Tim Jackson wrote:
> couple of copies of SirCam come through. clamd logs don't appear to even
> show an attempt to scan by Exiscan. exiscan_demime_condition is set to
> true. The viruses have this in their headers:
>
> X-Broken-MIME: base64 line length is not a multiple of 4 characters
Yes, those are really broken. The last base64 line is either missing one
padding character or has one too many.
> So, does this mean that if Exiscan detects broken MIME (and
> exiscan_demime_action = pass), it just doesn't unpack it at all? This is a
> bit worrying, at least until Tom thinks it's robust enough to turn
> exiscan_demime_action = reject on.
The -24 is already very robust; I have just fixed one (final?) bug with
single-part b64 messages (which are very uncommon). I think -25 will
have "reject" as the demime default action. I have relaxed checking on
quoted-printable attachments a bit, since that is where the most false
positives are.
RipMime DOES unpack such broken containers, but the result may or may
not be correct. This is why I have dropped it.
> At the very least, could we not pass broken MIME through to the virus
> scanner verbatim so there's at least a *possibility* of it picking up a
> virus if it has inbuilt MIME capability (but which we might ordinarily
> pass over, preferring Exiscan's de-miming)?
Your virus scanner still has the MBOX-style -complete file to scan; if
its internal demime engine is "good" (or not "good" :) enough, it
will still pick up MIME-broken viruses.
regards,
/tom
--
Tom Kistner <tom@???>
ICQ 1501527 dcanthrax@efnet
http://duncanthrax.net
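The padding problem Tom describes above (a last base64 line that is one '=' short or one '=' too many, so its length is not a multiple of 4) is easy to see in code. What follows is an added example, not Exiscan's, RipMime's or Tom's code: a strict per-line check of the kind the X-Broken-MIME header implies, next to a relaxed decoder that repairs the padding and decodes anyway, with a "reject"/"pass" switch standing in for exiscan_demime_action. The function names and the three sample attachment bodies are assumptions constructed for the example.

```python
import base64
import re

# Constructed sample base64 attachment bodies (not taken from the message
# above). The payload is "Hello, world!", which encodes to 18 data
# characters plus exactly two '=' padding characters (20 in total).
BODY_OK = "SGVsbG8sIHdvcmxkIQ=="
BODY_MISSING_PAD = "SGVsbG8sIHdvcmxkIQ="     # 19 characters, one '=' short
BODY_EXTRA_PAD = "SGVsbG8sIHdvcmxkIQ==="     # 21 characters, one '=' too many

B64_LINE = re.compile(r"^[A-Za-z0-9+/]*=*$")


def classify_line(line):
    """Strict check of one base64 line, as a demime pass would do it.

    Returns 'ok', 'missing-padding', 'extra-padding', 'bad-length' (a data
    length that no amount of padding can make valid) or 'bad-chars'.
    """
    line = line.rstrip("\r\n")
    if not B64_LINE.match(line):
        return "bad-chars"
    data = line.rstrip("=")
    pads = len(line) - len(data)
    if len(data) % 4 == 1:
        # 6-bit groups come in multiples of 2, 3 or 4 characters; a single
        # leftover character encodes no whole byte.
        return "bad-length"
    need = -len(data) % 4            # '=' characters a correct encoder emits
    if pads == need:
        return "ok"
    return "extra-padding" if pads > need else "missing-padding"


def repair_body(body):
    """Drop whatever '=' padding the sender wrote and re-add what is needed.

    This is the relaxed path: it guesses that the data characters are right
    and only the padding is wrong, which may or may not be what was sent.
    """
    data = "".join(l.rstrip("\r\n").rstrip("=") for l in body.splitlines())
    if len(data) % 4 == 1:
        raise ValueError("data length mod 4 == 1: no padding can fix this")
    return data + "=" * (-len(data) % 4)


def demime_base64(body, action="reject"):
    """Decode a base64 attachment body; returns (per-line verdicts, payload).

    action='reject': any broken line leaves payload as None, so the caller
                     can bounce the message instead of scanning a guess.
    action='pass':   padding is repaired and the body decoded anyway.
    Lines that cannot be repaired give None under either action.
    """
    verdicts = [classify_line(l) for l in body.splitlines()]
    if any(v in ("bad-chars", "bad-length") for v in verdicts):
        return verdicts, None
    if action == "reject" and any(v != "ok" for v in verdicts):
        return verdicts, None
    payload = base64.b64decode(repair_body(body), validate=True)
    return verdicts, payload


if __name__ == "__main__":
    for name, body in [("ok", BODY_OK), ("missing", BODY_MISSING_PAD),
                       ("extra", BODY_EXTRA_PAD)]:
        for action in ("reject", "pass"):
            print(name, action, demime_base64(body, action))
```

With action="reject" only the well-formed body yields a payload; with action="pass" all three decode to the same bytes, which is what the relaxed path buys and also why its output cannot be trusted to be what the sender meant.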