I wonder if you esteemed gentlemen can shed some light on this little problem for me.
I have just built some new mail servers using Exim 4.60 and Sophie 3.05
(previous versions were old :-) )
I am periodically getting
malware acl condition: malware acl condition: sophie reported error
reports in my logs (sometimes several per minute).
Virus scanning is apparently working, they are getting recognised, but I suspect the problem has something to do with MIME attachments. Messages that trigger this error report get a temporary failure status, which means I could get to see them all over again, repeatedly :-(
I can't find any info in the list archives or wiki. The scanning code from malware.c in the exim source is
-----------------------
/* infected ? */
if (av_buffer[0] == '1') {
  /* Sophie answered "1<sep><virus name>": cut at the newline and keep the name */
  if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0';
  Ustrcpy(malware_name_buffer, &av_buffer[2]);
  malware_name = malware_name_buffer;
}
else if (!strncmp(CS av_buffer, "-1", 2)) {
  /* Sophie answered "-1": scanner-side error, so the message is deferred (4xx) */
  log_write(0, LOG_MAIN|LOG_PANIC,
    "malware acl condition: malware acl condition: sophie reported error");
  return DEFER;
}
else {
  /* all ok, no virus */
  malware_name = NULL;
}
-----------------------
Which implies sophie has returned a -1 status code. My MIME ACL looks like
-----------------------
check_mime:
  # Too many MIME parts
  #
  deny
    condition   = ${if >{$mime_part_count}{1024}{yes}{no}}
    message     = Too many MIME parts (max 1024)
    log_message = DENY: MIME Error (Too many MIME parts: $mime_part_count)

  # Excessive line length
  #
  deny
    regex       = ^.{1024}
    message     = MIME error: Line length in message or single header exceeds 1024.
    log_message = DENY: MIME Error (Maximum line length exceeded)

  # Partial message
  #
  deny
    condition   = ${if eq {$mime_content_type}{message/partial}{yes}{no}}
    message     = MIME error: MIME type message/partial not allowed here
    log_message = DENY: MIME Error (MIME type message/partial found)

  warn
    decode      = default

  deny
    message     = This message has been rejected because it has\n\
                  \ta prohibited file extension (${extract{-1}{.}{${lc:$mime_filename}}})
    log_message = Rejected due to potential executable content (${extract{-1}{.}{${lc:$mime_filename}}})
    condition   = ${if match{${extract{-1}{.}{${lc:$mime_filename}}}}{\N^(BAD_ATTACHMENTS)$\N}{1}{0}}

  accept

#!!# ACL that is used after the DATA command
check_message:
  # Reject virus infected messages.
  # Add a header to show that message has been virus scanned
  warn
    message     = X-Virus-Scanned: Cardiff University Sophos AV

  deny
    message     = This message contains a virus or other harmful content ($malware_name).
    malware     = *
----------------------
Hope that's enough info. I look forward to any insights you can provide.
Thanks
Ken
--------------------------------------------------------------
Ken Tucker BA MBCS CITP
Senior Engineer - Mail Systems
University Infrastructure Group
Information Services
Cardiff University
[www.cf.ac.uk]
Tel : 029 2087 5015
--------------------------------------------------------------
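One practical check on the "I could get to see them all over again" worry is to correlate the Sophie error lines in the Exim main log with the sending host and envelope sender of the deferred message, so you can see whether the same senders keep retrying (and roughly how often the scanner is failing). The script below is an added example for this thread, not code from Exim, Sophie or the original poster. It assumes Exim's default main-log layout (timestamp, message id, text), that each DEFER from the malware condition is followed by a "temporarily rejected after DATA" line for the same message id carrying `H=host [ip]` and `F=<sender>`, and that retried deliveries get a fresh message id each time (so grouping has to be by host and sender, not by id). The log lines embedded in it are constructed samples.

```python
"""Correlate "sophie reported error" deferrals in an Exim main log with the
host and envelope sender that were deferred, to spot repeat redeliveries.

Assumptions (not verified against any particular Exim release):
  * main-log lines are "YYYY-MM-DD HH:MM:SS <msgid> <text>";
  * a malware-condition DEFER is followed, for the same msgid, by a line
    containing "temporarily rejected after DATA" with H= and F= fields.
"""

import re
from collections import Counter

SOPHIE_ERROR = "sophie reported error"
DEFER_TEXT = "temporarily rejected after DATA"   # assumed Exim wording

# timestamp, Exim message id (6-6-2 alphanumerics), remainder of the line
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$"
)
HOST_RE = re.compile(r"H=(\S+) \[([^\]]+)\]")
SENDER_RE = re.compile(r"F=<([^>]*)>")

# Constructed sample log: alice's message comes back three times, bob's once,
# carol's rejection has no Sophie error, and the last Sophie error has no
# matching rejection line (e.g. the log was cut off).
SAMPLE_LOG = """\
2006-02-10 09:15:02 1F7Qxx-0003Nc-8P malware acl condition: malware acl condition: sophie reported error
2006-02-10 09:15:02 1F7Qxx-0003Nc-8P H=mail.example.org [192.0.2.10] F=<alice@example.org> temporarily rejected after DATA
2006-02-10 09:20:41 1F7R2R-0003Pq-Ll malware acl condition: malware acl condition: sophie reported error
2006-02-10 09:20:41 1F7R2R-0003Pq-Ll H=mail.example.org [192.0.2.10] F=<alice@example.org> temporarily rejected after DATA
2006-02-10 09:31:07 1F7RCh-0003Tt-2b malware acl condition: malware acl condition: sophie reported error
2006-02-10 09:31:07 1F7RCh-0003Tt-2b H=mail.example.org [192.0.2.10] F=<alice@example.org> temporarily rejected after DATA
2006-02-10 09:33:55 1F7RFP-0003VV-0x malware acl condition: malware acl condition: sophie reported error
2006-02-10 09:33:55 1F7RFP-0003VV-0x H=smtp.example.net [198.51.100.7] F=<bob@example.net> temporarily rejected after DATA
2006-02-10 09:34:10 1F7RFe-0003Vx-Gq H=smtp.example.net [198.51.100.7] F=<carol@example.net> temporarily rejected after DATA
2006-02-10 09:40:00 1F7RLG-0003Xa-1a malware acl condition: malware acl condition: sophie reported error
"""


def correlate(lines):
    """Return (Counter keyed by (host, ip, sender), number of Sophie errors
    that never got a matching rejection line)."""
    pending = set()        # message ids whose malware check hit the Sophie error
    deferrals = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # continuation or non-message line
        _ts, msgid, text = m.groups()
        if SOPHIE_ERROR in text:
            pending.add(msgid)
        elif msgid in pending and DEFER_TEXT in text:
            pending.discard(msgid)
            h = HOST_RE.search(text)
            f = SENDER_RE.search(text)
            key = (
                h.group(1) if h else "?",
                h.group(2) if h else "?",
                f.group(1) if f else "?",
            )
            deferrals[key] += 1
    return deferrals, len(pending)


def repeat_senders(deferrals, min_count=2):
    """(host, ip, sender) tuples deferred at least min_count times, most first."""
    hits = [(k, n) for k, n in deferrals.items() if n >= min_count]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    counts, unmatched = correlate(SAMPLE_LOG.splitlines())
    print("Sophie-error deferrals per (host, ip, sender):")
    for key, n in counts.most_common():
        print(f"  {n:3d}  {key[0]} [{key[1]}] <{key[2]}>")
    print(f"Sophie errors with no matching rejection line: {unmatched}")
    print("Repeat redeliveries:", repeat_senders(counts))
```

Run it against a real log with `correlate(open("/var/log/exim/mainlog"))` (path is whatever your build uses). A handful of senders with high counts points at particular attachments that Sophie cannot handle (the MIME suspicion above); errors spread evenly across all senders points at the scanner daemon itself.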