Re: [exim] How to debug malware

Author: Nigel Wade
Date:  
To: Exim users list
Subject: Re: [exim] How to debug malware
Jakob Hirsch wrote:
> Nigel Wade wrote:
>
>
>>>>Sophos won't find a virus in an attachment whilst it's part of the
>>>>message - it needs to scan each component separately. Exiscan would
>>>>split the message into its constituent parts, each in a separate file.
>>>
>>>This is not an "incompatibility", Exim just does what you tell it.
>>
>>If you are happy that they are compatible
>
>
> I didn't say that.


You said "This is not an incompatibility". That sounds to me like you are saying
they are compatible. What were you saying?

> They may be incompatible, I don't know that (though I
> doubt it), but surely not because of Exim not being able to extract
> attachments for the virus scanner.


It's exactly that. How does Exim extract the attachments for the virus scanner?
I have not been able to get it to do that.

>
>
>>>Anyway, demime is deprecated, but putting "decode = default" in the mime
>>>acl provides similar functionality.
>>
>>It doesn't provide similar functionality at all.
>
>
> The spec says "The demime ACL condition provides MIME unpacking, sanity
> checking and file extension blocking. It uses a simpler interface to MIME
> decoding than the MIME ACL functionality, but provides no additional
> facilities."


Apparently not similar enough, though.

>
>
>>How can you use a decode=default to scan for viruses?
>>The decode=default is part of the MIME ACL and the malware=*
>>is part of the data ACL.
>
>
> The files extracted by decode=$whatever are deleted after the data acl is
> run, so the virus scanner in the data acl will see the complete message
> and all contained files.


In my tests the directory passed to the av_scanner did not contain the
components, only the complete message in a .eml file. I wasn't able to see the
message components in the data ACL/av_scanner.

>
> Don't know why the spec says that demime is needed for that, probably a
> relic from pre-mime_acl times.


Perhaps it is needed?

> Phil or Tom (or whoever can do it), could
> you check this?
>
>>Furthermore, according to the documentation, the MIME ACL will
>>only unpack MIME components if the mail message contains a
>>MIME-Version: header. I would rather not have to rely on the
>>co-operation of the virus writers by requiring this
>>header be in the message for the virus scanning to work.
>
>
> MIME-Version is a required header line for MIME messages (RFC1341 says
> MUST), so messages without it are not MIME compliant.


But they may still contain a virus. RFC1341 doesn't say what the contents of a
valid virus message must contain ;-)

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
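The wiring the two posters are arguing about, written out as an added example (constructed for this page, not taken from the thread or from Exim's documentation): a MIME ACL that runs decode = default and a DATA ACL that runs malware = *, as Jakob describes the arrangement. The av_scanner line is an assumption; sophie is the Sophos-based daemon Exim supports, and the socket path is a placeholder.

```exim
# Constructed example, not from the thread. Main configuration section:
acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data
# Assumed scanner: "sophie" is Exim's interface to the Sophos-based Sophie
# daemon; the socket path is a placeholder for your installation.
av_scanner = sophie:/var/run/sophie

begin acl

acl_check_mime:
  # Unpack every MIME part into Exim's scan directory. Per the quoted
  # description, the files persist until the DATA ACL has finished.
  accept decode = default

acl_check_data:
  # Hand the message (and whatever is in the scan directory) to av_scanner.
  deny   malware = *
         message = Rejected: malware detected ($malware_name)
  accept
```

Whether the scanner actually sees the decoded parts in the DATA ACL is exactly the point in dispute above; this fragment only shows where each condition is placed.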