filename rules inside of an archive

Michael Caplan worker at MOMPOPMEDIA.COM
Thu Sep 9 19:23:50 IST 2004


<x-flowed>
Hi Jeff,


>it??? Rather than making an entire separate ruleset for checking
>archives, how about an on/off toggle for archive filename/filetype
>checking (this will keep the virus checking for archives).
>
Isn't this what Maximum Archive Depth = 0 does already?  I think what I
am getting at is a separate ruleset for archives.



Michael



>Jeff Graves, MCSA
>Customer Support Engineer
>Image Source, Inc.
>10 Mill Street
>Bellingham, MA 02019
>
>508.966.5200 - Phone
>508.966.5170 - Fax
>jeff at image-src.com - Email
>www.image-src.com
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Michael Caplan
>Sent: Thursday, September 09, 2004 1:01 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: filename rules inside of an archive
>
>
>Hi Julian,
>
>Thanks for the prompt answer.  While I agree with your interest in
>avoiding unnecessary code bloat I'd like to try and bounce an argument
>(sorry if it is a tried argument) of why such a feature is an important
>one that benefits consideration.
>
>With the servers I run, and I am sure this scenario plays out with many
>other environments other than my own, it is important to deny certain
>filenames in one scenario (a plain .exe attachment), but not another (an
>.exe zipped up).  It is agreed that an executable file is dangerous as a
>plain attachment, but rolled into a zip, an .exe does not pose the same
>threat.  Also, it comes up on many occasions that a client needs to
>transmit an otherwise denied file as a legitimate attachment.
>
>One option is deliberately renaming a file extension as a means to get
>around this, but this creates a level of complexity for the user, and
>also MailScanner attempts (as far as I understand) to isolate improperly
>named files using the "file" command anyhow (invalidating this
>approach).  This leaves no other solution other than turning off archive
>filename checks with Maximum Archive Depth = 0.  This is not such a good
>solution as it then opens up an insecure door (how many of you are
>getting zips with malicious .pifs throughout the day?)
>
>All said, I see two equally important scenarios in which different rule
>sets should be applied to attachments and attached archives.
>
>Or, perhaps I am looking at the problem wrong....?
>
>Thanks,
>
>Michael
>
>
>Julian Field wrote:
>
>>At 16:41 09/09/2004, you wrote:
>>
>>>Hi,
>>>
>>>I'm pretty new to MailScanner and its wonderful ways.  I hope this
>>>question is not a tired one:
>>>
>>>I need to configure MailScanner so that it will check the contents of
>>>all archives against filename.rules.conf (as it does by default), except
>>>I need to make an exception for zip file contents.  In
>>>filename.rules.conf I have .exe files banned.  I want to allow them to
>>>pass in .zip files, provided that they pass my virus scanner (ClamAV).
>>>For the time being I set Maximum Archive Depth = 0 in order to avoid
>>>filename checks in Zips outright (a bad temp solution).  How would one
>>>go about such a setup (if it is possible)?
>>>
>>Sorry, the "Maximum Archive Depth=0" is the best solution. I contemplated
>>adding a second entire set of filename and filetype rules, for checking
>>against archive contents. However, it was agreed at the time that so few
>>people would actually want to be able to do this that it would just add
>>confusion without adding much extra useful functionality.
>>
>>I want to make MailScanner flexible, but if I add too much configuration
>>then people just don't understand how to use it and the extra flexibility
>>is never used. How many people know how to change the font used in "Ok"
>>buttons in Xt applications? Yes, you can do it, someone may need to, but
>>no-one ever does use the fine-grained configuration in X applications
>>because it is too darned hard and no-one understands how it works.
>>
>>Also, more configuration options = more code to execute = slower :-(
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

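The "separate ruleset for archives" that the thread argues over, sketched as an added Python illustration; this is not MailScanner's own code or its filename.rules.conf syntax, and the rule sets, file names and zip contents are constructed for the demonstration. A top-level .exe is denied, an .exe inside a zip is allowed, a .pif is denied at any depth, and max_depth=0 reproduces the "Maximum Archive Depth = 0" behaviour of never looking inside the archive at all.

```python
import io
import re
import zipfile

# Two rule sets, in the spirit of the thread's "separate ruleset for
# archives" idea (constructed here; not MailScanner's syntax or code).
# Each rule is (action, compiled regex applied to the file name).
TOP_LEVEL_RULES = [
    ("deny", re.compile(r"\.(exe|pif|scr)$", re.I)),
    ("allow", re.compile(r".*")),
]
ARCHIVE_RULES = [
    ("deny", re.compile(r"\.(pif|scr)$", re.I)),  # still blocked inside zips
    ("allow", re.compile(r".*")),                 # .exe inside a zip passes
]


def apply_rules(rules, name):
    """First matching rule wins, as in a filename rule file."""
    for action, pattern in rules:
        if pattern.search(name):
            return action
    return "deny"


def check_attachment(name, data, max_depth=1, depth=0):
    """Return a list of (path, verdict). Archive members are checked
    against ARCHIVE_RULES down to max_depth nested levels; max_depth=0
    reproduces 'Maximum Archive Depth = 0' (contents never inspected)."""
    rules = TOP_LEVEL_RULES if depth == 0 else ARCHIVE_RULES
    results = [(name, apply_rules(rules, name))]
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = check_attachment(info.filename, zf.read(info),
                                         max_depth, depth + 1)
                results.extend((f"{name}/{p}", v) for p, v in inner)
    return results


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()
```

The virus-scan step the original poster wants to keep is outside this sketch; it would run on each extracted member before the filename verdict is trusted.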
</x-flowed>


