FileType rules show executable even though file shows data -- Please help fix.
Peter Ong
peter.ong at hypermediasystems.com
Thu Jul 8 17:34:35 IST 2010
Hello Everyone,
I searched through my entire quarantine folder and grep'd for files named in this format msg-12341-1.txt. I scanned them with file and file -i. The following are the results.
I entered them into my filetype.conf.rules and it seems to work.
allow ASCII English text, with escape sequences text/plain; charset=us-ascii - -
allow ASCII text text/plain; charset=us-ascii - -
allow DOS executable text/plain; charset=iso-8859-1 - -
allow DOS executable text/plain; charset=unknown - -
allow DOS executable text/plain; charset=utf-8 - -
allow DOS executable text/x-mail; charset=unknown - -
allow DOS executable text/x-mail; charset=utf-8 - -
allow HTML document text text/html - -
allow UTF-8 Unicode English text text/plain; charset=utf-8 - -
I tested that I'm not inadvertently letting DOS executables through, and they remain blocked. It appears that when both 2/5 and 3/5 are true, they are a match and thus allowed through. If someone could verify, that would be nice.
In the time when I didn't have a solution, I changed the /usr/bin/file to /usr/bin/file -i just to alleviate the problem. But I think this one solves it, but I don't know whether this is the right way to do it.
I have prepended to my filetype.rules.conf.
p
----- Original Message -----
> From: "Peter Ong" <peter.ong at hypermediasystems.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Tuesday, July 6, 2010 11:05:17 AM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> I am thoroughly confused.
>
> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
>
> It is not getting caught on this line in the logs... it clearly says
> "No programs allowed".
>
> Is there documentation somewhere I'm neglecting to read?
>
> p
>
> ----- Original Message -----
>
> > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Sent: Tuesday, July 6, 2010 10:00:13 AM
> > Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
> >
> > It's talking about the attachment in the message, not the message
> > body+headers itself.
> >
> > Do a "file" on msg-16388-1.txt (not a "file -i").
> >
> > On 06/07/2010 16:43, Peter Ong wrote:
> > > Hello Everyone,
> > >
> > > I really need help on this filetype issue.
> > >
> > > First, when I scan the original message it shows as "data", and
> > > when I scan the mime version, it shows as "text/x-mail; charset=unknown".
> > >
> > > I keep getting this message even after I have edited the
> > > filetype.conf.rules file:
> > > At Tue Jul 6 08:29:47 2010 the virus scanner said:
> > > MailScanner: No programs allowed (msg-16388-1.txt)
> > >
> > >
> > > Proof:
> > > [root at gateway005.inf 64BCE572B7.A0F44]# file 64BCE572B7
> > > 64BCE572B7: data
> > >
> > > [root at gateway005.inf 64BCE572B7.A0F44]# file -i msg-16388-1.txt
> > > msg-16388-1.txt: text/x-mail; charset=unknown
> > >
> > > HELP!!! What can I do? Thank you in advance.
> > >
> > > These are the contents of my filetype.conf.rules file:
> > >
> > > allow - text - -
> > > allow - text - -
> > > allow - text/x-mail - -
> > > allow - text/plain - -
> > > allow - message/rfc822 - -
> > > allow - text/x-mail - -
> > > allow - text/x-mail; charset=unknown - -<<<<<<<<<<<<<<< I added this
> > > allow - text/plain - -
> > > allow - text/plain; charset=unknown - -
> > > allow - text/plain; charset=iso-8859-1 - -
> > > allow - text/plain; charset=utf-8 - -
> > > allow - text/plain; charset=iso-8859-1 - -
> > > allow text text/x-mail - -
> > > allow text text/plain - -
> > > allow text message/rfc822 - -
> > > allow data text/x-mail; charset=unknown - -<<<<<<<<<<<<<< I added this
> > > allow data text/x-mail - -
> > > allow data text/plain - -
> > > allow data text/plain; charset=unknown - -
> > > allow data text/plain; charset=iso-8859-1 - -
> > > allow data text/plain; charset=utf-8 - -
> > > allow RFC 822 mail text text/plain; charset=iso-8859-1 - -
> > >
> > > allow text - -
> > > allow data - -
> > > allow \bscript - -
> > > allow archive - -
> > > allow postscript - -
> > > deny self-extract No self-extracting archives No self-extracting archives allowed
> > > deny executable No executables No executables allowed<<<<<<<<<<<<<<<<<<< keeps getting caught here...
> > > #EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed
> > > deny - x-dosexec No DOS executables No DOS programs allowed
> > > deny ELF No executables No programs allowed
> > > deny Registry No Windows Registry entries No Windows Registry files allowed
> > >
> > > #deny MPEG No MPEG movies No MPEG movies allowed
> > > #deny AVI No AVI movies No AVI movies allowed
> > > #deny MNG No MNG/PNG movies No MNG movies allowed
> > > #deny QuickTime No QuickTime movies No QuickTime movies allowed
> > > #deny ASF No Windows media No Windows media files allowed
> > > #deny metafont No Windows Metafont drawings No WMF drawings allowed
> > >
> >
> > Jules
> >
> > --
> > Julian Field MEng CITP CEng
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> >
> > Need help customising MailScanner?
> > Contact me!
> > Need help fixing or optimising your systems?
> > Contact me!
> > Need help getting you started solving new requirements from your
> > boss?
> > Contact me!
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> >
More information about the MailScanner
mailing list
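
The inventory step described at the top of this message (finding every msg-N-N.txt file in quarantine and recording what `file` and `file -i` report for it), as an added example that is not part of the original post. `FILE_BIN` and both function names are assumptions of this sketch, and file names are assumed not to contain newlines.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Lists every distinct (file output, file -i output) pair seen on quarantined
# message-body files, so each pair can be reviewed before it is turned into
# an allow rule.

# FILE_BIN is an assumption of this sketch: the classifier to run.
FILE_BIN="${FILE_BIN:-file}"

# survey_quarantine DIR
# Prints "count<TAB>file output<TAB>file -i output", most frequent pair first.
survey_quarantine() {
    find "$1" -type f -name 'msg-*-*.txt' |
    while IFS= read -r f; do
        # -b drops the leading "name:" so identical results group together.
        printf '%s\t%s\n' "$("$FILE_BIN" -b "$f")" "$("$FILE_BIN" -b -i "$f")"
    done |
    sort | uniq -c | sort -rn |
    awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# executable_pairs DIR
# Only the pairs whose `file` description contains "executable": these are
# the ones to inspect by hand before writing any allow line for them.
executable_pairs() {
    survey_quarantine "$1" | awk -F '\t' '$2 ~ /executable/'
}

# Stand-alone use: pass the quarantine directory as the first argument.
if [ "$#" -gt 0 ]; then
    survey_quarantine "$1"
fi
```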