Executable vs Binary

Shawn Iverson iversons at rushville.k12.in.us
Sat May 2 19:56:22 UTC 2015 

Ok....no expert on filetype magic here....but this is what I see....

File v5.22 has the following magic:

0       ulequad&0x07a0ffffffff          0xffffffff              DOS
executable (
>4      uleshort&0x8000                 0x0000                  \bblock
device driver
>0      ubyte                           x                       \b)

And the .dat file starts off with

ffff ffff

which hits the DOS executable part

and then has a bunch of

0000

which is the block device driver part

Which is a very very generic test and will fire on a lot of things.

Here's the quick and dirty fix for this problem assuming the dat files are
commonly formatted in this fashion in Office documents:

archive.filetype.rules.conf:
# Allow .dat files in newer MS Office documents
allow   DOS executable (block device driver)  -       -

A more elaborate solution will involve modifying the source, but I am
struggling with how the code might identify the documents and then apply an
exception since this is such a generic test and will affect a lot of things.


On Thu, Apr 16, 2015 at 3:45 PM, Jerry Benton <jerry.benton at mailborder.com>
wrote:

> Has anyone dealt with this? I can’t decide if I should mod the source or
> just change the configs:
>
> - Microsoft document comes through with some sort of dat file embedded.
> While MS see that dat file as text/plain, the character set is binary, so
> it nails it as an executable.
> - Allowing executables will allow the file.
>
> So, there’s the rub. Under the current code we have to allow executables
> for these “newer” types of Microsoft documents to get through. This isn’t
> restricted to just Microsoft. There are several other file formats that
> make MailScanner fire on this.
>
>
> Ideas?
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20150502/096783fc/attachment.html>

More information about the MailScanner mailing list