[exim] handling of password protected archives with malware …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Patrick Cernko
Date:  
À: exim-users
Sujet: [exim] handling of password protected archives with malware scanner Avast
Hi list,

we recently started to use Avast as malware scanner in exim. I
discovered that (attached) password protected archives are handled
differently when using Avast in exim as av_scanner compared to clamav
and Kaspersky:

Avast reports error "Archive is password protected" about such a file,
which exim handles as a reported malware (in strict mode). This results
in a reject as malware by our exim setup. When using clamav or
Kaspersky, a mail with such an attachment is passed. This might be
intentional in general but in our setup, mails like this should be passed.

I developed and tested a small patch for exim that allows to configure
this behavior with a new av_scanner option "pass_pwarchives" similar to
"pass_unscanned". The patch was developed and tested for exim-4.92 but
it seems to (at least) apply for the current version too.

I would appreciate if you could integrate this patch (or it's idea) in
the next release. Feel free to adopt the code if it does not suite your
quality standards, coding style or anything else.

Best,
--
Patrick Cernko <pcernko@???>
Joint Administration: Information Services and Technology
Max-Planck-Institute für Informatik & Softwaresysteme--- exim4-4.92.orig/doc/spec.txt
+++ exim4-4.92/doc/spec.txt
@@ -30104,6 +30104,11 @@ avast
     decompression bombs, or invalid archives) are considered clean. Use with
     care.


+    If "pass_pwarchives" is set, archives the Avast scanner can't scan
+    due to password protection are considered clean. This is a subset
+    of "pass_unscanned", thus "pass_pwarchives" only makes sense if
+    "pass_unscanned" is NOT set. Use with care.
+
     For example:


     av_scanner = avast:/var/run/avast/scan.sock:FLAGS -fullfiles:SENSITIVITY -pup
--- exim4-4.92.orig/src/malware.c
+++ exim4-4.92/src/malware.c
@@ -1969,6 +1969,7 @@ b_seek:   err = errno;
       uschar * error_message = NULL;
       BOOL more_data = FALSE;
       BOOL strict = TRUE;
+      BOOL pwarchives = TRUE;


       /* According to Martin Tuma @avast the protocol uses "escaped
       whitespace", that is, every embedded whitespace is backslash
@@ -2062,6 +2063,12 @@ b_seek:   err = errno;
                   strict = FALSE;
                   goto sendreq;
                   }
+                if (Ustrcmp(scanrequest, "pass_pwarchives") == 0)
+                  {
+                  DEBUG(D_acl) debug_printf_indent("pass password protected archives as clean\n");
+                  pwarchives = FALSE;
+                  goto sendreq;
+                  }
         scanrequest = string_sprintf("%s\n", scanrequest);
         avast_stage = AVA_OPT;        /* just sent option */
         DEBUG(D_acl) debug_printf_indent("send to avast OPTION: %s", scanrequest);
@@ -2111,6 +2118,11 @@ b_seek:   err = errno;
                   unescape(malware_name);
                   DEBUG(D_acl)
                     debug_printf_indent("unescaped error message: '%s'\n", malware_name);
+                  if ( ! pwarchives && (Ustrcmp(malware_name, "Archive is password protected") == 0) )
+                    {
+                      log_write(0, LOG_MAIN, "Ignoring error about password protected archive");
+                      malware_name = NULL;
+                    }
                   break;
                   }
                 }