deny cabinet files?

Jeff A. Earickson jaearick at COLBY.EDU
Fri Jul 8 14:57:37 IST 2005


Hi,
    I keep the attached little script around to use in case I want
to run a file through my virus scanners by hand.  Unless it is out of date,
it mimics the arguments used by MailScanner for checking an attachment.

I read the manpage for sweep and noted the -cab option AND the fact
that -archive does not include .cab files.  Yikes.  Maybe this option
needs to be added to the MailScanner invocation of sweep.

I added -cab to sweep and ran the suspicious file through Sophos again.
Still no complaints about the file.  It has been submitted to Sophos
and Clam for analysis.

Jeff Earickson
Colby College

On Fri, 8 Jul 2005, Aaron K. Moore wrote:

> Date: Fri, 8 Jul 2005 08:42:55 -0500
> From: Aaron K. Moore <amoore at DEKALBMEMORIAL.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: deny cabinet files?
> 
> Sophos will scan them if you use the -cab switch on the command line.
>
> -- 
> Aaron Kent Moore
> Information Technology Services
> DeKalb Memorial Hospital, Inc.
> Auburn, IN
> Phone:  260.920.2808
> E-mail:  amoore at dekalbmemorial.com
>
> Julian Field wrote:
>> Good point, it's a format that I expect many virus scanners miss. And
>> Windows users have in-built support for opening them too, IIRC.
>>
>> I'll add that rule to the default set of rules I supply.
>>
>> On 8 Jul 2005, at 13:53, Jeff A. Earickson wrote:
>>
>>> Julian,
>>>
>>> I got a suspicious email today with a .cab file attachment.
>>> I've submitted the file to clam, but this inspired me to
>>> add the following rule to filename.rules.conf:
>>>
>>> deny\t\.cab$\tPossible malicious cabinet file\tCompressed cabinet files may hide viruses
>>>
>>> \t for real tabs here.  I googled and checked Microsoft's
>>> website and see no positive use for an emailed .cab file.
>>> Anybody else seen this?
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>

    [ Part 2, ""  Text/PLAIN (Name: "virus.scan")  15 lines. ]
    [ Unable to print this part. ]
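Added example (not Jeff's attached virus.scan script, and not MailScanner's own code): a small Python checker that applies a filename.rules.conf-style rule set to an attachment name, using the deny rule quoted in this thread, and additionally sniffs the file content for the "MSCF" signature that every cabinet file starts with, so a .cab renamed to .txt is still caught. The rules text is constructed here; "first matching rule wins" and case-insensitive matching are assumptions about how the rules are applied, and the scanner invocation (sweep -archive -cab) is deliberately not reproduced because it cannot run offline.

```python
import re

# Constructed rules in filename.rules.conf format: one rule per line,
# fields separated by tabs: action, Perl-style regex, log text, user report.
# The .cab line is the rule from the thread; the others are illustrative.
RULES_TEXT = (
    "# deny cabinet files, as discussed on the MailScanner list\n"
    "deny\t\\.cab$\tPossible malicious cabinet file\tCompressed cabinet files may hide viruses\n"
    "deny\t\\.exe$\tExecutable file\tPrograms are not accepted by email\n"
    "allow\t\\.txt$\t-\t-\n"
    "allow\t.*\t-\t-\n"
)

# Every Microsoft cabinet file begins with the ASCII signature "MSCF".
CAB_MAGIC = b"MSCF"


def parse_rules(text):
    """Turn rules text into a list of (action, compiled regex, log text, user report).

    Blank lines and '#' comments are skipped. Runs of tabs are treated as one
    separator (assumption: mirrors how the rules file is normally written).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        action, pattern = fields[0].lower(), fields[1]
        log_text = fields[2] if len(fields) > 2 else "-"
        user_report = fields[3] if len(fields) > 3 else "-"
        # Assumption: filename rules are matched case-insensitively.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_report))
    return rules


def check_filename(filename, rules):
    """Return (action, log_text) for the first rule whose regex matches.

    Assumption: first match wins, as in an ordered allow/deny list.
    A name matching no rule is allowed (returned as ("allow", "-")).
    """
    for action, regex, log_text, _report in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "-"


def is_cab(data):
    """True if the content starts with the cabinet-file signature."""
    return data[:4] == CAB_MAGIC


def classify_attachment(filename, data, rules):
    """Combine the filename rules with a content check.

    The extension check alone is bypassed by renaming the file, so a body
    that carries the MSCF signature is denied regardless of its name.
    """
    action, reason = check_filename(filename, rules)
    if action == "deny":
        return action, reason
    if is_cab(data):
        return "deny", "Cabinet file signature (MSCF) found in content"
    return action, reason


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Constructed sample attachments: a real-looking .cab, a renamed one, a text file.
    samples = [
        ("update.cab", CAB_MAGIC + b"\x00" * 32),
        ("readme.txt", CAB_MAGIC + b"\x00" * 32),
        ("notes.txt", b"plain text body\n"),
    ]
    for name, body in samples:
        print(name, "->", classify_attachment(name, body, rules))
```

The content check is the part worth keeping even after adding -cab to the sweep command line: a deny rule on the name stops the obvious case, the signature check stops the renamed one, and the scanner still has to look inside the archive for anything a signature can identify.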