[Mimedefang] Blocking ZIP viruses

Tomasz Ostrowski tometzky at zodiac.mimuw.edu.pl
Wed Jan 28 06:13:43 EST 2004


I've modified mimedefang-filter so it blocks ZIP files with
executables. It's ugly as hell (I do not know Perl - it's copy-paste
programming) but it works. It uses the zipinfo command to extract
filenames. Have a look at the diff below.

It blocks all recent Mydoom mails.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh



--- mimedefang-filter.orig	Tue Jan 27 16:45:56 2004
+++ mimedefang-filter	Tue Jan 27 16:49:42 2004
@@ -148,6 +148,46 @@
     return (wantarray ? (0, 'ok', 'ok') : 0);
 }
 
+sub zip_filter_bad_filename ($) {
+    my($entity) = @_;
+    unless ( re_match($entity, '\.' . 'zip' . '\.*([^-A-Za-z0-9_.,]|$)') ) {
+        return 0;
+    }
+    
+    my($body) = $entity->bodyhandle;
+    if (!defined($body)) {
+        return 0;
+    }
+    
+    # Get filename
+    my($path) = $body->path;
+    if (!defined($path)) {
+        return 1;
+    }
+    
+    # Run zipinfo
+    my($code, $category, $action) =
+        run_virus_scanner( "zipinfo $path" );
+    if ($action ne 'proceed') {
+        return $code;
+    }
+    if ($code) {
+        return $code;
+    }
+    
+    # Bad extensions
+    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
+
+    # Do not allow:
+    # - CLSIDs  {foobarbaz}
+    # - bad extensions (possibly with trailing dots) at end or
+    #   followed by non-alphanum
+    $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
+    return 1 if $VirusScannerMessages =~ /$re/i;
+    
+    return 0;
+}
+
 #***********************************************************************
 # %PROCEDURE: filter_begin
 # %ARGUMENTS:
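Review bot: `$bad_exts` and `$re` in zip_filter_bad_filename are assigned without `my`, so they become package globals and will fail under `use strict`; declare them as `my($bad_exts) = ...` and `my($re) = ...`. Also, `"zipinfo $path"` interpolates the path unquoted into the command string; even though MIMEDefang chooses the working-directory filename itself, quoting it (`"zipinfo '$path'"`) costs nothing. Consider `zipinfo -1 $path`, which prints only member names one per line: the default listing also emits the `Archive:` header and the summary line, so the extension regex is then matched against text that is not a member filename. Finally, a non-zero `$code` from zipinfo (e.g. a corrupt or truncated archive) is returned as "bad", which is fail-closed but will be reported to the sender as "not allowed file(s)" rather than as an unreadable archive.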
@@ -243,6 +283,12 @@
     if (filter_bad_filename($entity)) {
         md_graphdefang_log('bad_filename', $fname, $type);
 	return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
+    }
+
+    if (zip_filter_bad_filename($entity)) {
+        md_graphdefang_log('bad_filename', $fname, $type);
+        action_bounce("Access denied. Archive $fname with not allowed file(s).", "554", "5.7.1");
+        return action_discard();
     }
 
     # eml is bad if it's not multipart
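Review bot: calling action_bounce here sends a 5.7.1 rejection to the envelope sender, which for Mydoom-style mail is forged, so the bounce becomes backscatter to an uninvolved third party; since action_discard is already returned, dropping the action_bounce (or quarantining as the filter_bad_filename branch above does) is the safer choice. The log event reuses the 'bad_filename' name, so graphdefang cannot distinguish plain bad attachments from bad ZIP contents; a distinct event such as 'bad_zip_filename' would keep the statistics separate. The bounce text "Archive $fname with not allowed file(s)" should read "Archive $fname contains disallowed file(s)".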


