Sophos Anti-Virus blocks password-protected Microsoft Excel spreadsheets.


This article applies to:

  • Trustwave ECM/MailMarshal Exchange
  • Trustwave MailMarshal (SEG) 7.X and below
  • Microsoft Excel
  • Sophos Anti-Virus (SAVI)
    • Note: This article does not apply to Sophos for Marshal

Symptoms:

  • Sophos Anti-Virus blocks password-protected Microsoft Excel spreadsheets.
  • When using Sophos Anti-Virus (SAVI) with MailMarshal, some Excel spreadsheets get quarantined under the virus scanning rule.
  • Files do not appear as virus-infected when virus scanning is run manually.

Causes:

When Sophos Anti-Virus (SAVI) encounters a file that it cannot scan (such as a password-protected Microsoft Excel spreadsheet), SAVI will return an error code.

  • In MailMarshal SMTP versions 5.0 and earlier, and MailMarshal Exchange 5.X, the codes are numeric. Password-protected files return a code of 1. (A full list of SAVI return codes is included at the end of this knowledge base article.)
  • In MailMarshal SMTP 5.5 and up, and MailMarshal Exchange 7.X, the return code is handled internally and a graphical interface allows you to select options.

In versions 5.5 and up, MailMarshal will quarantine a message when it receives any return code greater than 0 from the virus scanner.

In version 5.0, the messages are put in the \Deadletter\Unpacking folder. (Please refer to Q10369: How do I configure Virus Scanners in MailMarshal? for more information on virus scanning in MailMarshal.)

The rationale here is that if a file cannot be scanned, it cannot be guaranteed to be virus-free.

Information:

To prevent password-protected Microsoft Excel spreadsheets from being blocked:

Trustwave MailMarshal (SEG) 5.5 and above, MailMarshal Exchange 7.X

Please see the following Knowledge Base article for available options:

  • Q10638: Messages that do not contain viruses are blocked by the 'Block Virus' rule.

MailMarshal Exchange 5.X and MailMarshal SMTP 5.0

You can run Sophos Anti-Virus twice:

  1. The first rule checks for virus errors:

    1. Set up the Sophos Anti-Virus scanner as normal, and, in the Virus Scanner properties, set it to trigger on a return code of 5.
    2. Create a normal virus scanning rule and make sure this rule is run prior to the second rule below.
  2. The second rule checks for non-virus errors:

    1. Set up Sophos Anti-Virus a second time using an external command that points to the same MMSAVI.dll, but is set up to trigger when the return code is greater than 0.
    2. Create a rule that moves the messages to a specific folder and uses an e-mail template such as "Your message encountered problems, please contact the Administrator to arrange for its release.....".
    3. It is also a good idea to quarantine these messages, as Sophos Anti-Virus could neither scan them nor guarantee them to be free of viruses.

Your virus scanning rules should look similar to these:

Standard Rule: Virus Check
When a message arrives
Where the message is addressed to or from any user
Where message contains a virus
Send a Administrator Virus; Virus In notification message
And move the message to Virus

Standard Rule: Sophos Error Check
When a message arrives
Where the message is addressed to or from any user
Where the external command Sophos Error Check is triggered
Send a Error Scanning notification message
And move the message to Suspect

Note: When configuring the rules above, it is important that you use the correct SAVI return codes:

Sophos Return Codes for MailMarshal SMTP 5.0, MailMarshal Exchange 5.X

0  SAVI_OK
1  SAVI_PASSWORD
2  SAVI_CORRUPT
3  SAVI_ERROR
5  SAVI_VIRUS
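
The two-rule arrangement above, modeled as an added Python sketch (not MailMarshal or Sophos code): it routes each SAVI return code listed in this article through the rules in order and shows why the virus rule must run before the error rule. First-match-wins evaluation and the "Deliver" label for messages that trigger no rule are assumptions made for the illustration.

```python
from typing import Callable, List, NamedTuple, Optional, Tuple

# SAVI return codes as listed in this article
# (MailMarshal SMTP 5.0, MailMarshal Exchange 5.X).
SAVI_CODES = {0: "SAVI_OK", 1: "SAVI_PASSWORD", 2: "SAVI_CORRUPT",
              3: "SAVI_ERROR", 5: "SAVI_VIRUS"}


class Rule(NamedTuple):
    name: str                        # rule name as shown in the article
    triggers: Callable[[int], bool]  # condition on the scanner return code
    folder: str                      # folder the message is moved to


# Rule 1: scanner configured to trigger on a return code of 5.
VIRUS_CHECK = Rule("Virus Check", lambda rc: rc == 5, "Virus")
# Rule 2: external command on the same DLL, triggering on any code > 0.
ERROR_CHECK = Rule("Sophos Error Check", lambda rc: rc > 0, "Suspect")

RECOMMENDED = [VIRUS_CHECK, ERROR_CHECK]  # order given in the article
MISORDERED = [ERROR_CHECK, VIRUS_CHECK]   # what the ordering advice prevents


def route(return_code: int, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Return (rule name, folder) for the first rule that triggers.

    Assumption: moving a message ends rule processing (first match wins).
    Codes missing from the table are still evaluated, so an unexpected
    non-zero code is held by the error rule rather than delivered.
    """
    for rule in rules:
        if rule.triggers(return_code):
            return rule.name, rule.folder
    return None, "Deliver"  # hypothetical label: no rule triggered


def routing_table(rules: List[Rule]) -> dict:
    """Map every documented SAVI code name to its destination folder."""
    return {SAVI_CODES[rc]: route(rc, rules)[1] for rc in sorted(SAVI_CODES)}


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(label)
        for code_name, folder in routing_table(rules).items():
            print(f"  {code_name:<14} -> {folder}")
```

With the rules reversed, a SAVI_VIRUS result lands in Suspect and receives the "contact the Administrator to arrange for its release" notification instead of the virus notification.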


This article was previously published as:
NETIQKB29177
Marshal KB129

Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10730.aspx