Executable vs Binary

Jerry Benton jerry.benton at mailborder.com
Sun May 3 14:52:14 UTC 2015


Shawn,

I appreciate you running this down. I agree that allowing a block device driver isn’t a great idea, but it seems this is how Office 2007 encodes certain items. At least they removed that crap in later versions.

-
Jerry Benton
www.mailborder.com



> On May 2, 2015, at 3:56 PM, Shawn Iverson <IversonS at rushville.k12.in.us> wrote:
> 
> Ok....no expert on filetype magic here....but this is what I see....
> 
> File v5.22 has the following magic:
> 
> 0       ulequad&0x07a0ffffffff          0xffffffff              DOS executable (
> >4      uleshort&0x8000                 0x0000                  \bblock device driver
> >0      ubyte                           x                       \b)
> 
> And the .dat file starts off with
> 
> ffff ffff
> 
> which hits the DOS executable part
> 
> and then has a bunch of
> 
> 0000
> 
> which is the block device driver part
> 
> Which is a very very generic test and will fire on a lot of things.
> 
> Here's the quick and dirty fix for this problem assuming the dat files are commonly formatted in this fashion in Office documents:
> 
> archive.filetype.rules.conf:
> # Allow .dat files in newer MS Office documents
> allow   DOS executable (block device driver)  -       -
> 
> A more elaborate solution will involve modifying the source, but I am struggling with how the code might identify the documents and then apply an exception since this is such a generic test and will affect a lot of things.
> 
> 
> On Thu, Apr 16, 2015 at 3:45 PM, Jerry Benton <jerry.benton at mailborder.com> wrote:
> Has anyone dealt with this? I can’t decide if I should mod the source or just change the configs:
> 
> - Microsoft document comes through with some sort of dat file embedded. While MS sees that dat file as text/plain, the character set is binary, so it nails it as an executable.
> - Allowing executables will allow the file.
> 
> So, there’s the rub. Under the current code we have to allow executables for these “newer” types of Microsoft documents to get through. This isn’t restricted to just Microsoft. There are several other file formats that make MailScanner fire on this.
> 
> 
> Ideas?
> 
> -
> Jerry Benton
> www.mailborder.com
> 
> 
> 
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
> 
> 
> 
> 
> -- 
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
> 
> 
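
As an added illustration (not part of the original thread, and not code from MailScanner or file), this Python sketch evaluates only the three magic lines quoted above against constructed byte strings, to show how few header bits the test inspects. The function names and sample data are assumptions made for the example.

```python
import struct

# The three magic lines quoted above (file 5.22), expressed as constants.
QUAD_MASK = 0x07A0FFFFFFFF   # ulequad&0x07a0ffffffff at offset 0
QUAD_WANT = 0xFFFFFFFF       # masked value must equal 0xffffffff
ATTR_MASK = 0x8000           # uleshort&0x8000 at offset 4
ATTR_WANT = 0x0000           # bit 15 clear -> "block device driver"


def classify(data: bytes):
    """Return the description these three lines produce, or None if no match."""
    if len(data) < 8:                      # ulequad needs 8 bytes at offset 0
        return None
    (quad,) = struct.unpack_from("<Q", data, 0)
    if quad & QUAD_MASK != QUAD_WANT:
        return None
    desc = "DOS executable ("
    (attr,) = struct.unpack_from("<H", data, 4)
    if attr & ATTR_MASK == ATTR_WANT:
        desc += "block device driver"      # leading \b: no space is inserted
    return desc + ")"                      # ">0 ubyte x" always matches


def constrained_bits():
    """Number of header bits the quoted tests actually examine."""
    return bin(QUAD_MASK).count("1") + bin(ATTR_MASK).count("1")


# Constructed sample inputs (hypothetical, not taken from a real attachment).
SAMPLES = {
    "ff*4 then zeros (like the .dat)": b"\xff" * 4 + b"\x00" * 28,
    "ff*4 then arbitrary data":        b"\xff\xff\xff\xff\x00\x00\x12\x34ABCD",
    "ff*4, attribute bit 15 set":      b"\xff\xff\xff\xff\x00\x80" + b"\x00" * 10,
    "ff*4 with a masked bit set":      b"\xff\xff\xff\xff\x20\x00\x00\x00",
    "plain text":                      b"Hello, world\n" * 3,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:34} -> {classify(blob)}")
    print("header bits examined:", constrained_bits(), "of 64")
```

Any data beginning with four 0xff bytes followed by two zero bytes produces the exact string that the `allow` rule in the quoted message matches.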
