zero byte exe files filling quarantine, help!!

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 30 17:11:00 CET 2007


Will 1 configuration setting do, like this:

Notify Senders Of Too Large Or Too Small Attachments = yes or no

You don't really need separate configurations for too large and too 
small do you? Please say no :-)

Jules.

Denis Beauchemin wrote:
> Drew Marshall wrote:
>> On Tue, January 30, 2007 14:28, Jeff A. Earickson wrote:
>>> Gang,
>>>
>>> I'm running beta version 4.58.7, and I've noticed this morning that a
>>> ton of stuff is getting dumped into my MailScanner quarantine
>>> directory.  Everything that ends up there is a zero-byte exe
>>> file like "postcard.exe" or "Greeting Card.exe" (virus?), that
>>> generates a quarantine message back to the sender.  These quarantine
>>> messages will make MailScanner look **bad**.  Version 4.57.7 does this
>>> too.  Running sophos 4.14 and the latest clam.
>>> The only quick fix I could think of was to change "Quarantine
>>> Infections" from yes to no.  Anybody else seeing this issue??
>>
>> I found this issue a while ago and Jason Desai was able to provide a
>> fix:
>>
>> ---- Quote ----
>> Sorry for the late reply - still catching up on the list.  I just dealt
>> with this recently.  Here's what I did.  I modified languages.conf,
>> changing AttachmentTooSmall to be "Attachment is too small (too-small)".
>> For completeness, I changed AttachmentTooLarge in the same way.  Then I
>> modified MailScanner.conf, and added "too-small" to the list of Silent
>> Viruses.  This seems to prevent notifications.  You don't have to use
>> "too-small", you could use some other string which has no spaces in
>> AttachmentTooSmall and Silent Viruses.
>>
>> ----Quote Ends -----
>>
>> The small files then get treated like viruses rather than invalid file
>> types so you can then play games with silent viruses and quarantine rule
>> sets etc.
>>
>> HTH
>>
>> Drew
>>
> This looks interesting.  I had already written an SA rule that seems
> to catch most of them:
> describe UDES_GREET01  Virus often with zero-byte file
> full     UDES_GREET01  /filename=\"(greeting|Flash)?\s*(post\s*)?card\.exe\"/i
> score    UDES_GREET01  50
>
> Of course it will also match legit files with the same name... but
> since I already block EXEs, the only difference will be that people
> will not receive a notification about a quarantined EXE with these names.
>
> Denis
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
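
An added example, not part of the original thread: a Python sketch that audits a message for the zero-byte .exe attachments described above and checks each attachment name against Denis's pattern, rewritten in Python regex syntax. The function names and the sample message are constructed for illustration; the second attachment shows the name-only match on a non-empty file that Denis mentions.

```python
import re
from email import message_from_string

# Denis's pattern from the thread, with the SA config's \" written as plain quotes.
CARD_EXE = re.compile(r'filename="(greeting|Flash)?\s*(post\s*)?card\.exe"', re.I)

def audit_attachments(raw):
    """Return (filename, decoded_size, name_rule_hit) for each named attachment."""
    results = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        body = part.get_payload(decode=True) or b""
        disposition = part.get("Content-Disposition", "")
        results.append((name, len(body), bool(CARD_EXE.search(disposition))))
    return results

def zero_byte_exes(raw):
    """Names of attachments that are both empty and executable by extension."""
    return [n for n, size, _ in audit_attachments(raw)
            if size == 0 and n.lower().endswith(".exe")]

# Constructed sample message (hypothetical, not taken from the thread).
SAMPLE = """\
From: sender@example.com
Subject: You have received a postcard
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="postcard.exe"


--BOUND
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Greeting Card.exe"

TVqQAAMAAAAEAAAA

--BOUND--
"""

if __name__ == "__main__":
    for row in audit_attachments(SAMPLE):
        print(row)
```
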



