deny cabinet files?

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 8 16:01:08 IST 2005


I have added the -cab option to the command line for Sophos.

On 8 Jul 2005, at 14:57, Jeff A. Earickson wrote:

> Hi,
>    I keep the attached little script around to use in case I want
> to run file thru my virus scanners by hand.  Unless it is out-of-date,
> it mimics the arguments used by MailScanner for checking an attachment.
>
> I read the manpage for sweep and noted the -cab option AND the fact
> that -archive does not include .cab files.  Yikes.  Maybe this option
> needs to be added to the MailScanner invocation of sweep.
>
> I added -cab to sweep and ran the suspicious file thru Sophos again.
> Still no complaints about the file.  It has been submitted to Sophos
> and Clam for analysis.
>
> Jeff Earickson
> Colby College
>
> On Fri, 8 Jul 2005, Aaron K. Moore wrote:
>
>
>> Date: Fri, 8 Jul 2005 08:42:55 -0500
>> From: Aaron K. Moore <amoore at DEKALBMEMORIAL.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: deny cabinet files?
>> Sophos will scan them if you use the -cab switch on the command line.
>>
>> -- 
>> Aaron Kent Moore
>> Information Technology Services
>> DeKalb Memorial Hospital, Inc.
>> Auburn, IN
>> Phone:  260.920.2808
>> E-mail:  amoore at dekalbmemorial.com
>>
>> Julian Field wrote:
>>
>>> Good point, it's a format that I expect many virus scanners miss. And
>>> Windows users have in-built support for opening them too, IIRC.
>>>
>>> I'll add that rule to the default set of rules I supply.
>>>
>>> On 8 Jul 2005, at 13:53, Jeff A. Earickson wrote:
>>>
>>>
>>>> Julian,
>>>>
>>>> I got a suspicious email today with a .cab file attachment.
>>>> I've submitted the file to clam, but this inspired me to
>>>> add the following rule to filename.rules.conf:
>>>>
>>>> deny\t\.cab$\tPossible malicious cabinet file\tCompressed cabinet files may hide viruses
>>>>
>>>> \t for real tabs here.  I googled and checked Microsoft's
>>>> website and see no positive use for an emailed .cab file.
>>>> Anybody else seen this?

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
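The rule Jeff posted above only works if the four fields are separated by real tab characters, which is easy to get wrong when copying from a mail client. The following added example (not MailScanner's own code, and not part of the thread) parses a small filename.rules.conf-style fragment containing that .cab rule, rejects a rule line whose fields are space-separated, and reports which rule a given attachment name hits. It assumes, as a simplification of MailScanner's behaviour, that fields are tab-separated, that the regex is matched case-insensitively against the filename, that the first matching rule wins, and that a name matching no rule is allowed; the sample rules and filenames are constructed for this example.

```python
import re

# Constructed sample rules in filename.rules.conf layout: four tab-separated
# fields per line (action, regex, log text, user report text). The first
# rule is the .cab rule from the thread; the real tabs are written as \t.
SAMPLE_RULES = (
    "# comment lines and blank lines are ignored\n"
    "deny\t\\.cab$\tPossible malicious cabinet file\t"
    "Compressed cabinet files may hide viruses\n"
    "allow\t\\.txt$\t-\t-\n"
)

# Constructed broken variant: same rule, but with spaces instead of tabs.
BROKEN_RULES = "deny \\.cab$ Possible malicious cabinet file Compressed cabinet files may hide viruses\n"


def parse_rules(text):
    """Parse rules text into (action, compiled regex, log text, report text) tuples.

    Assumption of this example (simplified, not verified against MailScanner):
    fields are tab-separated, '#' lines and blank lines are skipped, and the
    regex is applied case-insensitively.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            # A rule typed with spaces instead of real tabs arrives as one field
            # and would silently never match; fail loudly instead.
            raise ValueError(
                f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}"
            )
        action = fields[0].strip().lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((action, re.compile(fields[1], re.IGNORECASE), fields[2], fields[3]))
    return rules


def check_filename(rules, filename):
    """Return (action, log text) of the first rule matching filename.

    Assumption of this example: first match wins; no match means allow.
    """
    for action, regex, logtext, _report in rules:
        if regex.search(filename):
            return action, logtext
    return "allow", "no rule matched"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ("setup.cab", "SETUP.CAB", "notes.txt", "cabinet.doc"):
        print(name, "->", check_filename(rules, name))
    try:
        parse_rules(BROKEN_RULES)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the .cab rule matching regardless of case, a .doc name falling through to the default allow, and the space-separated variant being rejected at parse time rather than silently never matching.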
