quarantine attachments & Dangerous content

Rick Chadderdon mailscanner at yeticomputers.com
Thu Aug 10 15:40:43 IST 2006 

Perhaps password-protected zip files are identified as silent viruses?  
The settings to look at are:

# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes

# There is no point quarantining most viruses these days as the infected
# messages contain no useful content, so if you set this to "no" then no
# infections listed in your "Silent Viruses" setting will be quarantined,
# even if you have chosen to quarantine infections in general. This is
# currently set to "yes" so the behaviour is the same as it was in
# previous versions.
# This can also be the filename of a ruleset.
Quarantine Silent Viruses = no

With these settings, if password-protected files are recognized as 
silent viruses they will not be stored.  This section handles what is 
treated as a silent virus:

# Strings listed here will be searched for in the output of the virus 
scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
#    (but it will still be "cleaned" by removing the nasty attachments
#     from the message)
# 3) The recipient will not receive the message,
#    unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 5 special keywords
#    HTML-IFrame   : inserting this will stop senders being warned about
#                    HTML Iframe tags, when they are not allowed.
#    HTML-Codebase : inserting this will stop senders being warned about
#                    HTML Object Codebase/Data tags, when they are not 
allowed.
#    HTML-Script   : inserting this will stop senders being warned about
#                    HTML Script tags, when they are not allowed.
#    HTML-Form     : inserting this will stop senders being warned about
#                    HTML Form tags, when they are not allowed.
#    Zip-Password  : inserting this will stop senders being warned about
#                    password-protected zip files, when they are not 
allowed.
#                    This keyword is not needed if you include All-Viruses.
#    All-Viruses   : inserting this will stop senders being warned about
#                    any virus, while still allowing you to warn senders
#                    about HTML-based attacks. This includes Zip-Password
#                    so you don't need to include both.
#
# The default of "All-Viruses" means that no senders of viruses will be
# notified (as the sender address is always forged these days anyway),
# but anyone who sends a message that is blocked for other reasons will
# still be notified.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame All-Viruses

Hope this helps.

Rick

James D. Parra wrote:
> Hello,
>
> In my past installs of mailscanner, attachments considered 'suspect' for any
> various reason were put into quarantine for later retrieval. In the most
> recent install I made, these items are instead being deleted from the e-mail
> message with a note in the e-mail stating that attachment was removed. For
> example;
>
> The content filters found this:
>    MailScanner: Message contained password-protected archive
>
> Where in the MailScanner.conf can I specify to have suspect attachments
> stored or quarantined and *not* deleted. If it is not in the
> mailscanner.conf file is the setting in another config file? 
>
> Many thanks,
>
> James 
>

More information about the MailScanner mailing list