematic attachments may not be
    clean.

For that matter, it might make sense to create another $action:
"permfail".  This would indicate that some quality of the message
reliably causes the virus scanner to croak, and that retrying at a
later time will not help.  (I would be very tempted to have "permfail"
returned whenever sweep generates "unexpected error [0x80040202]".)

Thoughts?

> I'd be happy to take you up on that offer [for patches]. :-) Could
> you please do patches relative to the latest beta?  It makes my life
> easier.

I'll provide patches against the latest beta once an appropriate
course of action can be determined.

Two other related things:

    1.  In response to:

        http://lists.roaringpenguin.com/pipermail/mimedefang/2002-January/000229.html

        I think -eec is relevant, because without it, it would appear
        that the "unsurvivable errors have occurred" condition will be
        expressed with a return code of 2, and thus cannot be
        distinguished from the "survivable errors have occurred"
        condition.  Would you object if I patched mimedefang.pl to use
        -eec?

    2.  It might be nice to provide a mechanism for mimedefang-filter
        to control the options used to invoke the virus scanner.

        For example, I locally patched our mimedefang.pl to not invoke
        sweep with the -archive flag.  I did this because my testing
        revealed that sweep is vulnerable to DoS attacks
        (specifically, resource exhaustion attacks) from malicious
        archive files.  If there were a mechanism in mimedefang-filter
        to tell mimedefang.pl what the options passed to the virus
        scanner should be, it would be easier for individual sysadmins
        to decide what options they wish to enable.

        This would also give sysadmins more rope to hang themselves
        (e.g., if they picked stupid options to pass to the virus
        scanner).  But one could argue there's plenty of rope in
        mimedefang-filter already.  ;)

Thoughts?

James

P.S.: Despite all of the problems I just enumerated with Sophos Sweep,
we're not dissatisfied with the product.  I'll report back to the list
Sophos' response when I report these problems to them.
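
As an added example that is not part of James's message or of MIMEDefang's own code: a stand-alone Perl script that turns a sweep exit code plus the text it printed into the ($category, $action) pair proposed above, so the three distinct exit-code-2 situations the message describes come out differently. The "encrypted" and "problematic" categories and the "permfail" action are the proposals under discussion, not values MIMEDefang defines; the sub name interpret_sweep_result, the constructed sample output lines, and the mapping of exit code 3 to "virus" (sweep's documented convention, which the message does not discuss) are assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from MIMEDefang.
# Classifies one sweep run into ($category, $action) along the lines
# proposed in the message above.  Assumptions, labelled here:
#   - exit 0 = clean, 2 = some object could not be scanned, 3 = virus
#     found (sweep's documented convention; the post only discusses 2)
#   - the message strings matched are the ones quoted in the post; any
#     other text accompanying exit code 2 is treated as "problematic"
use strict;
use warnings;

# Returns ($category, $action).  "encrypted", "problematic" and "permfail"
# are the proposed values, not MIMEDefang's; "swerr"/"tempfail" is used as
# the fall-through for a scanner error that is worth retrying later.
sub interpret_sweep_result {
    my ($code, $messages) = @_;
    return ('ok',    'ok')         if $code == 0;
    return ('virus', 'quarantine') if $code == 3;
    if ($code == 2) {
        # Unrecoverable: sweep abandons the rest of the archive here, so
        # objects after the failing one were never examined, and retrying
        # later will not change that.
        return ('problematic', 'permfail')
            if $messages =~ /unexpected error \[0x80040202\]/;
        # Scan completed, but the content was not examined.
        return ('encrypted', 'ok')
            if $messages =~ /password protected/i;
        # "format not supported" and anything else: the archive was still
        # processed, but this part was not inspected.
        return ('problematic', 'ok');
    }
    # 1 (interrupted) or an unknown code: let MIMEDefang retry later.
    return ('swerr', 'tempfail');
}

# Constructed sample outputs, modelled on the messages quoted in the post.
my @samples = (
    [0, "No viruses were discovered.\n"],
    [2, ">>> Virus scan failed: file ./a.pdf: password protected\n"],
    [2, ">>> Virus scan failed: file ./b.pdf: format not supported\n"],
    [2, ">>> Virus scan failed: file ./c.zip: unexpected error [0x80040202]\n"],
    [3, ">>> Virus 'TEST-SAMPLE' found in file ./d.com\n"],
);

for my $s (@samples) {
    my ($category, $action) = interpret_sweep_result(@$s);
    printf "code=%d  category=%-11s action=%s\n", $s->[0], $category, $action;
}

# Sketch of where this would sit in mimedefang-filter, against the API the
# post refers to (message_contains_virus() returning ($code, $category,
# $action) and $VirusScannerMessages holding the scanner output):
#
#   my ($code, $category, $action) = message_contains_virus();
#   my ($cat2, $act2) = interpret_sweep_result($code, $VirusScannerMessages);
#   if ($act2 eq 'permfail') {
#       md_syslog('warning', "Scanner aborted on part of message: "
#                            . $VirusScannerMessages);
#       return action_quarantine_entire_message("Unscannable attachment");
#   }
```

Run it with plain perl to see the five classifications; only the commented sketch at the end depends on MIMEDefang. The detection point worth keeping in mind is the one the message makes: a 0x80040202 abort means everything after the failing object in the archive was skipped, so treating that run as "ok" reports a clean result the scanner never actually produced.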
