stopping clamav detecting encrypted zip files

Gareth list-mailscanner at linguaphone.com
Thu Apr 19 22:00:04 IST 2007


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
> Steen
> Sent: 19 April 2007 19:35
> To: MailScanner discussion
> Subject: Re: stopping clamav detecting encrypted zip files
>
>
> On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > -----Original Message-----
> > > From: mailscanner-bounces at lists.mailscanner.info
> > > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
> > > Steen
> > > Sent: 19 April 2007 14:33
> > > To: MailScanner discussion
> > > Subject: Re: stopping clamav detecting encrypted zip files
> > >
> > >
> > > On 05/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote:
> > > > > Gareth wrote:
> > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote:
> > > > > >
> > > > > >> Are you using the clamavmodule?  I've had the same
> > > problem.  There's a
> > > > > >> commandline switch to turn that notice off when using
> > > clamscan, but not
> > > > > >> with the module.  I'd suggested earlier that someone
> > > should add code for
> > > > > >> clamav, like the code for Sophos that allows you to
> > > specify messages to
> > > > > >> ignore.
> > > > > >
> > > > > > I think it's a bug in Mailscanner. There appears to be code
> > > in place in
> > > > > > the routine which calls clamavmodule which disables blocking of
> > > > > > encrypted files if there is a config option 'allowpasszips'
> > > set but I
> > > > > > cannot find that option.
> > > > > >
> > > > > > Anyway below is a diff which disables blocking of
> encrypted archives
> > > > > > which is working fine for me.
> > > > > >
> > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm
> > > > > > 1069c1069
> > > > > > <
> > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > > |
> > > > > > ---
> > > > > >> #
> > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > > |
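Review bot: commenting out the `Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()` term at line 1069 drops the flag unconditionally, while the same message says the surrounding code already disables it when an 'allowpasszips' option is set; the cleaner fix is to repair that conditional (or wire up the missing config option it reads) so the behaviour stays admin-selectable instead of being hard-coded out. The hunk also arrives line-wrapped with the `|` on its own line, so it is not visible whether the trailing OR operator is inside the commented-out line or left dangling on line 1070; please confirm line 1069 is the only line changed and that the flag expression still parses.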
> > > > >
> > > > > [Quoting Julian from 07/20/2005]
> > > > > If you have MailScanner set to allow password-protected
> zip and rar
> > > > > archives, then this option is disabled. If you have it
> set to block
> > > > > password-protected archives, then this option is enabled.
> > > > > [Quoting Julian from 07/20/2005]
> > > > >
> > > > > See this thread:
> > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
> > > >
> > > > Thanks. I wanted Mailscanner to block encrypted archives
> which it does
> > > > well by itself but not to tell clamav to identify encrypted
> archives as
> > > > viruses.
> > > >
> > > It's Ruleset Time:
> > > You want MailScanner to block the initial message, hence you want a
> > > default of "yes" in the ruleset, but not when releasing from
> > > quarantine... so ... since this will likely be released from
> > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > > Message) for that IP address. Problem solved:-).
> > >
> > > Cheers
> > > --
> > > -- Glenn
> >
> > Please read my question again. The problem was mailwatch not
> allowing the
> > file to be released from quarantine because it was identified
> as a virus.
> > Not the fact that a released message was being re-quarantined
> which your
> > answer would refer to.
> >
> Ah... Sorry for the sloppy reading, been on vacation.... not turned on
> brain, such as that is, yet:-).
> What you are really "griping" about is the default behaviour of MW to
> not let you release (some) harmful content (by not including the
> necessary checkboxes:). I do believe Aaron mentioned how to get around
> it... And it shouldn't be hard at all to modify MW to accommodate your
> idea about letting admin do that. Or simply release the file from a
> commandline (I'm pretty confident you know your way around that enough
> to manage;-). If your aim is users releasing this file themselves....
> this might be slightly more problematic.
> As I'm sure you realise, one "solution" is to allow encrypted
> archives, bad as that may seem.... Or switch to clamscan, where that
> is more readily settable.
>
> Cheers
> --
> -- Glenn

I did manage to get it working as I wanted by editing the Perl code which
calls clamavmodule so that password-protected archives were not classed as a
virus. That leaves it to MailScanner to detect them itself, and since they
are then just classed as a blocked attachment and not a virus, MailWatch
allows them to be released.

I have the patch together with a few other customisations I have made
detailed on my webpage :-
http://www.gbnetwork.co.uk/mailscanner/index.html
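Glenn's ruleset suggestion from earlier in the thread, written out as an added example (it is not from the thread or from the MailScanner distribution, and the rules file name password.rules is an assumption). It uses the Allow Password-Protected Archives option, so the values are the reverse of Glenn's "default of yes": "no" blocks the initial message, and "yes" for mail arriving from 127.0.0.1 stops a message released from quarantine being blocked again. As Gareth points out in his reply, this does nothing about MailWatch refusing to release a message that ClamAV has already labelled as a virus; it only changes how a released message is rescanned.

```conf
# MailScanner.conf: point the option at a rules file instead of a fixed yes/no
Allow Password-Protected Archives = %rules-dir%/password.rules

# %rules-dir%/password.rules (hypothetical file name)
# Releases from quarantine are assumed to be re-injected from 127.0.0.1,
# so they are allowed through; all other mail keeps the blocking default.
From:       127.0.0.1   yes
FromOrTo:   default     no
```

The same pattern works for Scan Messages if you would rather skip scanning released mail entirely, but an unconditional exemption for localhost also exempts anything else injected locally, so keep the narrower option unless you have a reason not to.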
