Questions...

Rob Poe rpoe at PLATTESHERIFF.ORG
Wed Mar 24 19:44:38 GMT 2004


I got around the problem.  It seems as though F-Prot for linux was not
opening the .zip file and scanning it.

I set the archive depth to 0, password zips to disallowed and installed
CLAM-AV (alongside F-Prot..Why not, dual is better than single, IMO).

It grabbed the file that it previously missed.  So set my request to
delete :)

Thanks, Julian.

ps.  You rock, man!



>>> mailscanner at ECS.SOTON.AC.UK 3/24/2004 12:06:58 PM >>>
At 17:10 24/03/2004, you wrote:
>Julian Field wrote:
> > There are whole rafts of Denial of Service attacks that can be
> > launched this way, I am very wary of unpacking anything unless I
> > really need to. But using the file command to find zip files instead
> > of looking at the name is not a bad idea. It would be slower though
> > as it would need to be run on every message batch. Let me have a
> > think and see if I can make it do it as part of the filetype trapping
> > code, so the overhead would be minimal.
> >
> > And then there is the chicken and egg situation Kevin has
> > just mentioned...
>
>Just looking through the magic file that the file command uses it may be
>fairly trivial to spot zip files without running the file command. It
>seems the first four bytes are PK\003\004 the following byte represents
>the version number currently 0x09 0x0a 0x0b or 0x14 (versions 0.9, 1.0,
>1.1 and 2.0 respectively - it seems the byte value is the version
>number x 10).
>
>Anyway my point is that zip files could be spotted by looking at the first
>4 or 5 bytes of the file.

I don't particularly like the idea of duplicating "file"s job, it smacks of
ugliness. But it may turn out to be the easiest way to go.
Hopefully the PK^C^D sequence won't change.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
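The magic-byte check discussed in the quoted thread, written up here as an added example in Python (it is not MailScanner code and not anything Julian or the other poster wrote). It tests for the `PK\003\004` local-file-header signature the post names and derives the version from the fifth byte as the post describes; it also goes a little beyond the post by recognising the two other signatures a zip can start with (an archive with no entries, and the first part of a spanned archive), so that those are not misclassified. The function names and the sample archives are constructed for this example.

```python
import io, struct, zipfile

# ZIP signatures from the PKWARE APPNOTE. The post names only the local file
# header; the other two are added so empty and spanned archives are not missed.
LOCAL_FILE_HEADER = b"PK\x03\x04"
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # an archive with no entries starts here
SPANNED_MARKER = b"PK\x07\x08"      # first segment of a multi-part archive

def zip_version(head):
    """Return None if `head` does not start with a ZIP signature, else a
    (kind, version) tuple. version is 'version needed to extract' as
    'major.minor' (byte value / 10, as the post observes) or None when
    the signature carries no version field."""
    if len(head) < 4:
        return None
    sig = head[:4]
    if sig == LOCAL_FILE_HEADER:
        if len(head) < 6:
            return ("local-file-header", None)
        # Little-endian uint16: low byte is the version, high byte the host OS.
        needed, = struct.unpack_from("<H", head, 4)
        ver = needed & 0xFF
        return ("local-file-header", f"{ver // 10}.{ver % 10}")
    if sig == END_OF_CENTRAL_DIR:
        return ("empty-archive", None)
    if sig == SPANNED_MARKER:
        return ("spanned-archive", None)
    return None

def scan_attachment(name, data):
    """Compare the claimed extension with the magic bytes, not the filename."""
    by_name = name.lower().endswith(".zip")
    by_magic = zip_version(data[:6]) is not None
    if by_magic and not by_name:
        return "zip-content-with-non-zip-name"
    if by_name and not by_magic:
        return "zip-name-with-non-zip-content"
    return "zip" if by_magic else "not-zip"

def demo():
    """Constructed samples (not from the thread): a real archive given a
    .doc name, an empty archive, and a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello")
    empty = io.BytesIO()
    zipfile.ZipFile(empty, "w").close()
    return {"renamed": scan_attachment("report.doc", buf.getvalue()),
            "empty": scan_attachment("empty.zip", empty.getvalue()),
            "plain": scan_attachment("notes.txt", b"Just some text\n")}
```

Reading only the first six bytes keeps the cost per attachment negligible, which is the overhead concern raised in the thread; it says nothing about what is inside the archive, so it is a routing hint for the unpacker, not a scan result.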


