Executable vs Binary

Shawn Iverson iversons at rushville.k12.in.us
Sat May 2 19:56:22 UTC 2015

Ok....no expert on filetype magic here....but this is what I see....

File v5.22 has the following magic:

0       ulequad&0x07a0ffffffff          0xffffffff              DOS
executable (
>4      uleshort&0x8000                 0x0000                  \bblock
device driver
>0      ubyte                           x                       \b)

And the .dat file starts off with

ffff ffff

which hits the DOS executable part

and then has a bunch of


which is the block device driver part

Which is a very very generic test and will fire on a lot of things.

Here's the quick and dirty fix for this problem assuming the dat files are
commonly formatted in this fashion in Office documents:

# Allow .dat files in newer MS Office documents
allow   DOS executable (block device driver)  -       -

A more elaborate solution will involve modifying the source, but I am
struggling with how the code might identify the documents and then apply an
exception since this is such a generic test and will affect a lot of things.

On Thu, Apr 16, 2015 at 3:45 PM, Jerry Benton <jerry.benton at mailborder.com>

> Has anyone dealt with this? I can’t decide if I should mod the source or
> just change the configs:
> - Microsoft document comes through with some sort of dat file embedded.
> While MS see that dat file as text/plain, the character set is binary, so
> it nails it as an executable.
> - Allowing executables will allow the file.
> So, there’s the rub. Under the current code we have to allow executables
> for these “newer” types of Microsoft documents to get through. This isn’t
> restricted to just Microsoft. There are several other file formats that
> make MailScanner fire on this.
> Ideas?
> -
> Jerry Benton
> www.mailborder.com
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner

Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20150502/096783fc/attachment.html>

More information about the MailScanner mailing list