filename rules inside of an archive

Jeff Graves jeff at IMAGE-SRC.COM
Thu Sep 9 19:33:04 IST 2004


I thought that setting it to 0 would also turn off virus checking...

Jeff Graves, MCSA
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

508.966.5200 - Phone
508.966.5170 - Fax
jeff at image-src.com - Email
www.image-src.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Michael Caplan
Sent: Thursday, September 09, 2004 2:24 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: filename rules inside of an archive


Hi Jeff,


>it??? Rather than making an entire separate ruleset for checking
>archives, how about an on/off toggle for archive filename/filetype
>checking (this will keep the virus checking for archives).
>
>
>
Isn't this what Maximum Archive Depth = 0 does already?  I think what I
ma getting at is a separate ruleset for archives.



Michael



>Jeff Graves, MCSA
>Customer Support Engineer
>Image Source, Inc.
>10 Mill Street
>Bellingham, MA 02019
>
>508.966.5200 - Phone
>508.966.5170 - Fax
>jeff at image-src.com - Email
>www.image-src.com
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Michael Caplan
>Sent: Thursday, September 09, 2004 1:01 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: filename rules inside of an archive
>
>
>Hi Julian,
>
>Thanks for the prompt answer.  While I agree with your interested in
>avoiding unnecessary code bloat I'd like to try and bounce an argument
>(sorry if it is a tried argument) of why such a feature is an important
>one that benefits consideration.
>
>With the servers I run, and I am sure this scenario plays out with many
>other environments other than my own, it is important to deny certain
>filenames in one scenario (a plain .exe attachment), bot not another
(an
>.exe zipped up).  It is agreed that an executable file is dangerous as
a
>plain attachment, but rolled into a zip, an .exe does not pose the same
>threat.  Also, it comes up on many occasions that a client needs to
>transmit an otherwise denied file as a legitimate attachment.
>
>One option is deliberately renaming a file extension as a means to get
>around this, but this creates a level of complexity for the user, and
>also MailScanner attempts (as far as I understand) to isolate
improperly
>named files using the "file" command anyhow (invalidating this
>approach).  This leaves no other solution other than turning off
archive
>filename checks with Maximum Archive Depth = 0.  This is not such a
good
>solution as it then opens up an insecure door (how many of you are
>getting zips with malicious .pifs throughout the day?)
>
>All said, I see two equally important scenarios in which different rule
>sets should be applied to attachments and attached archives.
>
>Or, perhaps I am looking at the problem wrong....?
>
>Thanks,
>
>Michael
>
>
>Julian Field wrote:
>
>
>
>>At 16:41 09/09/2004, you wrote:
>>
>>
>>
>>>Hi,
>>>
>>>I'm pretty new to MailScanner and its wonderful ways.  I hope this
>>>question is not a tired one:
>>>
>>>I need to configure MailScanner so that it will check the contents of
>>>all archives against filename.rules.conf (as it does by default),
>>>
>>>
>except
>
>
>>>I need to make an exception for zip file contents.  In
>>>filename.rules.conf I have .exe files banned.  I want to allow them
>>>
>>>
>to
>
>
>>>pass in .zip files, provided that they pass my virus scanner
>>>
>>>
>(ClamAV).
>
>
>>>For the time being I set Maximum Archive Depth = 0 in order to avoid
>>>filename checks in Zips outright (a bad temp solution).  How would
>>>
>>>
>one
>
>
>>>go about such a setup (if it is possible)?
>>>
>>>
>>Sorry, the "Maximum Archive Depth=0" is the best solution. I
>>
>>
>contemplated
>
>
>>adding a second entire set of filename and filetype rules, for
>>
>>
>checking
>
>
>>against archive contents. However, it was agreed at the time that so
>>
>>
>few
>
>
>>people would actually want to be able to do this that it would just
>>
>>
>add
>
>
>>confusion without adding much extra useful functionality.
>>
>>I want to make MailScanner flexible, but if I add too much
>>
>>
>configuration
>
>
>>then people just don't understand how to use it and the extra
>>
>>
>flexibility
>
>
>>is never used. How many people know how to change the font used it
>>
>>
>"Ok"
>
>
>>buttons in Xt applications? Yes, you can do it, someone may need to,
>>
>>
>but
>
>
>>no-one ever does use the fine-grained configuration in X applications
>>because it is too darned hard and no-one understands how it works.
>>
>>Also, more configuration options = more code to execute = slower :-(
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>
>>
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>
>
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).



More information about the MailScanner mailing list