Re: [exim] How to debug malware

Author: Dennis Davis
Date:  
To: exim-users
Subject: Re: [exim] How to debug malware
On Thu, 1 Dec 2005, Nigel Wade wrote:

> From: Nigel Wade <nmw@???>
> To: Exim users list <exim-users@???>
> Date: Thu, 01 Dec 2005 15:27:59 +0000
> Subject: Re: [exim] How to debug malware


...

> My mime ACL was incorrect, and it was not performing the decode
> = default. Now that I've fixed it as above it does the required
> action of decoding the mime parts. When the data acl is actioned,
> and the av_scanner is run, the decoded mime parts are all there
> in separate files in the directory which is passed to the
> av_scanner. Sophos sweep will now happily detect viruses both in
> the entire message, and in the decoded parts.
>
> Thanks for supplying the correct syntax of the mime ACL.


In an earlier message you said:

>Sorry, I forgot to add that the av_scanner is:
>
>av_scanner = cmdline:\
>               /usr/local/bin/sweep -ss -all -rec -archive %s:\
>               found:'(.+)


Note that Sophos sweep *won't* do any mime decoding unless you tell
it to. So change the above to:

av_scanner = cmdline:\
               /usr/local/bin/sweep -ss -all -rec -archive -mime %s:\
               found:'(.+)


and try again. You may well find you don't need your mime ACL.

It's *very* easy to miss this. It isn't documented in the manual
page for Sophos sweep and the example in the exim specification
doesn't include it. You only find it out by typing something like
"sweep --help" to get a list of the options.

You might want to have a look at the sophie daemon.

http://www.clanfield.info/sophie/

Using Sophos sweep is expensive.  Busy mail servers can really
profit from using sophie.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101
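The point of the thread, stated in code: a scanner that is handed only the raw message text never sees the bytes inside a base64-encoded attachment, which is why either the mime ACL's `decode = default` (which writes each decoded part to the scan directory) or sweep's own `-mime` option is needed. The following is an added example and not part of the original list message or of Exim or Sophos; it uses a constructed marker string in place of a real malware pattern and a hypothetical byte-matching scanner, and the decoding step is a stand-in for what the Exim mime ACL does, not Exim's own code.

```python
import tempfile
from pathlib import Path
from email import message_from_string
from email.message import EmailMessage

# Constructed stand-in for a malware pattern; the toy scanner below looks
# for these raw bytes in every file it is given.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def build_message() -> str:
    """Constructed sample message: a plain text body plus one binary
    attachment carrying the marker. The attachment is base64-encoded
    on the wire, so the marker never appears verbatim in the raw text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Hello, please see the attachment.")
    msg.add_attachment(SIGNATURE, maintype="application",
                       subtype="octet-stream", filename="payload.bin")
    return msg.as_string()


def decode_parts(raw: str, scan_dir: Path) -> list:
    """Hypothetical stand-in for an Exim mime ACL with 'decode = default':
    write every non-multipart MIME part, transfer-decoded, to its own
    file in the scan directory. Returns the paths written."""
    msg = message_from_string(raw)
    written = []
    for n, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        path = scan_dir / f"part-{n}"
        path.write_bytes(payload or b"")
        written.append(path)
    return written


def scan_dir_for_signature(scan_dir: Path) -> list:
    """Hypothetical byte-matching scanner run over a directory, the way
    Exim's cmdline av_scanner passes a directory to the external tool.
    Returns the files in which the marker was found."""
    return [p for p in sorted(scan_dir.iterdir())
            if p.is_file() and SIGNATURE in p.read_bytes()]


def run_pipeline(decode: bool) -> int:
    """Simulate one delivery: the raw message lands in the scan directory,
    optionally alongside its decoded parts, and the scanner runs.
    Returns the number of files that triggered the scanner."""
    raw = build_message()
    with tempfile.TemporaryDirectory() as d:
        scan_dir = Path(d)
        (scan_dir / "message").write_text(raw)
        if decode:
            decode_parts(raw, scan_dir)
        return len(scan_dir_for_signature(scan_dir))


if __name__ == "__main__":
    # Without decoding the scanner sees only base64 text and finds nothing;
    # with decoding the attachment's bytes are on disk and it is detected.
    print("raw message only:", run_pipeline(decode=False), "hit(s)")
    print("with decoded parts:", run_pipeline(decode=True), "hit(s)")
```

The same gap exists for any scanner that does not parse MIME itself; whether the decoding is done by Exim (mime ACL) or by the scanner (sweep `-mime`), one of the two has to do it, and a scan of the raw spool file alone gives a false sense of coverage.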