Configuration confusion: conflicting settings?

Mike Brudenell pmb1 at YORK.AC.UK
Thu Mar 18 14:51:13 GMT 2004


Greetings -

I've just been upgrading to MailScanner-4.29.2 and have been reading in the
MailScanner.conf file about the new settings for password-protected Zips
etc.

I confess to being a bit confused about how the possible directives and options
interact over password-protected Zips, and also about the HTML exploits (eg,
as used by Bagle-Q).

Could someone help clarify the following two questions please?  (I hope I
find/include all the relevant directives!)


Q.  Password-protected Zip file settings
========================================
What I am trying to achieve is to have all viruses marked as silent *but*
to accept and deliver password-protected Zip archives (ie, not have them
vanish into thin air)...

Silent Viruses = HTML-IFrame All-Viruses HTML-Codebase
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
Allow Password-Protected Archives = yes

According to the comments setting "Silent Viruses" to include "All-Viruses"
implicitly also includes the effect of its "Zip-Password".  I believe this
means that for a message including a password-protected archive:
    a)  the sender will NOT be notified;
    b)  no attempt at true disinfection will be made;
    c)  the recipient will NOT receive the message
        (because "Still Deliver Silent Viruses" is "no")

Am I right in thinking...

    If I were to set "Non-Forging Viruses" to include the "Zip-Password"
    keyword then the sender WOULD be warned?

    And that the recipient would still NOT receive the message?

Am I also right in thinking...

    The "Allow Password-Protected Archives" setting is ignored if either
    "Zip-Password" or "All-Viruses" is used in "Silent Viruses"?

    Or does setting "Allow Password-Protected Archives" to "yes" actually
    allow such messages to be delivered to the recipient, even if they are
    listed (explicitly or implicitly) in "Silent Viruses"?

Finally could someone give an example of the combination of settings to
allow password-protected Zips to be delivered whilst treating all viruses
as "silent"?



Q.  HTML exploit settings: silent v allowing v disarming
========================================================
Silent Viruses = HTML-IFrame All-Viruses HTML-Codebase
Still Deliver Silent Viruses = no
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = yes

As above I believe that specifying "HTML-Codebase" for "Silent Viruses"
(along with "Still Deliver Silent Viruses = no") effectively makes such
messages disappear into thin air: the sender is not notified and the message
is not delivered to the recipient.

Given this, does this mean that the setting of "Allow Object Codebase Tags"
is irrelevant?  That is, this directive's setting is only used if
"HTML-Codebase" is NOT listed in "Silent Viruses"?

If it's not ignored then how does it interact with the "Silent Viruses"
setting?  One says to not deliver the message to the recipient, whilst the
other means strip or disarm the dangerous tags and (presumably) then go on
to deliver the message to the recipient?



With many thanks,
    from a confoozed
        Mike Brudenell

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811  FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
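A small checker, added here as an example and not part of the post or of MailScanner itself, that applies the two readings stated in the question (All-Viruses implicitly covers Zip-Password; Still Deliver Silent Viruses = no means the recipient never gets the message) to a MailScanner.conf fragment and flags the Allow Password-Protected Archives combination the question raises as a conflict to confirm rather than resolving it. The treatment of MailScanner.conf as "Key = value" lines with "#" comments, and the function names, are assumptions.

```python
# Constructed sample: the directives quoted in the post.
SAMPLE_CONF = """\
# comment line (assumed MailScanner.conf comment style)
Silent Viruses = HTML-IFrame All-Viruses HTML-Codebase
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
Allow Password-Protected Archives = yes
"""


def parse_conf(text):
    """Parse 'Key = value' lines into a dict keyed by lower-cased name.
    Blank lines and '#' comments are skipped (assumed file format)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def silent_keywords(conf):
    """Keywords in 'Silent Viruses', expanded as the post reads the
    comments: All-Viruses implicitly includes Zip-Password."""
    words = {w.lower() for w in conf.get("silent viruses", "").split()}
    if "all-viruses" in words:
        words.add("zip-password")
    return words


def check_zip_password(conf):
    """Describe how a password-protected archive is handled.
    silently_dropped: silent AND 'Still Deliver Silent Viruses' is not
    'yes', i.e. sender not notified, recipient never receives it.
    conflicting: that drop coexists with 'Allow Password-Protected
    Archives = yes', the combination the post asks about (unresolved)."""
    silent = "zip-password" in silent_keywords(conf)
    still_deliver = conf.get("still deliver silent viruses", "no").lower() == "yes"
    allow_pw = conf.get("allow password-protected archives", "no").lower() == "yes"
    dropped = silent and not still_deliver
    return {"silent": silent, "silently_dropped": dropped,
            "conflicting": dropped and allow_pw}


if __name__ == "__main__":
    print(check_zip_password(parse_conf(SAMPLE_CONF)))
```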


