GFI E-mail Test with F-prot
Stephen Lee
splee at PLEXIO.COM
Sun Feb 3 16:01:41 GMT 2002
On Sun, 2002-02-03 at 02:12, Julian Field wrote:
> At 09:52 03/02/2002, you wrote:
> >At 03:10 03/02/2002, you wrote:
> >>Has anyone tried the email test from
> >>http://www.gfi.com/emailsecuritytest for virus vulnerabilities?
> >>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of
> >>the 6 infected messages were detected. The test included the following:
> >>
> >>o VBS file vulnerability test
> >>o CLSID extension vulnerability test
> >>o MIME header vulnerability test
> >>o ActiveX vulnerability test
> >>o Malformed file extension vulnerability test (for Outlook 2002 -
> >>XP)
> >>o CLSID extension vulnerability test (for Outlook 2002 - XP)
> >>
> >>Mailscanner only detected the MIME header and VBS payloads. What kind of
> >>adjustments can I make to catch the rest or is it an F-Prot issue?
>
> I've just tested this lot on our own systems, using Eudora as the client on a
> properly patched Win2k system.
>
> The only one that I am vulnerable to at all is the CLSID extension test,
> and even that didn't really work as Eudora showed the entire filename,
> including the CLSID. However, if you want to block filenames ending in
> CLSID's, add this to your filename.rules.conf (remember to separate the 4
> bits of the line with tab characters!):
>
> deny	\{[a-hA-H0-9-]{25,}\}$	Filename trying to hide it's real extension	Files ending in CLSID's are trying to hide their real extension
>
> The other tests just either failed to do anything at all, or left me
> staring at a message window full of (unexecuted) JavaScript which wasn't
> very exciting :-)
> --
> Julian Field Teaching Systems Manager
Thanks Julian! The above rule took care of the CLSID extensions. I did
have to remove the "'" from "Filename trying to hide it's real
extension" to get MailScanner to start. I presume quoting the phrase
would have worked too.
Stephen
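To show what Julian's rule actually catches, here is an added example that is not code from the thread or from MailScanner itself: a small Python reimplementation of how a filename.rules.conf line is split into its four tab-separated fields and matched against attachment names. The rules file content and the attachment names below are constructed for the example (the CLSID-looking suffix is a made-up GUID, not one from the GFI test), and the first-match-wins, case-insensitive matching is this example's assumption about MailScanner's behaviour. The apostrophe Stephen had to drop is left out of the log text.

```python
import re

# Constructed filename.rules.conf content for this example (not the page's
# own file). Field layout as Julian describes it:
#   action <TAB> regex <TAB> log text <TAB> text reported to the user
# The CLSID regex is Julian's; the other two lines are illustrative.
SAMPLE_RULES = (
    "deny\t\\{[a-hA-H0-9-]{25,}\\}$\t"
    "Filename trying to hide its real extension\t"
    "Files ending in CLSIDs are trying to hide their real extension\n"
    "deny\t\\.vbs$\tVBScript attachment\tVBScript attachments are not allowed\n"
    "allow\t.*\t-\t-\n"
)

# The same rule typed with spaces instead of tabs, the mistake Julian warns about.
SPACE_SEPARATED_RULE = (
    "deny \\{[a-hA-H0-9-]{25,}\\}$ Filename trying to hide its real extension "
    "Files ending in CLSIDs are trying to hide their real extension"
)

# Constructed attachment names; the braces hold a made-up GUID.
SAMPLE_NAMES = [
    "report.doc.{ab3d1c0f-7e2a-4b8c-9d11-0123456789ab}",   # CLSID at the end
    "LETTER.DOC.{AB3D1C0F-7E2A-4B8C-9D11-0123456789AB}",   # same, upper case
    "notes.txt.{ab3d1c0f-7e2a-4b8c-9d11-0123456789ab}.txt",  # CLSID not last
    "short.{1234-5678}",                                   # too short for {25,}
    "script.vbs",
    "report.doc",
]


def lint_rules(text):
    """Return a list of problems with a rules file: wrong field count or bad regex."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            problems.append(
                f"line {lineno}: expected 4 tab-separated fields, found {len(fields)}"
            )
            continue
        try:
            re.compile(fields[1])
        except re.error as exc:
            problems.append(f"line {lineno}: bad regex {fields[1]!r}: {exc}")
    return problems


def parse_rules(text):
    """Parse a rules file into (action, compiled regex, log text, report text) tuples."""
    problems = lint_rules(text)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, pattern, logtext, report = line.split("\t")
        # Assumption for this example: matching is case-insensitive and the
        # pattern may match anywhere in the name unless it is anchored.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), logtext, report))
    return rules


def check_filename(name, rules):
    """Apply rules in order; the first one whose regex matches decides (assumed)."""
    for action, regex, logtext, report in rules:
        if regex.search(name):
            return action, logtext
    return "allow", ""  # nothing matched


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in SAMPLE_NAMES:
        action, why = check_filename(name, rules)
        print(f"{action:5} {name}  {why}")
    print("space-separated rule problems:", lint_rules(SPACE_SEPARATED_RULE))
```

Note that the rule is anchored with `$`, so it only fires when the CLSID is the very last component of the name, which is exactly the case Julian's rule targets; a name such as `notes.txt.{...}.txt` passes straight through to the later rules.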