[Mimedefang] false positive with filescan

alan premselaar alien at 12inch.com
Mon Feb 23 18:59:09 EST 2004


On 2/24/04 2:30 AM, "Lucas Albers" <admin at cs.montana.edu> wrote:

> Yesterday I had a user complain because a Word doc was marked as
> 'suspicious' with filescan.
> I had the file quarantined, and ran it through with the scan.pl perl
> interface to File::Scan and it does not detect any suspicious items on the
> scan.
> Any idea how I can troubleshoot this?
> Do I need to save the raw work directory, when a suspicious item is
> detected, so I can determine the exact raw format it is scanning?
> Anyone have code to do this?
> 
> It is a very strange problem.
> It is the first time an item has been marked like this in 90K emails.
> I turned off blocking of items marked as suspicious with File::Scan, while
> I troubleshoot it.

Lucas,

  Originally when I implemented MIMEDefang, SpamAssassin, File::Scan, etc. at
my offices, I had similar issues with Word documents, Excel documents and
misc. other documents.

Basically it was determined that File::Scan was just too paranoid to be used
reliably in that environment.  I switched to using ClamAV and things have
been running smoothly ever since.

I'm sure this isn't the answer you're looking for, nor does it really answer
the question.  Hopefully you get some use out of it.

alan


