Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 8 subscribers
  • Views 12403 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

savscan with named file fails to open file if it contains non-English characters.

Scott Jacobs

I have Sophos Antivirus for Linux, and use only the on-demand scanner savscan.

I call it automatically from Firefox from the plug-in Download Status Bar, every time I download a file.

I just looked at my output, from the terminal from which I invoked Firefox, and noticed that two of the files

I had downloaded were not scanned by savscan, with the message: "Could not open <filename>"

I noticed that the two filenames each had a )symbol embedded in the name that looked like a black square on its point

with a question mark in the middle.

When I looked at the directory where my downloads go, I found that at the point in the filename where the savscan

log showed the funny symbol, the actual filename contained a foreign letter: one was a German capital A with an umlaut,

and the other was an Italian e with a funny forward slash over it.

(One of the files also had double-quotes in it, but another file, successfully scanned by savscan, had double quotes,

but no foreign letters , so obviously the quotes were not the problem...

Also, the fact that the path and filenames often contained spaces was not a problem for all other downloads -

they scanned fine).

If I am able to insert a text file showing a snippet from the savscan log shown in the terminal, I will do so.

The log contains a merging of both scan attempts, with most of the IDE File lines excised, and with notations added showing

what the filenames ought to have been.

==================================================

scott@scott-ASUS-M2N68-AMPLUS:~$ uname -a
Linux scott-ASUS-M2N68-AMPLUS 4.10.0-21-generic #23-Ubuntu SMP Fri Apr 28 16:14:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
scott@scott-ASUS-M2N68-AMPLUS:~$ lsb_release -dsc
Ubuntu 17.04
zesty
scott@scott-ASUS-M2N68-AMPLUS:~$ echo $DESKTOP_SESSION
Lubuntu

sav-linux-free-9.tgz

SAVScan virus detection utility
Version 5.34.0 [Linux/AMD64]
Virus data version 5.40, May 2017
Includes detection for 13427236 viruses, Trojans and worms
Copyright (c) 1989-2017 Sophos Limited. All rights reserved.

System time 06:29:13 PM, System date 12 June 2017
Command line qualifiers are: -archive -eec -p=/data/scott/Documents/Sophos_AV/ScanLog.txt -ns -nc -all -b -di --quarantine -move=/data/quarantine

==================================================

Fullscreen 5661.SophosScanCannotReadForeignLetters.txt Download 
SAVScan virus detection utility
Version 5.34.0 [Linux/AMD64]
Virus data version 5.40, May 2017
Includes detection for 13427236 viruses, Trojans and worms
Copyright (c) 1989-2017 Sophos Limited. All rights reserved.

System time 06:29:13 PM, System date 12 June 2017
Command line qualifiers are: -archive -eec -p=/data/scott/Documents/Sophos_AV/ScanLog.txt -ns -nc -all -b -di --quarantine -move=/data/quarantine

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file hawke-nx.ide
Using IDE file cerb-alb.ide
Using IDE file andro-rz.ide
Using IDE file rans-elk.ide
...
Using IDE file msil-jwe.ide
Using IDE file nymai-es.ide
Using IDE file betab-be.ide

Quick Scanning

Could not open /data/scott/Desktop/Link to SMTube/Die �rzte "Lasse Redn"

0 files scanned in 8 seconds.
1 error was encountered.
No viruses were discovered.
End of Scan.

---------------------------
Actual title of file:
Die Ärzte "Lasse Redn"

==================================================================
SAVScan virus detection utility
Version 5.34.0 [Linux/AMD64]
Virus data version 5.40, May 2017
Includes detection for 13427236 viruses, Trojans and worms
Copyright (c) 1989-2017 Sophos Limited. All rights reserved.

System time 07:31:58 PM, System date 12 June 2017
Command line qualifiers are: -archive -eec -p=/data/scott/Documents/Sophos_AV/ScanLog.txt -ns -nc -all -b -di --quarantine -move=/data/quarantine

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file hawke-nx.ide
Using IDE file cerb-alb.ide
Using IDE file andro-rz.ide
...
Using IDE file msil-jwe.ide
Using IDE file nymai-es.ide
Using IDE file betab-be.ide

Quick Scanning

Could not open /data/scott/Desktop/Link to SMTube/Claudio Villa - Il mio paese � grande

0 files scanned in 7 seconds.
1 error was encountered.
No viruses were discovered.
End of Scan.
---------------------------
Actual title of file:
Claudio Villa - Il mio paese è grande



This thread was automatically locked due to age.
Parents
  • 0

    Hello Scott Jacobs,

    the funny forward slash (which would be an acute or acute accent) looks like a funny backward slash (grave or grave accent) to me.

    Anyway, I daresay that two of the files [you] had downloaded were not scanned by savscan because savscan hasn't been told to scan them in the first place, instead the plug-in passed the names with a substitution character. You can easily check that a correctly passed name is correctly processed by running the scan from the terminal.

    BTW: Any specific reason that you use only the on-demand scanner? Scanning a single file with savscan is quite expensive.

    Christian

Reply
  • 0

    Hello Scott Jacobs,

    the funny forward slash (which would be an acute or acute accent) looks like a funny backward slash (grave or grave accent) to me.

    Anyway, I daresay that two of the files [you] had downloaded were not scanned by savscan because savscan hasn't been told to scan them in the first place, instead the plug-in passed the names with a substitution character. You can easily check that a correctly passed name is correctly processed by running the scan from the terminal.

    BTW: Any specific reason that you use only the on-demand scanner? Scanning a single file with savscan is quite expensive.

    Christian

Children
  • 0 in reply to QC

    > looks like a funny backward slash (grave or grave accent) to me

    Yes.  I realized that just after I submitted.

     

    >...plug-in passed the names with a substitution character.

    I had not considered the possibility that the plug-in would do any processing of the filename,

    as all I was supposed to do was enter a %1 where the filename was supposed to go.

    Other than apparently obviously placing quotes around the filename (it seems to handle white space OK),

    I would not have expected it to do anything to it.

     

    >You can easily check...by running the scan from the terminal.

    I have done so, and savscan handles unusual characters just fine...

    Mea maxima culpa.  Sorry to have wasted your time.

    Looks like I need to aim my bug report in another direction...

     

    >BTW: Any specific reason that you use only the on-demand scanner? Scanning a single file with savscan is quite expensive.

    Yes, it seems to take 7-8 seconds before any output to the terminal.

    I just thought that the highest probability of getting a virus would be when I was downloading an infected file,

    and why bog the system down 24/7, when I don't even do much that much downloading?

  • 0 in reply to Scott Jacobs

    Hello Scott Jacobs,

    it seems to take 7-8 seconds
    it does take 7-8 seconds. savscan doesn't have a single item mode - it's intended for scanning collections of files, thus it first loads the detection data, optimizes them for use by the scanner, and initializes the scanning engine. 

    why bog the system down
    experience, myth, or assumption?
    Haven't done it but AFAIK you can even restrict On-Access scanning to certain parts of the file system. I don't even do much that much downloading - apart from the intended download the pages contain lots of active stuff, often permanently reloading    , redirecting, ... So malware doesn't need to travel in the downloaded file.

    Christian

Unfiltered HTML