Re: [exim] Exim 4.51 with ClamAV question.

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Ted Cooper
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Exim 4.51 with ClamAV question.
JM wrote:
> Besides just checking for malware with:
>   # Reject virus infested messages.
>   deny  message = This message contains malware ($malware_name)
>         malware = *

>
> Is it possible to look inside a zipped file for M$ files
> such as .exe .pif…… and bounce with something like
> A 550 the file you sent, has self executing code, please rename
> the file(s) and re-zip and send again…..
>


I was pondering the same question the other day as a way to stop all these
viruses that come with one executable file in them. Even if they are password
protectect, I can still get a listing of the file that is inside.

Keeping in mind, of course, that ClamAV does have the ability to scan inside
archives, just not password encrypted ones.

My train of thought moved to the individual MIME part ACL (acl_smtp_mime)
available as part of 4.50+ and 4.x+exiscan. With this you could figure if it
was a zip file and run some external command that did all the checking with
the ${run directive (list contents of zip file, check to see if there's one
file, see if it's an executable type or other blocked type). If someone knows
how to do that _inside_ exim, that would be really cool :)

This should really be part of a good file blocking system anyway, otherwise
people can just zip dangerous content and send it anyway!
A possible extention on this would be, once the virus writers have started
adding more than 1 file to a zip file to help them get through, would be to
try guess if the one executable is really a virus and if the other files are
just filler.

Do you think it's worth it? It's really only for passworded zips.

Ted.