GFI E-mail Test with F-prot

[Stephen Lee]

On Sun, 2002-02-03 at 02:12, Julian Field wrote:
> At 09:52 03/02/2002, you wrote:
> >At 03:10 03/02/2002, you wrote:
> >>Has anyone tried the email test from
> >>http://www.gfi.com/emailsecuritytest for virus vulnerabilities?
> >>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of
> >>the 6 infected messages were detected. The test included the following:
> >>
> >>o       VBS file vulnerability test
> >>o       CLSID extension vulnerability test
> >>o       MIME header vulnerability test
> >>o       ActiveX vulnerability test
> >>o       Malformed file extension vulnerability test (for Outlook 2002 -
> >>XP)
> >>o       CLSID extension vulnerability test (for Outlook 2002 - XP)
> >>
> >>Mailscanner only detected the MIME header and VBS payloads. What kind of
> >>adjustments can I make to catch the rest or is it an F-Prot issue?
>
> I've justed this lot on our own systems, using Eudora as the client on a
> properly patched Win2k system.
>
> The only one that I am vulnerable to at all is the CLSID extension test,
> and even that didn't really work as Eudora showed the entire filename,
> including the CLSID. However, if you want to block filenames ending in
> CLSID's, add  this to your filename.rules.conf (remember to separate the 4
> bits of the line with tab characters!):
>
> deny    \{[a-hA-H0-9-]{25,}\}$  Filename trying to hide it's real
> extension     Files ending in CLSID's are trying to hide their real extension
>
> The other tests just either failed to do anything at all, or left me
> staring at a message window full of (unexecuted) JavaScript which wasn't
> very exciting :-)
> --
> Julian Field                Teaching Systems Manager

Thanks Julian! The above rule took care of the CLSID extensions. I did
have to remove the "'" from "Filename trying to hide it's real
extension" to get mailscanner to start. I presume quoting the phrase
would have worked too.

Stephen