deny cabinet files?

Julian Field MailScanner at
Fri Jul 8 16:01:08 IST 2005

I have added the -cab option to the command line for Sophos.

On 8 Jul 2005, at 14:57, Jeff A. Earickson wrote:

> Hi,
>    I keep the attached little script around to use in case I want
> to run a file thru my virus scanners by hand.  Unless it is out-of-date,
> it mimics the arguments used by MailScanner for checking an attachment.
> I read the manpage for sweep and noted the -cab option AND the fact
> that -archive does not include .cab files.  Yikes.  Maybe this option
> needs to be added to the MailScanner invocation of sweep.
> I added -cab to sweep and ran the suspicious file thru Sophos again.
> Still no complaints about the file.  It has been submitted to Sophos
> and Clam for analysis.
> Jeff Earickson
> Colby College
> On Fri, 8 Jul 2005, Aaron K. Moore wrote:
>> Date: Fri, 8 Jul 2005 08:42:55 -0500
>> From: Aaron K. Moore <amoore at DEKALBMEMORIAL.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> Subject: Re: deny cabinet files?
>> Sophos will scan them if you use the -cab switch on the command line.
>> -- 
>> Aaron Kent Moore
>> Information Technology Services
>> DeKalb Memorial Hospital, Inc.
>> Auburn, IN
>> Phone:  260.920.2808
>> E-mail:  amoore at
>> Julian Field wrote:
>>> Good point, it's a format that I expect many virus scanners miss.  And
>>> Windows users have in-built support for opening them too, IIRC.
>>> I'll add that rule to the default set of rules I supply.
>>> On 8 Jul 2005, at 13:53, Jeff A. Earickson wrote:
>>>> Julian,
>>>> I got a suspicious email today with a .cab file attachment.
>>>> I've submitted the file to clam, but this inspired me to
>>>> add the following rule to filename.rules.conf:
>>>> deny\t\.cab$\tPossible malicious cabinet file\tCompressed cabinet files may hide viruses
>>>> \t for real tabs here.  I googled and checked Microsoft's
>>>> website and see no positive use for an emailed .cab file.
>>>> Anybody else seen this?

Julian Field
Buy the MailScanner book at
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
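
The following is an added example, not part of the original thread and not MailScanner's own code: a small Python model of the four-field, tab-separated rule quoted above, applied to constructed attachment names. It assumes first-match-wins ordering, case-insensitive patterns and strict tab separation; the `MSCF` signature check for cabinets sent under another name is an extra of this sketch that goes beyond the filename rule discussed in the thread.

```python
import re

# The rule as posted in the thread, with real tabs between its four fields.
CAB_RULE = ("deny\t\\.cab$\tPossible malicious cabinet file\t"
            "Compressed cabinet files may hide viruses")
CAB_MAGIC = b"MSCF"  # signature at the start of a Microsoft cabinet file


def parse_rules(text):
    """Parse rules of the form: action TAB regex TAB log text TAB report text."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            # Typical cause: the rule was pasted with spaces instead of tabs.
            raise ValueError(f"line {lineno}: need 4 tab-separated fields, "
                             f"got {len(fields)}")
        action, pattern, log_text, report = fields
        # Assumption of this sketch: patterns match case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.I), log_text, report))
    return rules


def check_attachment(name, data, rules):
    """Return (action, reason); the first rule whose regex matches wins."""
    for action, regex, log_text, _report in rules:
        if regex.search(name):
            return action, log_text
    # Extra check added by this example: a cabinet sent under another name.
    if data[:4] == CAB_MAGIC:
        return "deny", "cabinet content under a non-.cab name"
    return "allow", "no rule matched"


if __name__ == "__main__":
    rules = parse_rules(CAB_RULE)
    samples = [  # constructed sample attachments
        ("update.cab", b"MSCF\x00\x00\x00\x00"),
        ("UPDATE.CAB", b"MSCF\x00\x00\x00\x00"),
        ("notes.cab.txt", b"plain text"),
        ("invoice.dat", b"MSCF\x00\x00\x00\x00"),
    ]
    for name, data in samples:
        print(name, check_attachment(name, data, rules))
```
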
