Maximum Archive Depth trouble

Tal Kelrich tal at MUSICGENOME.COM
Tue May 11 10:08:14 IST 2004


On Mon, 10 May 2004 10:43:58 -0500
Alex Neuman <alex at nkpanama.com> wrote:

> Then your /usr/bin/file command is reporting the wrong thing. Try
> disabling it by placing a # before the file command:
>
> File Command = # /usr/bin/file
>
> And see what that gets you. You lose the functionality of "knowing"
> what a file is even if the extensions change.

That's not really the issue, it _is_ identifying the files correctly (which catches new viruses nicely).
My problems are:
A. MS scanning beyond the set depth, and
B. MS automatically rejecting everything nested beyond that depth.

I need to allow my users some way to bypass the filename/filetype checks, and as far as I could understand from the config file comment, setting the depth to 1 should have done the trick.
(Perhaps there should be a setting to disable the deeply nested files check?)

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Tal Kelrich
> Sent: Monday, May 10, 2004 10:38 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Maximum Archive Depth trouble
>
>
> On Mon, 10 May 2004 10:30:39 -0500
> Alex Neuman <alex at nkpanama.com> wrote:
>
> > Did you restart MailScanner so that the new setting would be picked
> > up?
> >
> Yes, I did. It's actually been set that way for a longish time.
> > Is your "file" command reporting the exes incorrectly?
> file is working.
> > In MailScanner.conf, what does your:
> >
> > File Command =
> >
> > .. look like?
>
> File Command = /usr/bin/file
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
> > On Behalf Of Tal Kelrich
> > Sent: Monday, May 10, 2004 10:22 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Maximum Archive Depth trouble
> >
> >
> > Hello,
> >
> > I'm having some problems with the current version of
> > MailScanner (4.30.3). MS seems to be unpacking beyond the value set
> > in Maximum Archive Depth.
> >
> > I have Maximum Archive Depth set to 1; a double-packed (or triple-
> > packed) exe file will not pass.
> >
> > I'm also seeing the "deeply nested archive" message for most zipped
> > viruses.
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >         Tal Kelrich
> >
> >
> > Here's a log snippet for the double packed:
> >
> > May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
> > May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
> > May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
> > May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
> > May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
> > May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
> > May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> > May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> > May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> >
> > Here's one for the triple packed:
> >
> > May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
> > May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
> > May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
> > May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
> > May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696
>


--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
You are in a maze of little twisting passages, all alike.
----
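As an added illustration (not MailScanner's own code, which is Perl, and not part of this thread), here is a small Python model of the two behaviours Tal separates: stopping unpacking at a configured Maximum Archive Depth, and separately flagging an attachment as "deeply nested" when an archive is left unopened at that limit. The helper names and the constructed nested zip are assumptions for the example only.

```python
"""Depth-limited archive walk, modelled on the thread's depth-1 vs. triple-packed case."""
import io
import zipfile


def build_nested_zip(inner_name: str, inner_data: bytes, layers: int) -> bytes:
    """Constructed test input: wrap inner_data in `layers` zip files (innermost first)."""
    data, name = inner_data, inner_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


def walk_archive(data: bytes, max_depth: int, depth: int = 1):
    """Return (members, deeply_nested).

    members: list of (depth, name) for every member actually unpacked.
    deeply_nested: True if an archive sat at max_depth and was left unopened,
    i.e. what a "files hidden in very deeply nested archive" check would report.
    Depth 1 is the outermost attachment archive itself.
    """
    members, too_deep = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            members.append((depth, info.filename))
            inner = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                if depth >= max_depth:
                    too_deep = True  # at the limit: flag it, do not unpack further
                    continue
                sub, sub_deep = walk_archive(inner, max_depth, depth + 1)
                members.extend(sub)
                too_deep = too_deep or sub_deep
    return members, too_deep


def executable_names(members):
    """Names a filename check would flag; only members that were unpacked count."""
    return [name for _, name in members if name.lower().endswith(".exe")]


if __name__ == "__main__":
    triple = build_nested_zip("test.exe", b"MZ constructed, not a real binary", 3)
    for limit in (1, 2, 3):
        seen, flagged = walk_archive(triple, limit)
        print(limit, seen, "deeply nested" if flagged else "ok", executable_names(seen))
```

With the limit at 1 the walker sees only the outer archive's single member and raises the nested flag; the .exe is reached only once the limit covers all three layers.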
