Re: [exim] Viruses

Góra strony
Delete this message
Reply to this message
Autor: John McMurray
Data:  
Dla: exim-users
Temat: Re: [exim] Viruses
Hi Lena,

Thanks, I actually managed to get this working...

In your initial mail you gave:

{UNRAR l}

I changed that to {unrar lb}

with only the l argument it seems that the unrar command produces a bit
of preamble before listing the files in the archives. using lb it just
lists the files and that seems to have fixed it.

Thanks for new code below, I'll look into checking with 7zip.

Regards,

John


On 02/04/2016 18:14, Lena@??? wrote:
>> From: John McMurray
>> This works well for zip files but it seems to be ignoring rar files.
>> I've check and double checked that both unzip and unrar are at the
>> locations that exim expects them to be at and that both unzip and unrar
>> do actually work.
>>>> UNZIP = /usr/bin/unzip
>>>> UNRAR = /usr/local/bin/unrar
>>>> deny set acl_m_att = ${if match{$mime_filename}{\N(?i)\.(zip|rar)$\N}{$1}}
>>>>    condition = ${if def:acl_m_att}
>>>>    message = A .$acl_m_att attachment contains a Windows-executable file
>>>>    decode = default
>>>>    log_message = forbidden binary in attachment: filename=$mime_filename, \
>>>>                  recipients=$recipients
>>>>    condition = ${if match{${run{${if eqi{$acl_m_att}{zip}\
>>>>                             {UNZIP -l}{UNRAR l}} $mime_decoded_filename}}}\
>>>>                          {\N(?i)\n .+\.(zip|rar|exe|com|vbs|bat|pif|scr|vb\
>>>>       |js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|hta)\n\N}}
> I don't know what went wrong. Can you save a .rar attachment and run this?

>
> /usr/local/bin/unrar l FILENAME.rar | hd | less
>
> Is filename shown? Does the string with the filename begin with a blank (20)?
>
> unrar under FreeBSD cannot show the filename of the file inside the archive
> if the filename contains Russian characters (in cp866 charset).
> Another archiver 7-Zip (7z) can list contents of various archives
> (zip, rar and others). Virus authors reckon that the targets/victims
> have 7-Zip installed in Windows.
> Under FreeBSD 7z shows question marks instead of Russian characters.
> The idea to use 7z for virus filtering in Exim was proposed (by Yura Scheglyuk)
> and discussed on the Russian Exim-users list (mailground.net).
>
> P7ZIP = /usr/local/bin/7z
> # port archivers/p7zip in case of FreeBSD
> WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs
> # more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs
> COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
> BINFORBIDDEN = Windows-executable attachments forbidden
> begin acl
> acl_check_mime:
>    deny message = BINFORBIDDEN
>         log_message = forbidden attachment: filename=$mime_filename, \
>                       content-type=$mime_content_type, recipients=$recipients
>         condition = ${if or{\
>                             {match{$mime_content_type}{(?i)executable}}\
>                             {match{$mime_filename}{\N(?i)\.(WINBIN)$\N}}\
>                            }}

>
>    deny message = Compressed BINFORBIDDEN
>         condition = ${if or{\
>                             {match{$mime_content_type}{(?i)application/\
>                                       (octet-stream|x(-zip)?-compressed|zip)}}\
>                             {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
>                            }}
>         condition = ${if <{$message_size}{1500K}}
>         decode = default
>         log_message = forbidden binary in attachment: filename=$mime_filename, \
>                       recipients=$recipients
>         condition = ${if match{${run{P7ZIP l $mime_decoded_filename}}}\
>                               {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

>
>    accept

>



--