stopping clamav detecting encrypted zip files

Glenn Steen glenn.steen at gmail.com
Fri Apr 20 10:21:02 IST 2007


On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
> > Steen
> > Sent: 19 April 2007 19:35
> > To: MailScanner discussion
> > Subject: Re: stopping clamav detecting encrypted zip files
> >
> >
> > On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > > -----Original Message-----
> > > > From: mailscanner-bounces at lists.mailscanner.info
> > > > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
> > > > Steen
> > > > Sent: 19 April 2007 14:33
> > > > To: MailScanner discussion
> > > > Subject: Re: stopping clamav detecting encrypted zip files
> > > >
> > > >
> > > > On 05/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
> > > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote:
> > > > > > Gareth wrote:
> > > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote:
> > > > > > >
> > > > > > >> Are you using the clamavmodule?  I've had the same problem.  There's a
> > > > > > >> commandline switch to turn that notice off when using clamscan, but not
> > > > > > >> with the module.  I'd suggested earlier that someone should add code for
> > > > > > >> clamav, like the code for Sophos that allows you to specify messages to
> > > > > > >> ignore.
> > > > > > >
> > > > > > > I think it's a bug in Mailscanner. There appears to be code in place in
> > > > > > > the routine which calls clamavmodule which disables blocking of
> > > > > > > encrypted files if there is a config option 'allowpasszips' set but I
> > > > > > > cannot find that option.
> > > > > > >
> > > > > > > Anyway below is a diff which disables blocking of encrypted archives
> > > > > > > which is working fine for me.
> > > > > > >
> > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm
> > > > > > > 1069c1069
> > > > > > > <
> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > > > |
> > > > > > > ---
> > > > > > >> #
> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
> > > > > > > |
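
Review bot: the flag at line 1069 is commented out unconditionally, so with this change clamavmodule never reports encrypted archives, whatever the site's policy on password-protected archives is. Rather than turning `Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |` into a comment, make that line conditional on a configuration value so the behaviour can be switched without editing code, and add a comment next to it saying that encrypted-archive blocking is then left to MailScanner's own check. The edit is also made directly in the installed /usr/lib/MailScanner/MailScanner/SweepViruses.pm, so it should be recorded and re-checked whenever that file is replaced.
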
> > > > > >
> > > > > > [Quoting Julian from 07/20/2005]
> > > > > > If you have MailScanner set to allow password-protected zip and rar
> > > > > > archives, then this option is disabled. If you have it set to block
> > > > > > password-protected archives, then this option is enabled.
> > > > > > [Quoting Julian from 07/20/2005]
> > > > > >
> > > > > > See this thread: http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
> > > > >
> > > > > Thanks. I wanted Mailscanner to block encrypted archives which it does
> > > > > well by itself but not to tell clamav to identify encrypted archives as
> > > > > viruses.
> > > > >
> > > > It's Ruleset Time:
> > > > You want MailScanner to block the initial message, hence you want a
> > > > default of "yes" in the ruleset, but not when releasing from
> > > > quarantine... so ... since this will likely be released from
> > > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > > > Message) for that IP address. Problem solved:-).
> > > >
> > > > Cheers
> > > > --
> > > > -- Glenn
> > >
> > > Please read my question again. The problem was mailwatch not allowing the
> > > file to be released from quarantine because it was identified as a virus.
> > > Not the fact that a released message was being re-quarantined which your
> > > answer would refer to.
> > >
> > Ah... Sorry for the sloppy reading, been on vacation.... not turned on
> > brain, such as that is, yet:-).
> > What you are really "griping" about is the default behaviour of MW to
> > not let you release (some) harmful content (by not including the
> > necessary checkboxes:). I do believe Aaron mentioned how to get around
> > it... And it shouldn't be hard at all to modify MW to accommodate your
> > idea about letting admin do that. Or simply release the file from a
> > commandline (I'm pretty confident you know your way around that enough
> > to manage;-). If your aim is users releasing this file themselves....
> > this might be slightly more problematic.
> > As I'm sure you realise, one "solution" is to allow encrypted
> > archives, bad as that may seem.... Or switch to clamscan, where that
> > is more readily settable.
> >
> > Cheers
> > --
> > -- Glenn
>
> I did manage to get it working as I wanted it by editing the perl code which
> calls clamavmodule so that password protected archives were not classed as a
> virus. That leaves it down to mailscanner to detect itself which then as it
> is just classed as a blocked attachment and not a virus allows mailwatch to
> release it.
>
> I have the patch together with a few other customisations I have made
> detailed on my webpage :-
> http://www.gbnetwork.co.uk/mailscanner/index.html
>
Ah great. Perhaps when Jules is better he'll grace us with yet another
config option for this:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

