stopping clamav detecting encrypted zip files

Ugo Bellavance ugob at lubik.ca
Fri May 18 20:16:56 IST 2007


Glenn Steen wrote:
> On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>> > -----Original Message-----
>> > From: mailscanner-bounces at lists.mailscanner.info
>> > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
>> > Steen
>> > Sent: 19 April 2007 19:35
>> > To: MailScanner discussion
>> > Subject: Re: stopping clamav detecting encrypted zip files
>> >
>> >
>> > On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>> > > > -----Original Message-----
>> > > > From: mailscanner-bounces at lists.mailscanner.info
>> > > > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of 
>> Glenn
>> > > > Steen
>> > > > Sent: 19 April 2007 14:33
>> > > > To: MailScanner discussion
>> > > > Subject: Re: stopping clamav detecting encrypted zip files
>> > > >
>> > > >
>> > > > On 05/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>> > > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote:
>> > > > > > Gareth wrote:
>> > > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote:
>> > > > > > >
>> > > > > > >> Are you using the clamavmodule?  I've had the same
>> > > > problem.  There's a
>> > > > > > >> commandline switch to turn that notice off when using
>> > > > clamscan, but not
>> > > > > > >> with the module.  I'd suggested earlier that someone
>> > > > should add code for
>> > > > > > >> clamav, like the code for Sophos that allows you to
>> > > > specify messages to
>> > > > > > >> ignore.
>> > > > > > >
>> > > > > > > I think it's a bug in Mailscanner. There appears to be code
>> > > > in place in
>> > > > > > > the routine which calls clamavmodule which disables 
>> blocking of
>> > > > > > > encrypted files if there is a config option 'allowpasszips'
>> > > > set but I
>> > > > > > > cannot find that option.
>> > > > > > >
>> > > > > > > Anyway below is a diff which disables blocking of
>> > encrypted archives
>> > > > > > > which is working fine for me.
>> > > > > > >
>> > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm
>> > > > > > > 1069c1069
>> > > > > > > <
>> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
>> > > > > > > |
>> > > > > > > ---
>> > > > > > >> #
>> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
>> > > > > > > |
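Review bot: commenting out the `Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()` term at line 1069 drops the flag unconditionally, so the clamavmodule path never reports an encrypted archive even when the administrator has configured MailScanner to block them; the message above says the routine already contains an `allowpasszips` test that is meant to drive this, so the change that belongs here is wiring that test to the real config setting rather than hard-disabling the flag, e.g. `($allowpasszips ? 0 : Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()) |`. Also check that the options expression still parses: the commented-out line carries its own trailing `|`, so if line 1069 was the last term of the flags chain the `|` on the preceding line is now left dangling.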
>> > > > > >
>> > > > > > [Quoting Julian from 07/20/2005]
>> > > > > > If you have MailScanner set to allow password-protected
>> > zip and rar
>> > > > > > archives, then this option is disabled. If you have it
>> > set to block
>> > > > > > password-protected archives, then this option is enabled.
>> > > > > > [Quoting Julian from 07/20/2005]
>> > > > > >
>> > > > > > See this thread:
>> > > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
>> > > > >
>> > > > > Thanks. I wanted Mailscanner to block encrypted archives
>> > which it does
>> > > > > well by itself but not to tell clamav to identify encrypted
>> > archives as
>> > > > > viruses.
>> > > > >
>> > > > It's Ruleset Time:
>> > > > You want MailScanner to block the initial message, hence you want a
>> > > > default of "yes" in the ruleset, but not when releasing from
>> > > > quarantine... so ... since this will likely be released from
>> > > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this 
>> on Scan
>> > > > Message) for that IP address. Problem solved:-).
>> > > >
>> > > > Cheers
>> > > > --
>> > > > -- Glenn
>> > >
>> > > Please read my question again. The problem was mailwatch not
>> > allowing the
>> > > file to be released from quarantine because it was identified
>> > as a virus.
>> > > Not the fact that a released message was being re-quarantined
>> > which your
>> > > answer would refer to.
>> > >
>> > Ah... Sorry for the sloppy reading, been on vacation.... not turned on
>> > brain, such as that is, yet:-).
>> > What you are really "griping" about is the default behaviour of MW to
>> > not let you release (some) harmful content (by not including the
>> > necessary checkboxes:). I do believe Aaron mentioned how to get around
>> > it... And it shouldn't be hard at all to modify MW to accommodate your
>> > idea about letting admin do that. Or simply release the file from a
>> > commandline (I'm pretty confident you know your way around that enough
>> > to manage;-). If your aim is users releasing this file themselves....
>> > this might be slightly more problematic.
>> > As I'm sure you realise, one "solution" is to allow encrypted
>> > archives, bad as that may seem.... Or switch to clamscan, where that
>> > is more readily settable.
>> >
>> > Cheers
>> > --
>> > -- Glenn
>>
>> I did manage to get it working as I wanted it by editing the perl code 
>> which
>> calls clamavmodule so that password protected archives were not 
>> classed as a
>> virus. That leaves it down to mailscanner to detect itself which then 
>> as it
>> is just classed as a blocked attachment and not a virus allows 
>> mailwatch to
>> release it.
>>
>> I have the patch together with a few other customisations I have made
>> detailed on my webpage :-
>> http://www.gbnetwork.co.uk/mailscanner/index.html
>>
> Ah great. Perhaps when Jules is better he'll grace us with yet another
> config option for this:-).

Anything new on this subject?

I also agree that we should have an option, or that clamav should never 
identify a passwd-zip as a virus.  The MS setting is there and, at least, 
one can release it if MS stops it.

Ugo
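Added example (Python, not code from MailScanner, MailWatch or ClamAV, and not posted by anyone in this thread). The thread turns on the difference between two verdicts on a password-protected archive: the AV engine calling it a virus (clamavmodule with CL_SCAN_BLOCKENCRYPTED set) and the gateway's own attachment policy blocking it as a "blocked attachment". The script below does the second check directly on the ZIP headers, so the policy decision does not depend on what the scanner was told to report. Python's zipfile module cannot write encrypted archives, so the sample archives are constructed by hand with only the encryption flag bit set (their member bodies are plain bytes); the file names, the flag values and the verdict strings are assumptions made for the example. It also covers the case a one-header checker gets wrong: an archive whose local file header and central directory disagree about the flag.

```python
"""Added example, not code from MailScanner, MailWatch or ClamAV.

Attachment-policy check for password-protected ZIP members, done on the
ZIP headers themselves and kept separate from any AV verdict. Sample
archives are constructed inline (Python's zipfile cannot write encrypted
ZIPs); the "encrypted" members are plain bytes with only the flag bit set.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"            # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"    # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"                # 22-byte end-of-central-directory record
FLAG_ENCRYPTED = 0x0001                # general-purpose bit 0: traditional PKZIP encryption
FLAG_STRONG_ENC = 0x0040               # general-purpose bit 6: strong encryption
DOS_DATE = ((2007 - 1980) << 9) | (5 << 5) | 18   # 18 May 2007; any valid DOS date works


def build_zip(entries):
    """Build a minimal stored ZIP from (name, data, local_flags, central_flags).

    Constructed test data. Separate flag values let us forge an archive whose
    two headers disagree, which is the case a central-directory-only checker misses.
    """
    locals_, centrals, offset = [], [], 0
    for name, data, l_flags, c_flags in entries:
        nb = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, l_flags, 0, 0, DOS_DATE,
                            crc, len(data), len(data), len(nb), 0) + nb + data
        central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, c_flags, 0, 0, DOS_DATE,
                              crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, offset) + nb
        locals_.append(local)
        centrals.append(central)
        offset += len(local)
    cd = b"".join(centrals)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), offset, 0)
    return b"".join(locals_) + cd + eocd


def encrypted_members(blob):
    """Names of members with an encryption bit set in the central directory OR
    the local header. Raises ValueError when the structure cannot be walked."""
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    if cd_off + cd_size > eocd_at:
        raise ValueError("central directory overruns the EOCD record")
    pos, found = cd_off, []
    for _ in range(total):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        f = struct.unpack_from(CENTRAL_FMT, blob, pos)
        c_flags, fn_len, extra_len, cmt_len, local_off = f[3], f[10], f[11], f[12], f[16]
        name = blob[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        pos += 46 + fn_len + extra_len + cmt_len
        if blob[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header for {name!r}")
        l_flags = struct.unpack_from("<H", blob, local_off + 6)[0]   # flags sit after sig+version
        if (c_flags | l_flags) & (FLAG_ENCRYPTED | FLAG_STRONG_ENC):
            found.append(name)
    return found


def classify(blob):
    """Attachment-policy verdict (assumed labels), independent of any AV result."""
    try:
        hits = encrypted_members(blob)
    except ValueError as exc:
        return "blocked-malformed", str(exc)
    return ("blocked-encrypted", hits) if hits else ("ok", [])


def stdlib_sees_encrypted(blob, name):
    """What the standard library reports; it trusts the central directory flags only."""
    return bool(zipfile.ZipFile(io.BytesIO(blob)).getinfo(name).flag_bits & FLAG_ENCRYPTED)


def stdlib_read(blob, name):
    """Sanity check that the hand-built archive is a real ZIP the stdlib can read."""
    return zipfile.ZipFile(io.BytesIO(blob)).read(name)


# Constructed sample inputs (names and contents are made up for the example).
PLAIN_ZIP = build_zip([("readme.txt", b"hello", 0, 0)])
ENCRYPTED_ZIP = build_zip([("invoice.doc", b"plain bytes", FLAG_ENCRYPTED, FLAG_ENCRYPTED)])
MIXED_ZIP = build_zip([("a.txt", b"x", 0, 0), ("b.txt", b"y", FLAG_ENCRYPTED, FLAG_ENCRYPTED)])
# Header disagreement: the bit is set only in the local header, cleared in the central directory.
LOCAL_ONLY_ZIP = build_zip([("t.txt", b"z", FLAG_ENCRYPTED, 0)])

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP),
                        ("mixed", MIXED_ZIP), ("local-only flag", LOCAL_ONLY_ZIP)]:
        print(f"{label:16} -> {classify(blob)}")
```

The verdict string is what a gateway would act on ("blocked-encrypted" is a policy block that an administrator can release, not a virus detection), and a malformed archive is blocked rather than passed, since an unparseable ZIP is exactly what an attacker sends to slip past a permissive checker. The LOCAL_ONLY_ZIP case shows why both headers are consulted: the stdlib's getinfo() reports that member as not encrypted because it reads only the central directory.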



More information about the MailScanner mailing list