Re: [exim] How to debug malware

Author: Nigel Wade
Date:  
To: Exim users list
New-Topics: Re: [exim] How to debug malware [SOLVED]
Subject: Re: [exim] How to debug malware
Jakob Hirsch wrote:
> Nigel Wade wrote:
>
>
>>Ok. I've got to the root of the problem, and it's a pretty annoying one.
>>It's an incompatibility between Exim 4.5 and Sophos sweep.
>>
>>Sophos won't find a virus in an attachment whilst it's part of the
>>message - it needs to scan each component separately. Exiscan would
>>split the message into its constituent parts, each in a separate file.
>
>
> This is not an "incompatibility", Exim just does what you tell it.


If you are happy that they are compatible, can you tell me how Exim can use
Sophos to scan a message which contains MIME components?

>
> The exiscan way was having a "demime = *" condition before your malware
> condition. You have no demime in the config you supplied, so I wonder
> how this worked before.


My config for Exim 4.3 has a demime=* in it. There is no demime in the config I
supplied because that is for Exim 4.5, and I'm trying to avoid the deprecated
condition.

>
> Anyway, demime is deprecated, but putting "decode = default" in the mime
> acl provides similar functionality.


It doesn't provide similar functionality at all. How can you use a
decode=default to scan for viruses? The decode=default is part of the MIME ACL
and the malware=* is part of the data ACL. All that gets passed to the
av_scanner is the name of a directory containing the *entire* message, not the
message components as was done by demime=*.

Furthermore, according to the documentation, the MIME ACL will only unpack MIME
components if the mail message contains a MIME-Version: header. I would rather
not have to rely on the co-operation of the virus writers by requiring this
header be in the message for the virus scanning to work.

> No need for demime, as Micheal wrote.


Unfortunately, there is. But I can't rely on it because it's deprecated and at
some time in the future it will undoubtedly be removed.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
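For readers following the thread, here are the two configurations being contrasted, written out as an added example (not from the original message, and not Nigel's or Jakob's actual configuration). The ACL names, the Sophos command line, and the `begin acl` layout are assumptions for illustration; the `cmdline:` scanner syntax is the `av_scanner` form Exim documents for driving a command-line scanner such as Sophos `sweep`, and `demime = *`, `decode = default` and `malware = *` are the conditions named in the thread.

```exim
# --- Constructed example, not from the original post ---

# av_scanner: drive Sophos sweep as a command-line scanner.
# cmdline:<command with %s for the path>:<trigger regex>:<name regex>
av_scanner = cmdline:/usr/local/bin/sweep -ss -all -archive %s:found:'(.+)'

acl_smtp_mime = acl_check_mime    # MIME ACL (Exim 4.5 style, assumed name)
acl_smtp_data = acl_check_data    # DATA ACL (assumed name)

begin acl

# (a) Exiscan-era approach, as described in the thread:
#     demime = * splits the message into its MIME parts, each in its
#     own file, and malware = * then runs after it in the same ACL.
#     demime is deprecated in Exim 4.5.
acl_check_data_exiscan:
  warn   demime    = *
  deny   malware   = *
         message   = This message contains malware ($malware_name)
  accept

# (b) Exim 4.5 approach, as suggested in the thread:
#     decode = default in the MIME ACL, malware = * in the DATA ACL.
#     Note that the MIME ACL only runs for messages carrying a
#     MIME-Version: header, which is the point Nigel raises above.
acl_check_mime:
  accept decode    = default

acl_check_data:
  deny   malware   = *
         message   = This message contains malware ($malware_name)
  accept
```

Only one `acl_smtp_data` can be active at a time, so a real configuration would point it at either `acl_check_data_exiscan` or `acl_check_data`, not both; the two are shown side by side here purely to make the difference the thread is discussing visible. Whether approach (b) actually causes the scanner to see the individual parts is exactly what the thread disputes, and the fragment above does not settle that.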