File Name and Rules inside archives

Rick Cooper rcooper at DWFORD.COM
Mon Dec 6 17:17:58 GMT 2004



About every few weeks someone asks about handling file name/type checks
within archives. It seems to me that this should be configurable the same as
general file name/type checks. Currently if you deny executable (.exe, .com,
etc) files they are disallowed within the archives too so your only answer
is to either allow them or not check content within archives. If there were
a rule set for handling types/names within archive you could have a rule set
that says, for instance :

deny    happy99\.exe$           "Happy" virus   "Happy" virus
allow   \.exe$                  -               -

Thus denying a file of .exe type that is known to be bad and allowing
others. Generally speaking you *should* be able to use a far less
restrictive test within archives, while denying known exploits. I have
attached a few patches that would allow this, for Julian's approval of
course. The flow should be as follows:

Is the archive file itself denied?
        yes - handle the denial
        no  - for each file within the archive, test against the archive filename rules
                denied?
                        yes - handle the denial
                        no  - pass the file

For the archive to get through it would have to pass both the file name
rules and the archive file name rules.

There appears to be virtually no discernible additional overhead to this
process.

If you want to try the attached patches add the following to your
MailScanner.conf after applying the patches:

Below the "File Name Rules = " Line add

# Set where to find file name rules for files within archives.
# This allows file names to occur within an archive (eg. .zip) that would
# otherwise be denied. For example deny filename.exe but allow all other
# .exe files. This can be set to the same value as "Filename Rules" if
# you do not want to use special filename handling for files within
# an archive.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!

Archive Filename Rules = %rules-dir%/Your-Archive-Filename-Rule-File


Below the "Filetype Rules = " Line add

# Set where to find the filetype ruleset for handling files as
# described above, WITHIN archive file (eg. .zip files).
# This allows a less restrictive type checking of files within archives.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
#
# To disable this feature, set this to just "Archive Filetype Rules =" or set
# the location of the file command to a blank string.

Archive Filetype Rules = %rules-dir%/Your-Archive-Filename-Rule-File

And then, of course, create the rule files and the rule set files.

Example Archive Filename rules file:

From: Trusted at trust.com /opt/MailScanner/etc/trusted.filename.rules.conf
FromOrTo: default       /opt/MailScanner/etc/filename.rules.conf

Example trusted.filename.rules.conf file:

deny    someknownvirus\.exe$    Known Virus     Known Virus
deny    \.wsf$  Windows Script File     Windows Script Files Are Prohibited


If this concept is too confusing (as suggested by Julian months ago) then I
will just keep this on my personal patches list, otherwise enjoy.

It just seems to me all checks against content within an archive should not
have to be disabled just to pass an .exe file within an archive.

Rick Cooper


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
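The two-stage check described in the posting (archive name against the general filename rules, then each member against the separate archive filename rules), as an added illustration that is not part of Rick's patches or MailScanner's own Perl code. The rule text is constructed in the posting's format; "first matching rule wins, no match means allow" is an assumption of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule text: action, regex, then the log/user text for the rest of the line.
GENERAL_RULES = r"""
deny    \.exe$    Executable    Executable files are prohibited
deny    \.wsf$    Windows Script File    Windows Script Files Are Prohibited
allow   .*        -             -
"""

# Less restrictive rules for files inside an archive: deny the known-bad name,
# still deny script files, but let other .exe files through.
ARCHIVE_RULES = r"""
deny    happy99\.exe$    "Happy" virus    "Happy" virus
deny    \.wsf$           Windows Script File    Windows Script Files Are Prohibited
allow   \.exe$           -    -
allow   .*               -    -
"""

def parse_rules(text: str) -> List[Tuple[str, re.Pattern, str]]:
    """Parse 'action regex text...' lines; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        action, pattern = parts[0].lower(), parts[1]
        reason = parts[2] if len(parts) > 2 else "-"
        rules.append((action, re.compile(pattern, re.IGNORECASE), reason))
    return rules

def check_name(name: str, rules) -> Optional[str]:
    """First matching rule decides (assumption: no match means allow).
    Returns the deny text, or None when the name is allowed."""
    for action, regex, reason in rules:
        if regex.search(name):
            return reason if action == "deny" else None
    return None

def check_archive(archive_name: str, members: List[str], general_rules, archive_rules):
    """Flow from the posting: the archive's own name must pass the general
    rules, then every member must pass the archive rules. Returns (allowed, why)."""
    reason = check_name(archive_name, general_rules)
    if reason:
        return False, f"{archive_name}: {reason}"
    for member in members:
        reason = check_name(member, archive_rules)
        if reason:
            return False, f"{archive_name}/{member}: {reason}"
    return True, "clean"
```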




    [ Part 2, Application/OCTET-STREAM (Name: "Config.diff")  3.3KB. ]
    [ Unable to print this part. ]


    [ Part 3, Application/OCTET-STREAM (Name: "ConfigDefs.diff")  ]
    [ 479bytes. ]
    [ Unable to print this part. ]


    [ Part 4, Application/OCTET-STREAM (Name: "SweepOther.diff")  3.4KB. ]
    [ Unable to print this part. ]



