[Avcheck] big archives
Michael Tokarev
mjt@tls.msk.ru
Mon, 17 Jun 2002 21:54:48 +0400
[Please excuse me for the long delay]
Max Kalika wrote:
>
> Greetings. We have a system here working semi-well with avcheck and
> sophie. (I know sophie support is supposed to be weak at the moment, but
> the only thing that got through so far is .sit files).
>
> Anyway. I have a more general question. I tried sending a tarball of 1GB
> of compressed zeros (which ends up being slightly less than 1MB) to see
> what would happen if an extracted attachment fills the partition. I get
> this in the log:
>
> relay=avcheck, delay=367, status=deferred (temporary failure. Command
> output: avcheck: error in Sophie: return code -1
>
> The message gets queued and postfix tries it again later. I assume that it
> would time out after a while and get bounced. Does anyone have a cleaner
> way of handling this? Do any other scanning agents have the ability to
> deal with enormous archives?

I think the best method for now is to ignore the error return from sophie/sophos
until their software is fixed. That is, just treat a -1 return as if
there are no viruses.

It's not "sophie support" in avcheck that is "weak"; rather, sophos antivirus is
unable to handle the mime/email format properly.

BTW, try out drweb - it has good protection against such bad input.

/mjt
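
Added example, not part of the original message and not avcheck or Sophie code: one way to keep an attachment like the compressed-zeros tarball from filling the partition is to stream-decompress its gzip layer with an output cap and give the mail filter an explicit verdict instead of a generic scanner error. The function name, the 1 MiB limit and the in-memory sample data are assumptions made for illustration.

```python
import gzip
import zlib

LIMIT = 1024 * 1024   # assumed policy: maximum expanded bytes per attachment
STEP = 64 * 1024      # maximum output produced per decompress() call


def check_gzip(data, limit=LIMIT):
    """Return (verdict, expanded_bytes).

    verdict is 'ok', 'too_large' or 'corrupt'. Output is discarded as it is
    produced, so neither memory nor disk use grows with the expanded size.
    Only the first gzip member is inspected; trailing data is ignored.
    """
    inflater = zlib.decompressobj(31)   # wbits=31 selects the gzip container
    total = 0
    pending = data
    try:
        while pending and not inflater.eof:
            # max_length bounds the work done per call
            total += len(inflater.decompress(pending, STEP))
            if total > limit:
                return "too_large", total   # stop early, never expand fully
            pending = inflater.unconsumed_tail
        total += len(inflater.flush())
    except zlib.error:
        return "corrupt", total
    if not inflater.eof:
        return "corrupt", total             # stream ended before its trailer
    return ("too_large" if total > limit else "ok"), total


if __name__ == "__main__":
    # Constructed samples: 8 MiB of zeros (a scaled-down version of the test
    # described in the thread) and a small ordinary payload.
    zeros = gzip.compress(bytes(8 * 1024 * 1024))
    small = gzip.compress(b"ordinary attachment body\n" * 20)
    for name, blob in (("zeros", zeros), ("small", small)):
        print(name, len(blob), "compressed bytes ->", check_gzip(blob))
```

A filter placed in front of the scanner can map 'too_large' and 'corrupt' to a definite policy action (reject or quarantine), so the message is not retried from the queue until it times out.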