Re: [exim] How to debug malware

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Jakob Hirsch
Ημερομηνία:  
Προς: Nigel Wade
Υ/ο: Exim users list
Αντικείμενο: Re: [exim] How to debug malware
Nigel Wade wrote:

>>>Sophos won't find a virus in an attachment whilst it's part of the
>>>message - it needs to scan each component separately. Exiscan would
>>>split the message into its constituent parts, each in a separate file.
>> This is not an "incompability", Exim just does what you tell it.
> If you are happy that they are compatible


I didn't say that. They may be incompatible, I don't know that (though I
doubt it), but surely not because of Exim not being able to extract
attachments for the virus scanner.

>> Anyway, demime is deprecated, but putting "decode = default" in the mime
>> acl provides similar functionality.
> It doesn't provide similar functionality at all.


The spec says "The demime ACL condition provides MIME unpacking, sanity
checking and file extension blocking. It uses a simpler interface to MIME
decoding than the MIME ACL functionality, but provides no additional
facilities."

> How can you use a decode=default to scan for viruses?
> The decode=default is part of the MIME ACL and the malware=*
> is part of the data ACL.


The files extracted by decode=$whatever are deleted after the data acl is
run, so the virus scanner in the data acl will see the complete message
and all contained files.

Don't know why the spec says that demime is needed for that, probably a
relict from pre-mime_acl times. Phil or Tom (or whoever can do it), could
you check this?

> Furthermore, according to the documentation, the MIME ACL will
> only unpack MIME components if the mail message contains a
> MIME-Version: header. I would rather not have to rely on the
> co-operation of the virus writers by requiring this
> header be in the message for the virus scanning to work.


MIME-Version is a required header line for MIME messages (RFC1341 says
MUST), so messages without it are not MIME compliant.

Don't know why Tom did it this way. MUAs tend to be tolerant about such
things, so Exim should also.