Re: [exim] How to debug malware

Top Page
Delete this message
Reply to this message
Author: Nigel Wade
Date:  
To: Exim users list
Subject: Re: [exim] How to debug malware
Jakob Hirsch wrote:
> Nigel Wade wrote:
>
>
>>>>>>Sophos won't find a virus in an attachment whilst it's part of the
>>>>>>message - it needs to scan each component separately. Exiscan would
>>>>>>split the message into its constituent parts, each in a separate file.
>>>>>
>>>>>This is not an "incompability", Exim just does what you tell it.
>>>>
>>>>If you are happy that they are compatible
>>>
>>>I didn't say that.
>>
>>You said "This is not an incompatibility". That sounds to me like you are
>>saying they are compatible. What were you saying?
>
>
> That a deficient configuration is not an incompability.
> But I really don't want to start a discussion about nothing.


I've had some more time to look into this, and I admit I had a deficient
configuration.

>
>
>>It's exactly that. How does Exim extract the attachments for the virus
>>scanner?
>
>
> This works here:
>
>
> acl_check_mime:
>
> warn decode = default
> [... some extension checks...]
>


My mime ACL was incorrect, and it was not performing the decode = default. Now
that I've fixed it as above it does the required action of decoding the mime
parts. When the data acl is actioned, and the av_scanner is run, the decoded
mime parts are all there in separate files in the directory which is passed to
the av_scanner. Sophos sweep will now happily detect viruses both in the entire
message, and in the decoded parts.

Thanks for supplying the correct syntax of the mime ACL.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555