RE: [exim] Let's talk Scanning, Demime, Decode, Malward (…

Author: Fred Viles
Date:  
To: exim-users
Old-Topics: RE: [exim] Let's talk Scanning, Demime, Decode, Malward (was: O'Reilly Exim book useful for Exim 4?)
New-Topics: RE: [exim] Let's talk Scanning, Demime, Decode, Malware
Subject: RE: [exim] Let's talk Scanning, Demime, Decode, Malward (was: O'Reilly Exim book useful for Exim 4?)
On 6 Jul 2005 at 14:04, Herb Martin wrote about
    "RE: [exim] Let's talk Scanning, Dem":
| > -----Original Message-----
| > [mailto:exim-users-bounces@exim.org] On Behalf Of Fred Viles
|
| > An unanswered question is whether there are still any AV
| > scanners that can't unpack MIME messages for themselves, and
| > hence still need demime. ClamAV does not (still need it),
| > contrary to the documentation.
|
| [Being picky...]
| That's actually not relevant to the point of whether the
| provided features work as documented, as previously
| documented, or haven't yet been fully documented.
[continuing pickiness]
AFAIK the features do work as documented, currently and previously.
Tim's HowTo is a good resource, but it is not official documentation
for exim (or the exiscan patch, before it was integrated).

That's not to say the documentation doesn't need improvement, of
course.

| The scanning features are extremely important to me, and
| to my current configuration. I appreciate them very much
| and ANY help that anyone can give me in improving my
| understanding or use of them.
One thing I didn't "get" at first is that exiscan just passes a
directory name to the scanner (at least clamav), which then scans any
and all files in the directory. That means when you use demime the
scanner winds up scanning the attachments twice, once in the message
file and once in each of the decoded files produced by demime.

AFAIK, the only way to avoid the double scan is to avoid using
demime, and point decode at an alternate directory.

Feature request: If there were a way to tell exiscan to pass an
alternate directory name, you could use conditional decode statements
to limit scanning to message parts meeting whatever criteria you
like. Or (maybe better) allow malware= in the MIME ACL, with the
effect that just the decoded file is passed to the scanner.

| I have the following working in the DATA ACL:
| 
| deny message   = Message contains malformed MIME ($demime_reason).
|      demime    = *
|      condition = ${if >{$demime_errorlevel}{2}{1}{0}}
| 
| deny message = This message contains malware ($malware_name)
|      #demime  = *
|      malware = */defer_ok
|
| ## Yes, my reference to demime is commented out in the malware
| ## test, and the scan is functioning correctly with ClamAV.
AIUI, it doesn't matter whether demime is commented out in the second
stanza. Once it's done, it's done.

FYI, here's the exiscan portion of my DATA ACL:

  # Quarantine messages with MIME packaging errors
  warn  message   = X-quarantine: Serious MIME defect detected ($demime_reason). folder=badmime
        demime    = *
        condition = ${if or { \
                       {>{$demime_errorlevel}{1}} \
                       {and { \
                          {>{$demime_errorlevel}{0}} \
                          {match {$demime_reason}{exceeds 76}} \
                        } \
                       } \
                     }{yes}{no}}

  # Quarantine messages with encrypted archives
  warn  message   = X-quarantine: Encrypted archive attached. folder=exe
        demime    = *
        malware   = Encrypted\..*

  accept
        demime    = *
        malware   = Encrypted\..*

  # Reject virus infested messages
  deny  message   = This message contains malware ($malware_name)
        demime    = *
        malware   = *

Adding an X-quarantine: header causes a redirect router to route the
message to the specified maildir folder for admin review.

- Fred
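Added illustration of the routing step Fred describes (not his configuration, and not taken from the Exim documentation): an accept router plus an appendfile transport, rather than a redirect router, that catches any message carrying the X-quarantine: header added by the DATA ACL warn verbs and files it in the maildir folder named by the folder= token. Assumed names and paths: the router `quarantine`, the transport `quarantine_maildir`, the tree /var/spool/quarantine with Courier/Dovecot-style `.folder` subdirectories, and the user/group `exim`.

```exim
begin routers

# Must be the first router, so a quarantined message is filed for admin
# review before any normal delivery router can accept it.
quarantine:
  driver = accept
  # Fires only when the DATA ACL added an X-quarantine: header.
  condition = ${if def:h_X-quarantine: {yes}{no}}
  transport = quarantine_maildir
  # Assumed local user that owns the quarantine tree.
  user = exim

begin transports

quarantine_maildir:
  driver = appendfile
  maildir_format
  # The header value ends in "folder=badmime" or "folder=exe"; extract{}
  # pulls that key=value token out of the header text. If two warn verbs
  # fired, $h_X-quarantine: holds both values and the first token wins.
  # Messages without a folder token (assumed fallback) go to "unsorted".
  directory = /var/spool/quarantine/.${extract{folder}{$h_X-quarantine:}{$value}{unsorted}}/
  create_directory
  # Keep the original envelope for later review of the quarantined copy.
  delivery_date_add
  envelope_to_add
  return_path_add
  user = exim
  group = exim
```

In a real configuration the router and transport are merged into the existing `begin routers` and `begin transports` sections; only the router's position at the top of its section matters.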