filename rules inside of an archive

Michael Caplan worker at MOMPOPMEDIA.COM
Thu Sep 9 19:54:53 IST 2004


Huh.  My original assumption was that MailScanner piped the archive over
to the resident AV scanner regardless of Maximum Archive Depth = 0.  I
thought that meant that only the filename rules were circumvented.

I just went through some archives that made it through MailScanner
because of Maximum Archive Depth = 0 and ran them against ClamAV (which
is the AV tied into MailScanner on my machine).  Assumption wrong.  All
the files were infected.  Wow, that's pretty troubling.

So Maximum Archive Depth = 0 really means that all archives are ignored
entirely?!?  I fail to see what the point of such a feature is then.
Can someone explain?  Is there ever a scenario where you would want
MailScanner not to scan archives for viruses?  (if that is the case, why
bother scanning any attachment then, considering that many viruses these
days are packed into zips?)

Thanks,

Michael

Jeff Graves wrote:

>I thought that setting it to 0 would also turn off virus checking...
>
>Jeff Graves, MCSA
>Customer Support Engineer
>Image Source, Inc.
>10 Mill Street
>Bellingham, MA 02019
>
>508.966.5200 - Phone
>508.966.5170 - Fax
>jeff at image-src.com - Email
>www.image-src.com
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Michael Caplan
>Sent: Thursday, September 09, 2004 2:24 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: filename rules inside of an archive
>
>Hi Jeff,
>
>>it??? Rather than making an entire separate ruleset for checking
>>archives, how about an on/off toggle for archive filename/filetype
>>checking (this will keep the virus checking for archives).
>
>Isn't this what Maximum Archive Depth = 0 does already?  I think what I
>am getting at is a separate ruleset for archives.
>
>Michael
>
>>Jeff Graves, MCSA
>>Customer Support Engineer
>>Image Source, Inc.
>>10 Mill Street
>>Bellingham, MA 02019
>>
>>508.966.5200 - Phone
>>508.966.5170 - Fax
>>jeff at image-src.com - Email
>>www.image-src.com
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>Behalf Of Michael Caplan
>>Sent: Thursday, September 09, 2004 1:01 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: filename rules inside of an archive
>>
>>
>>Hi Julian,
>>
>>Thanks for the prompt answer.  While I agree with your interest in
>>avoiding unnecessary code bloat I'd like to try and bounce an argument
>>(sorry if it is a tired argument) of why such a feature is an important
>>one that merits consideration.
>>
>>With the servers I run, and I am sure this scenario plays out with many
>>other environments other than my own, it is important to deny certain
>>filenames in one scenario (a plain .exe attachment), but not another (an
>>.exe zipped up).  It is agreed that an executable file is dangerous as a
>>plain attachment, but rolled into a zip, an .exe does not pose the same
>>threat.  Also, it comes up on many occasions that a client needs to
>>transmit an otherwise denied file as a legitimate attachment.
>>
>>One option is deliberately renaming a file extension as a means to get
>>around this, but this creates a level of complexity for the user, and
>>also MailScanner attempts (as far as I understand) to isolate improperly
>>named files using the "file" command anyhow (invalidating this
>>approach).  This leaves no other solution other than turning off archive
>>filename checks with Maximum Archive Depth = 0.  This is not such a good
>>solution as it then opens up an insecure door (how many of you are
>>getting zips with malicious .pifs throughout the day?)
>>
>>All said, I see two equally important scenarios in which different rule
>>sets should be applied to attachments and attached archives.
>>
>>Or, perhaps I am looking at the problem wrong....?
>>
>>Thanks,
>>
>>Michael
>>
>>
>>Julian Field wrote:
>>
>>>At 16:41 09/09/2004, you wrote:
>>>
>>>>Hi,
>>>>
>>>>I'm pretty new to MailScanner and its wonderful ways.  I hope this
>>>>question is not a tired one:
>>>>
>>>>I need to configure MailScanner so that it will check the contents of
>>>>all archives against filename.rules.conf (as it does by default), except
>>>>I need to make an exception for zip file contents.  In
>>>>filename.rules.conf I have .exe files banned.  I want to allow them to
>>>>pass in .zip files, provided that they pass my virus scanner (ClamAV).
>>>>For the time being I set Maximum Archive Depth = 0 in order to avoid
>>>>filename checks in Zips outright (a bad temp solution).  How would one
>>>>go about such a setup (if it is possible)?
>>>>
>>>Sorry, the "Maximum Archive Depth=0" is the best solution. I contemplated
>>>adding a second entire set of filename and filetype rules, for checking
>>>against archive contents. However, it was agreed at the time that so few
>>>people would actually want to be able to do this that it would just add
>>>confusion without adding much extra useful functionality.
>>>
>>>I want to make MailScanner flexible, but if I add too much configuration
>>>then people just don't understand how to use it and the extra flexibility
>>>is never used. How many people know how to change the font used in "Ok"
>>>buttons in Xt applications? Yes, you can do it, someone may need to, but
>>>no-one ever does use the fine-grained configuration in X applications
>>>because it is too darned hard and no-one understands how it works.
>>>
>>>Also, more configuration options = more code to execute = slower :-(
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>Professional Support Services at www.MailScanner.biz
>>>MailScanner thanks transtec Computers for their support
>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

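The behaviour Michael discovered above, modelled as an added Python example that is not MailScanner's own code. It follows the thread's description: the top-level attachment name is checked against filename.rules.conf-style rules, archive members are only examined while the current nesting is below Maximum Archive Depth, and the AV scanner only sees the bytes it is handed. With a depth of 0 the zip is never opened, so neither the filename rules nor the AV stand-in see the members; the block also models the separate archive-only rule set the thread asks for (a hypothetical feature, not something MailScanner offers). All names (`parse_rules`, `check_attachment`, `make_config`, `build_sample_zip`, `VIRUS_MARKER`) are this example's own, the rule-file layout (action, regex, log text, user text, tab-separated) is assumed, and the sample zip and "virus" marker are constructed.

```python
"""Toy model of MailScanner-style attachment checking (added example, not
MailScanner's own code).  It shows why "Maximum Archive Depth = 0" means
the archive is never opened: neither the filename rules nor the virus
scanner ever see the members.  It also models the feature asked for in
the thread, a second rule set that applies only to archive members."""
import io
import re
import zipfile

# Constructed rule text laid out like filename.rules.conf (assumed layout:
# action, regex, log text, user report, separated by tabs).
TOP_LEVEL_RULES = (
    "deny\t\\.(exe|pif)$\tExecutable\tNo programs allowed\n"
    "allow\t.*\t-\t-\n"
)
# Hypothetical archive-only rule set (the feature Michael is asking for).
ARCHIVE_RULES = (
    "deny\t\\.pif$\tWindows shortcut\tNo .pif files, even inside archives\n"
    "allow\t.*\t-\t-\n"
)
# Constructed stand-in for a virus signature; not a real detection pattern.
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-MARKER"


def parse_rules(text):
    """Parse rule lines into (action, compiled regex, log text, user text)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, pattern, log_text, user_text = line.split("\t", 3)
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules


def apply_rules(name, rules):
    """First matching rule wins; anything unmatched is allowed."""
    for action, regex, log_text, _ in rules:
        if regex.search(name):
            return action, log_text
    return "allow", "default"


def av_scan(data):
    """Stand-in for the resident AV (ClamAV on the poster's box).  It only
    sees the bytes handed to it, so a deflated member inside an unopened
    zip is invisible to it."""
    return "infected" if VIRUS_MARKER in data else "clean"


def make_config(max_archive_depth, separate_archive_rules=False):
    return {
        "max_archive_depth": max_archive_depth,
        "top_rules": parse_rules(TOP_LEVEL_RULES),
        # None means members are checked against the top-level rules,
        # which is what the thread says MailScanner does by default.
        "archive_rules": parse_rules(ARCHIVE_RULES) if separate_archive_rules else None,
    }


def check_attachment(name, data, cfg, depth=0, parent=""):
    """Return [(path, rule verdict, rule log text, av verdict), ...]."""
    path = f"{parent}/{name}" if parent else name
    rules = cfg["top_rules"]
    if depth > 0 and cfg["archive_rules"] is not None:
        rules = cfg["archive_rules"]
    verdict, why = apply_rules(name, rules)
    report = [(path, verdict, why, av_scan(data))]
    # Members are only examined while we are still below the depth limit;
    # with max_archive_depth == 0 this branch is never taken at all.
    if depth < cfg["max_archive_depth"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    report.extend(check_attachment(info.filename, zf.read(info),
                                                   cfg, depth + 1, path))
    return report


def would_be_blocked(report):
    """True if any rule denied a name or the AV stand-in flagged any bytes."""
    return any(v == "deny" or av == "infected" for _, v, _, av in report)


def build_sample_zip():
    """Constructed sample: a harmless .exe and an 'infected' .pif, deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.exe", b"MZ constructed harmless program body")
        zf.writestr("invoice.pif", VIRUS_MARKER * 20)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for depth, separate in ((0, False), (1, False), (1, True)):
        rep = check_attachment("files.zip", sample, make_config(depth, separate))
        print(f"depth={depth} archive_rules={separate} blocked={would_be_blocked(rep)}")
        for row in rep:
            print("   ", row)
```

Running it prints three reports: at depth 0 the only row is the zip itself, allowed and "clean", because the marker only exists inside a deflated member the scanner never unpacks; at depth 1 with the default (shared) rules both members are denied as executables and the .pif is also flagged; at depth 1 with the hypothetical archive-only rules the zipped .exe passes the name check while the .pif is still denied and flagged. The model only understands zip, whereas MailScanner unpacks other archive types too, so treat it as an illustration of the depth setting's semantics rather than of MailScanner's full behaviour.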