GFI E-mail Test with F-prot

Rose, Bobby brose at MED.WAYNE.EDU
Sun Feb 3 17:38:09 GMT 2002

Their .hta attachment made it thru and after checking mailscanner is
letting any attachment thru that ends in a period.  So a rule for
trailing periods might be needed also.  This seems to work on that note.

deny    \.$             Deny all attachments with trailing periods
Files ending in periods are considered malformed and attempt to hide the
real filename extension.

-----Original Message-----
From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK] 
Sent: Sunday, February 03, 2002 5:13 AM
Subject: Re: GFI E-mail Test with F-prot

At 09:52 03/02/2002, you wrote:
>At 03:10 03/02/2002, you wrote:
>>Has anyone tried the email test from 
>> for virus vulnerabilities? Using 
>>Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of the

>>6 infected messages were detected. The test included the following:
>>o       VBS file vulnerability test
>>o       CLSID extension vulnerability test
>>o       MIME header vulnerability test
>>o       ActiveX vulnerability test
>>o       Malformed file extension vulnerability test (for Outlook 2002
>>o       CLSID extension vulnerability test (for Outlook 2002 - XP)
>>Mailscanner only detected the MIME header and VBS payloads. What kind 
>>of adjustments can I make to catch the rest or is it an F-Prot issue?

I've justed this lot on our own systems, using Eudora as the client on a
properly patched Win2k system.

The only one that I am vulnerable to at all is the CLSID extension test,
and even that didn't really work as Eudora showed the entire filename,
including the CLSID. However, if you want to block filenames ending in
CLSID's, add  this to your filename.rules.conf (remember to separate the
4 bits of the line with tab characters!):

deny    \{[a-hA-H0-9-]{25,}\}$  Filename trying to hide it's real
extension     Files ending in CLSID's are trying to hide their real

The other tests just either failed to do anything at all, or left me
staring at a message window full of (unexecuted) JavaScript which wasn't
very exciting :-)
Julian Field                Teaching Systems Manager
jkf at         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list