stopping clamav detecting encrypted zip files

Glenn Steen glenn.steen at gmail.com
Thu Apr 19 19:34:39 IST 2007


On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
> > Steen
> > Sent: 19 April 2007 14:33
> > To: MailScanner discussion
> > Subject: Re: stopping clamav detecting encrypted zip files
> >
> >
> > On 05/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote:
> > > > Gareth wrote:
> > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote:
> > > > >
> > > > >> Are you using the clamavmodule?  I've had the same
> > problem.  There's a
> > > > > >> commandline switch to turn that notice off when using
> > clamscan, but not
> > > > >> with the module.  I'd suggested earlier that someone
> > should add code for
> > > > >> clamav, like the code for Sophos that allows you to
> > specify messages to
> > > > >> ignore.
> > > > >
> > > > > > I think it's a bug in Mailscanner. There appears to be code
> > in place in
> > > > > the routine which calls clamavmodule which disables blocking of
> > > > > encrypted files if there is a config option 'allowpasszips'
> > set but I
> > > > > cannot find that option.
> > > > >
> > > > > Anyway below is a diff which disables blocking of encrypted archives
> > > > > which is working fine for me.
> > > > >
> > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm
> > > > > 1069c1069
> > > > > <
> > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > |
> > > > > ---
> > > > >> #
> > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > |
> > > >
> > > > [Quoting Julian from 07/20/2005]
> > > > If you have MailScanner set to allow password-protected zip and rar
> > > > archives, then this option is disabled. If you have it set to block
> > > > password-protected archives, then this option is enabled.
> > > > [Quoting Julian from 07/20/2005]
> > > >
> > > > See this thread:
> > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
> > >
> > > Thanks. I wanted Mailscanner to block encrypted archives which it does
> > > well by itself but not to tell clamav to identify encrypted archives as
> > > viruses.
> > >
> > It's Ruleset Time:
> > You want MailScanner to block the initial message, hence you want a
> > default of "yes" in the ruleset, but not when releasing from
> > quarantine... so ... since this will likely be released from
> > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > Message) for that IP address. Problem solved:-).
> >
> > Cheers
> > --
> > -- Glenn
>
> Please read my question again. The problem was mailwatch not allowing the
> file to be released from quarantine because it was identified as a virus.
> Not the fact that a released message was being re-quarantined which your
> answer would refer to.
>
Ah... Sorry for the sloppy reading, been on vacation.... not turned on
brain, such as that is, yet:-).
What you are really "griping" about is the default behaviour of MW to
not let you release (some) harmful content (by not including the
necessary checkboxes:). I do believe Aaron mentioned how to get around
it... And it shouldn't be hard at all to modify MW to accommodate your
idea about letting admin do that. Or simply release the file from a
commandline (I'm pretty confident you know your way around that enough
to manage;-). If your aim is users releasing this file themselves....
this might be slightly more problematic.
As I'm sure you realise, one "solution" is to allow encrypted
archives, bad as that may seem.... Or switch to clamscan, where that
is more readily settable.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se