Re: [exim] Exim 4.51 with ClamAV question.

Author: Ian Eiloart
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.51 with ClamAV question.


--On 9 June 2005 11:41:13 +1000 Ted Cooper <eximx1805@???> wrote:

>
> JM wrote:
>> Besides just checking for malware with:
>>   # Reject virus infested messages.
>>   deny  message = This message contains malware ($malware_name)
>>         malware = *

>>
>> Is it possible to look inside a zipped file for M$ files
>> such as .exe .pif…… and bounce with something like
>> A 550 the file you sent, has self executing code, please rename
>> the file(s) and re-zip and send again…..
>>
>
> I was pondering the same question the other day as a way to stop all these
> viruses that come with one executable file in them. Even if they are
> password protected, I can still get a listing of the file that is inside.
>
> Keeping in mind, of course, that ClamAV does have the ability to scan
> inside archives, just not password encrypted ones.
>
> My train of thought moved to the individual MIME part ACL (acl_smtp_mime)
> available as part of 4.50+ and 4.x+exiscan. With this you could figure if
> it was a zip file and run some external command that did all the checking
> with the ${run directive (list contents of zip file, check to see if
> there's one file, see if it's an executable type or other blocked type).
> If someone knows how to do that _inside_ exim, that would be really cool
> :)
>
> This should really be part of a good file blocking system anyway,
> otherwise people can just zip dangerous content and send it anyway!
> A possible extension on this would be, once the virus writers have started
> adding more than 1 file to a zip file to help them get through, would be
> to try guess if the one executable is really a virus and if the other
> files are just filler.
>
> Do you think it's worth it? It's really only for passworded zips.


Not worth it. What do you do if your password encrypted zip contains
another zip file? You can't tell what that contains.

Best to just not accept them. If someone really wants that kind of security
let them use a secure ftp site, or something.

> Ted.
>



--
Ian Eiloart
Servers Team
Sussex University ITS
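The external check Ted describes calling from the MIME ACL via ${run, written here as an added Python example that is not from the thread or from Exim: it lists a zip's entries (names sit in the unencrypted central directory, so this works for passworded archives too), denies executable names, and also denies a nested archive, which is exactly the case Ian says cannot be inspected. The extension lists beyond .exe and .pif are an assumption of this example.

```python
from __future__ import annotations

import io
import zipfile

# .exe and .pif come from the thread; the rest is an assumed, constructed
# list of extensions treated as self-executing for this example.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# A zip inside a (possibly passworded) zip cannot be looked into, so it is
# rejected outright, following Ian's reasoning above.
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def inspect_zip(data: bytes) -> tuple[str, str]:
    """Return ("accept" | "deny", reason) for a zip given as raw bytes.

    Only the central directory is read; entry contents are never extracted,
    so an encrypted (passworded) entry is still classified by its name.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "deny", "not a valid zip archive"
    for info in archive.infolist():
        if info.is_dir():
            continue
        ext = _extension(info.filename)
        encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
        if ext in ARCHIVE_EXTENSIONS:
            return "deny", f"nested archive {info.filename} cannot be inspected"
        if ext in BLOCKED_EXTENSIONS:
            tag = " (encrypted entry)" if encrypted else ""
            return "deny", f"self-executing file {info.filename}{tag}"
    return "accept", "no blocked content"


def _build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip from {name: content} for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ({"report.pdf": b"%PDF-1.4"}, {"invoice.exe": b"MZ"},
                   {"docs/inner.zip": b"PK"}):
        print(inspect_zip(_build_zip(sample)))
```

Called from an ACL, the "deny" verdict would be mapped to the 550 text JM proposes; the reason string is what you would want in the log.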