Maximum Archive Depth trouble

Julian Field mailscanner at ecs.soton.ac.uk
Tue May 11 10:18:13 IST 2004


Have you tried setting it to 0?

At 10:08 11/05/2004, you wrote:
>On Mon, 10 May 2004 10:43:58 -0500
>Alex Neuman <alex at nkpanama.com> wrote:
>
> > Then your /usr/bin/file command is reporting the wrong thing. Try
> > disabling it by placing a # before the file command:
> >
> > File Command = # /usr/bin/file
> >
> > And see what that gets you. You lose the functionality of "knowing"
> > what a file is even if the extensions change.
>
>That's not really the issue; it _is_ identifying the files correctly
>(which catches new viruses nicely).
>My problems are:
>A. MS scanning beyond the set depth, and
>B. MS automatically rejecting everything nested beyond that depth.
>
>I need to allow my users some way to bypass the filename/filetype checks,
>and as far as I could understand from the config file comment, setting the
>depth to 1 should have done the trick.
>(Perhaps there should be a setting to disable the deeply nested files check?)
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > Behalf Of Tal Kelrich
> > Sent: Monday, May 10, 2004 10:38 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Maximum Archive Depth trouble
> >
> >
> > On Mon, 10 May 2004 10:30:39 -0500
> > Alex Neuman <alex at nkpanama.com> wrote:
> >
> > > Did you restart MailScanner so that the new setting would be picked
> > > up?
> > >
> > Yes, I did. It's actually been set that way for a longish time.
> > > Is your "file" command reporting the exes incorrectly?
> > file is working.
> > > In MailScanner.conf, what does your:
> > >
> > > File Command =
> > >
> > > .. look like?
> >
> > File Command = /usr/bin/file
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
> > > On Behalf Of Tal Kelrich
> > > Sent: Monday, May 10, 2004 10:22 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Maximum Archive Depth trouble
> > >
> > >
> > > Hello,
> > >
> > > I'm having some problems with the current version of
> > > MailScanner (4.30.3). MS seems to be unpacking beyond the value set
> > > in Maximum Archive Depth.
> > >
> > > I have Maximum Archive Depth set to 1, a double packed (or triple
> > > packed) exe file will not pass.
> > >
> > > I'm also seeing the "deeply nested archive" message for most zipped
> > > viruses.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > >         Tal Kelrich
> > >
> > >
> > > Here's a log snippet for the double packed:
> > >
> > > May 10 13:55:48 mail MailScanner[6497]: New Batch: Scanning 1 messages, 2402 bytes
> > > May 10 13:55:50 mail MailScanner[6497]: Spam Checks: Starting
> > > May 10 13:55:51 mail MailScanner[6497]: Files hidden in very deeply nested archive in i4AAtj706518
> > > May 10 13:55:51 mail MailScanner[6497]: Filename Checks: Windows/DOS Executable (i4AAtj706518 test.exe)
> > > May 10 13:55:51 mail MailScanner[6497]: Filetype Checks: No executables (i4AAtj706518 test.exe)
> > > May 10 13:55:51 mail MailScanner[6497]: Other Checks: Found 2 problems
> > > May 10 13:55:51 mail MailScanner[6497]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> > > May 10 13:55:51 mail MailScanner[6497]: Saved infected "test1.zip" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> > > May 10 13:55:51 mail MailScanner[6497]: Saved infected "test.exe" to /var/spool/MailScanner/quarantine/20040510/i4AAtj706518
> > >
> > > Here's one for the triple packed:
> > >
> > > May 10 13:32:50 mail MailScanner[2532]: New Batch: Scanning 1 messages, 2538 bytes
> > > May 10 13:32:50 mail MailScanner[2532]: Spam Checks: Starting
> > > May 10 13:32:50 mail MailScanner[2532]: Files hidden in very deeply nested archive in i4AAWll03696
> > > May 10 13:32:50 mail MailScanner[2532]: Virus and Content Scanning: Starting
> > > May 10 13:32:50 mail MailScanner[2532]: Saved entire message to /var/spool/MailScanner/quarantine/20040510/i4AAWll03696
> >
>
>
>--
>Tal Kelrich
>PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
>Key Available at: http://www.hasturkun.com/pub.txt
>----
>You are in a maze of little twisting passages, all alike.
>----
>
>-------------------------- MailScanner list ----------------------
>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>Before posting, please see the Most Asked Questions at
>http://www.mailscanner.biz/maq/     and the archives at
>http://www.jiscmail.ac.uk/lists/mailscanner.html

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
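
The two behaviours discussed in this thread (where a scanner stops unpacking, and what it does with whatever lies beyond that point) can be modelled with a small depth-limited zip walker. This is an added example, not MailScanner's code and not part of the original messages; the depth-counting rule, the treatment of depth 0 as "do not unpack", and the `reject_too_deep` switch are assumptions made for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

def nest(name, payload, layers):
    """Constructed sample: wrap payload in `layers` zip layers."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        name, payload = f"layer{i + 1}.zip", buf.getvalue()
    return name, payload

def walk(name, data, max_depth, depth=0, seen=None, too_deep=None):
    """Return (names inspected, archives left unopened at the depth limit)."""
    seen = [] if seen is None else seen
    too_deep = [] if too_deep is None else too_deep
    seen.append(name)
    # Assumption: max_depth == 0 means archives are treated as opaque files.
    if max_depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return seen, too_deep
    if depth >= max_depth:
        too_deep.append(name)  # opening this would exceed the limit: stop
        return seen, too_deep
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            walk(info.filename, zf.read(info), max_depth,
                 depth + 1, seen, too_deep)
    return seen, too_deep

def verdict(name, data, max_depth, reject_too_deep=True,
            blocked_ext=(".exe",)):
    """Filename check on what was inspected, plus a too-deep policy."""
    seen, too_deep = walk(name, data, max_depth)
    reasons = [f"blocked filename: {n}" for n in seen
               if n.lower().endswith(blocked_ext)]
    # Hypothetical switch: whether unopened nested archives fail the message.
    if too_deep and reject_too_deep:
        reasons.append(f"nested beyond depth {max_depth}: {too_deep[0]}")
    return ("reject" if reasons else "deliver"), reasons

if __name__ == "__main__":
    single, double = nest("test.exe", b"MZ", 1), nest("test.exe", b"MZ", 2)
    for label, (n, d) in (("single", single), ("double", double)):
        for depth in (0, 1, 2):
            print(label, depth, verdict(n, d, depth))
```

In this model a "deliver" verdict at depth 0, or with `reject_too_deep=False`, means the inner files were never inspected, so only a virus scanner that unpacks archives itself would still examine them.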
