MailScanner: Beta 4.36.1 released

Rick Cooper rcooper at DWFORD.COM
Fri Nov 19 14:35:16 GMT 2004


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Thursday, November 18, 2004 10:22 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: MailScanner: Beta 4.36.1 released
>
>
> I have just released the latest version 4.36.1.
> This is mostly to get everyone up to the same point in the development of
> the phishing net.
> It also adds support for RedHat Enterprise Server (and AS)
> version 4 beta 2.
>
<snip>

>
> The full Changelog is this:
>
> * New Features and Improvements *
> - Improved URL trimming in phishing net.
> - Various improvements and fixes in phishing net.
> - Added support for RedHat Enterprise Linux 4.
> - Added check for Password-Protected Archives setting when using
> clamavmodule.
>
> * Fixes *
> - Fixed outstanding problem in bitdefender-autoupdate, so that it works
>   properly on new installations.
> - Fixed logging problem with phishing net on a few malformed messages.
>

I was looking at the clamavmodule changes that check for a simple value for
the Password-Protected archives, and I have a suggestion (since there is
no reasonable way to use a rule set here).

How about adding something like:

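        # Declare outside the if/else so the value is still in scope for the later check
        my $AllowPasswd;
        if (MailScanner::Config::IsSimpleValue('allowpasszips')) {
                # Simple value (not a rule set): use the configured setting
                $AllowPasswd = MailScanner::Config::Value('allowpasszips');
        } else {
                # Rule set in use: default to allow
                $AllowPasswd = 1;
        }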

At the top of the ClamAVModule sub then change:

if (MailScanner::Config::Value('allowpasszips')) { # || $haverar) {

To

if ($AllowPasswd) { # || $haverar) {

This way if someone is using a rule file the action would change to allow so
no one loses an attachment. I think warning them in the log and defaulting
to "no", or taking away the ability to use rules is not a good solution. The
UnpackZip sub respects the rule sets and it's not fair to take away the
ability to use a rule set there just to ensure password protected RARs are
caught for all.

Or just remove the CL_SCAN_BLOCKENCRYPTED flag altogether. The only reason
I made the suggestion was because MS doesn't include the UnpackRar sub,
which would catch the password protected RARs, respect the rule sets and
report the file as password protected (rather than as an infected file). I
thought adding the CL_SCAN_BLOCKENCRYPTED would allow other MS systems to at
least catch protected RARs, even though the internal file name processing
wouldn't take place.

Doesn't matter to me either way since my patched Message.pm includes
UnpackRar, and SweepViruses.pm includes the $haverar checks, so I never use
the CL_SCAN_BLOCKENCRYPTED flag anyway.

Rick

