[exim] Malware acl condition: sophie reported error

Author: Ken Tucker
Date:
To: exim-users
Subject: [exim] Malware acl condition: sophie reported error
I wonder if you esteemed gentlemen can shed some light on this little problem for me.

I have just built some new mail servers using Exim 4.60 and Sophie 3.05
(previous versions were old :-) )
I am periodically getting

malware acl condition: malware acl condition: sophie reported error

reports in my logs (sometimes several per minute).
Virus scanning is apparently working, they are getting recognised, but I suspect
the problem has something to do with MIME attachments. Messages that trigger this
error report get a temporary failure status, which means I could get to see them
all over again, repeatedly :-(

I can't find any info in the list archives or wiki. The scanning code from
malware.c in the exim source is:

-----------------------
      /* infected ? */
      if (av_buffer[0] == '1') {
        if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0';
        Ustrcpy(malware_name_buffer,&av_buffer[2]);
        malware_name = malware_name_buffer;
      }
      else if (!strncmp(CS av_buffer, "-1", 2)) {
        /* scanner error: log it and tempfail the message */
        log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: malware acl condition: sophie reported error");
        return DEFER;
      }
      else {
        /* all ok, no virus */
        malware_name = NULL;
      };
-----------------------


This implies Sophie has returned a -1 status code. My MIME ACL looks like:

-----------------------
check_mime:

# Too many MIME parts
#
  deny
  condition   = ${if >{$mime_part_count}{1024}{yes}{no}}
  message     = Too many MIME parts (max 1024)
  log_message = DENY: MIME Error (Too many MIME parts: $mime_part_count)


# Excessive line length
#
  deny
  regex       = ^.{1024}
  message     = MIME error: Line length in message or single header exceeds 1024.
  log_message = DENY: MIME Error (Maximum line length exceeded)


# Partial message
#
  deny
  condition   = ${if eq {$mime_content_type}{message/partial}{yes}{no}}
  message     = MIME error: MIME type message/partial not allowed here
  log_message = DENY: MIME Error (MIME type message/partial found)


# Decode the part
#
  warn
  decode      = default


# Prohibited file extensions (BAD_ATTACHMENTS is a macro defined elsewhere)
#
  deny
  message     = This message has been rejected because it has\n\
                \ta prohibited file extension (${extract{-1}{.}{${lc:$mime_filename}}})
  log_message = Rejected due to potential executable content (${extract{-1}{.}{${lc:$mime_filename}}})
  condition   = ${if match{${extract{-1}{.}{${lc:$mime_filename}}}}{\N^(BAD_ATTACHMENTS)$\N}{1}{0}}


  accept


#!!# ACL that is used after the DATA command

check_message:

  # Add a header to show that the message has been virus scanned
  warn
  message     = X-Virus-Scanned: Cardiff University Sophos AV

  # Reject virus infected messages.
  deny
  message     = This message contains a virus or other harmful content ($malware_name).
  malware     = *


----------------------

Hope that's enough info. I look forward to any insights you can provide.
Thanks

Ken


--------------------------------------------------------------
Ken Tucker BA MBCS CITP
Senior Engineer - Mail Systems
University Infrastructure Group
Information Services
Cardiff University
[www.cf.ac.uk]
Tel : 029 2087 5015
--------------------------------------------------------------
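An added example, not from the original post and not Exim's own malware.c: a small C re-implementation of the reply classification that the quoted malware.c branch performs, written so it can be compiled and tested stand-alone. It assumes only what the quoted code implies about Sophie's reply format: a first byte of '1' means infected, with the virus name starting at offset 2; a reply beginning with "-1" means the scanner reported an error (the branch that returns DEFER and writes the log line above); anything else is clean. Two things differ from the quoted branch, both as caveats rather than as Exim behaviour: whatever text follows the "-1" is kept so a log line can carry the scanner's reason when one is present, and an empty reply is treated as a scanner error instead of falling through to "no virus". The function names, the enum and the sample replies are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one Sophie reply, mirroring the three branches of the quoted
 * malware.c excerpt: clean (accept), infected (deny), scanner error (defer). */
enum av_verdict { AV_CLEAN = 0, AV_INFECTED = 1, AV_DEFER = 2 };

/* Copy src into dst (capacity n), stopping at the first newline; always
 * NUL-terminates when n > 0. Equivalent to the Ustrchr/Ustrcpy pair in the
 * quoted code, but bounded. */
static void copy_line(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    if (n == 0) return;
    while (i + 1 < n && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Classify a raw Sophie reply (assumed format: "1:<name>", "0", or
 * "-1[:<reason>]"). detail receives the virus name for AV_INFECTED, the
 * error text after "-1" for AV_DEFER, or "" otherwise. */
enum av_verdict sophie_classify(const char *reply, char *detail, size_t detail_len)
{
    if (detail_len) detail[0] = '\0';

    /* An empty reply is a scanner failure. The quoted branch alone would
     * treat it as "no virus", since it only tests for '1' and "-1". */
    if (reply == NULL || reply[0] == '\0' || reply[0] == '\n') {
        copy_line(detail, detail_len, "empty reply from scanner");
        return AV_DEFER;
    }

    if (reply[0] == '1') {
        /* Same offset the quoted code uses: the name follows "1" and one
         * separator character. Guard against a reply that is just "1". */
        const char *name = (reply[1] != '\0' && reply[1] != '\n') ? reply + 2 : "";
        copy_line(detail, detail_len, name);
        return AV_INFECTED;
    }

    if (strncmp(reply, "-1", 2) == 0) {
        /* Keep any reason text after "-1" and an optional separator; the
         * quoted log_write discards it. */
        const char *reason = reply + 2;
        if (*reason == ':' || *reason == ' ') reason++;
        copy_line(detail, detail_len, reason);
        return AV_DEFER;
    }

    return AV_CLEAN;
}

/* Human-readable outcome, as the ACL would act on it. */
const char *verdict_name(enum av_verdict v)
{
    switch (v) {
    case AV_CLEAN:    return "accept (no virus)";
    case AV_INFECTED: return "deny (malware)";
    default:          return "defer (scanner error, message tempfailed)";
    }
}

int main(void)
{
    /* Constructed sample replies; not captured from a real Sophie daemon. */
    const char *samples[] = {
        "0\n",
        "1:EICAR-AV-Test\n",
        "-1\n",
        "-1:cannot open file\n",
        "",
    };
    char detail[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum av_verdict v = sophie_classify(samples[i], detail, sizeof detail);
        printf("reply %zu: %s", i, verdict_name(v));
        if (detail[0]) printf(" [%s]", detail);
        putchar('\n');
    }
    return 0;
}
```

The AV_DEFER path is the one behind the repeated deliveries described in the post: a tempfail at DATA makes the sending MTA retry, and each retry is scanned again, so a scanner that intermittently returns -1 turns one message into many log entries.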