stopping clamav detecting encrypted zip files

Julian Field MailScanner at ecs.soton.ac.uk
Fri May 18 20:42:19 IST 2007


Ugo Bellavance wrote:
> Glenn Steen wrote:
>> On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>>> > -----Original Message-----
>>> > From: mailscanner-bounces at lists.mailscanner.info
>>> > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Glenn
>>> > Steen
>>> > Sent: 19 April 2007 19:35
>>> > To: MailScanner discussion
>>> > Subject: Re: stopping clamav detecting encrypted zip files
>>> >
>>> >
>>> > On 19/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>>> > > > -----Original Message-----
>>> > > > From: mailscanner-bounces at lists.mailscanner.info
>>> > > > [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf 
>>> Of Glenn
>>> > > > Steen
>>> > > > Sent: 19 April 2007 14:33
>>> > > > To: MailScanner discussion
>>> > > > Subject: Re: stopping clamav detecting encrypted zip files
>>> > > >
>>> > > >
>>> > > > On 05/04/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>>> > > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote:
>>> > > > > > Gareth wrote:
>>> > > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote:
>>> > > > > > >
>>> > > > > > >> Are you using the clamavmodule?  I've had the same
>>> > > > problem.  There's a
>>> > > > > > >> commandline switch to turn that notice if when using
>>> > > > clamscan, but not
>>> > > > > > >> with the module.  I'd suggested earlier that someone
>>> > > > should add code for
>>> > > > > > >> clamav, like the code for Sophos that allows you to
>>> > > > specify messages to
>>> > > > > > >> ignore.
>>> > > > > > >
>>> > > > > > > I think it's a bug in Mailscanner. There appears to be code
>>> > > > in place in
>>> > > > > > > the routine which calls clamavmodule which disables 
>>> blocking of
>>> > > > > > > encrypted files if there is a config option 'allowpasszips'
>>> > > > set but I
>>> > > > > > > cannot find that option.
>>> > > > > > >
>>> > > > > > > Anyway below is a diff which disables blocking of
>>> > encrypted archives
>>> > > > > > > which is working fine for me.
>>> > > > > > >
>>> > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm
>>> > > > > > > 1069c1069
>>> > > > > > > <
>>> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
>>> > > > > > > |
>>> > > > > > > ---
>>> > > > > > >> #
>>> > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()
>>> > > > > > > |
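Review bot: commenting out `Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |` removes the flag from the scan options unconditionally, so the module stops reporting encrypted archives even when MailScanner is configured to block password-protected archives; the guard you describe that keys on 'allowpasszips' is the right shape, so tie it to whichever config option actually controls password-protected archives and keep the flag when that option says block, instead of dropping it for every configuration. A short comment at the edit site noting that passworded archives in formats MailScanner cannot inspect itself will now pass without notice would help the next reader of this routine.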
>>> > > > > >
>>> > > > > > [Quoting Julian from 07/20/2005]
>>> > > > > > If you have MailScanner set to allow password-protected
>>> > zip and rar
>>> > > > > > archives, then this option is disabled. If you have it
>>> > set to block
>>> > > > > > password-protected archives, then this option is enabled.
>>> > > > > > [Quoting Julian from 07/20/2005]
>>> > > > > >
>>> > > > > > See this thread:
>>> > > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
>>> > > > >
>>> > > > > Thanks. I wanted Mailscanner to block encrypted archives
>>> > which it does
>>> > > > > well by itself but not to tell clamav to identify encrypted
>>> > archives as
>>> > > > > viruses.
>>> > > > >
>>> > > > It's Ruleset Time:
>>> > > > You want MailScanner to block the initial message, hence you 
>>> want a
>>> > > > default of "yes" in the ruleset, but not when releasing from
>>> > > > quarantine... so ... since this will likely be released from
>>> > > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this 
>>> on Scan
>>> > > > Message) for that IP address. Problem solved:-).
>>> > > >
>>> > > > Cheers
>>> > > > --
>>> > > > -- Glenn
>>> > >
>>> > > Please read my question again. The problem was mailwatch not
>>> > allowing the
>>> > > file to be released from quarantine because it was identified
>>> > as a virus.
>>> > > Not the fact that a released message was being re-quarantined
>>> > which your
>>> > > answer would refer to.
>>> > >
>>> > Ah... Sorry for the sloppy reading, been on vacation.... not 
>>> turned on
>>> > brain, such as that is, yet:-).
>>> > What you are really "griping" about is the default behaviour of MW to
>>> > not let you release (some) harmful content (by not including the
>>> > necessary checkboxes:). I do believe Aaron mentioned how to get 
>>> around
>>> > it... And it shouldn't be hard at all to modify MW to accommodate your
>>> > idea about letting admin do that. Or simply release the file from a
>>> > commandline (I'm pretty confident you know your way around that 
>>> enough
>>> > to manage;-). If your aim is users releasing this file themselves....
>>> > this might be slightly more problematic.
>>> > As I'm sure you realise, one "solution" is to allow encrypted
>>> > archives, bad as that may seem.... Or switch to clamscan, where that
>>> > is more readily settable.
>>> >
>>> > Cheers
>>> > --
>>> > -- Glenn
>>>
>>> I did manage to get it working as I wanted it by editing the perl 
>>> code which
>>> calls clamavmodule so that password protected archives were not 
>>> classed as a
>>> virus. That leaves it down to mailscanner to detect itself which 
>>> then as it
>>> is just classed as a blocked attachment and not a virus allows 
>>> mailwatch to
>>> release it.
>>>
>>> I have the patch together with a few other customisations I have made
>>> detailed on my webpage :-
>>> http://www.gbnetwork.co.uk/mailscanner/index.html
>>>
>> Ah great. Perhaps when Jules is better he'll grace us with yet another
>> config option for this:-).
>
> Anything new on this subject?
>
> I also agree that we should have an option, or that clamav should 
> never identify a passwd-zip as a virus.  The MS setting is there and 
> at least, one can release it if MS stops it.
How about I just apply your patch and stop ClamAV blocking 
password-protected archives?

MailScanner itself can only detect password-protected zips, tars and 
rars (from memory), whereas ClamAV might well be able to detect 
passworded archives of more formats. But the others are very rare anyway 
so it probably isn't a problem. But I thought I should let you know.

Still want me to apply your patch?

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
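As an added illustration of the distinction drawn above (MailScanner's own detection of password-protected archives versus asking ClamAV for CL_SCAN_BLOCKENCRYPTED), here is a small Python check that is not MailScanner or ClamAV code: it reads only a ZIP's central directory and reports which entries carry the "encrypted" flag, which is the signal an archive-policy check needs without treating the file as a virus. The sample archive is constructed in memory, and its "encrypted" entry merely has the flag bit set.

```python
import struct
import zlib

# ZIP general-purpose bit flag, bit 0 = "entry is encrypted" (PKWARE APPNOTE 4.4.4).
ZIP_FLAG_ENCRYPTED = 0x0001
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50

def build_zip(entries):
    """Constructed sample: minimal 'stored' ZIP from (name, payload, encrypted)
    triples. An 'encrypted' entry only gets the flag bit; nothing is enciphered."""
    local, central = b"", b""
    for name, payload, encrypted in entries:
        n = name.encode("ascii")
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        crc, size, offset = zlib.crc32(payload), len(payload), len(local)
        # Local file header (30 bytes) + name + data; date 0x21 = 1980-01-01.
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0x21,
                             crc, size, size, len(n), 0) + n + payload
        # Central directory header (46 bytes) + name.
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               0, 0, 0x21, crc, size, size, len(n), 0, 0, 0, 0,
                               0, offset) + n
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

def encrypted_zip_entries(data):
    """Names of entries whose central-directory flags say 'encrypted'. Needs no
    password and no extraction; single-disk, non-ZIP64 archives only."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    names = []
    for _ in range(count):
        if struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]      # flags at +8
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        if flags & ZIP_FLAG_ENCRYPTED:
            names.append(data[pos + 46:pos + 46 + nlen].decode("ascii", "replace"))
        pos += 46 + nlen + elen + clen                           # next header
    return names
```

A mail filter that classifies on this flag can report "password-protected archive" as a blocked attachment rather than a virus verdict, which is exactly the separation the thread is after.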
