[Mimedefang] survey: dropping password protected file

Paul Murphy pmurphy at ionixpharma.com
Wed Mar 3 09:46:04 EST 2004


> I would like hearing feedback about
> dropping password protected zipped file.

Don't do it - some companies distribute software and/or updates in this manner,
while it is also common for commercially-sensitive information to be sent in
password protected Zip files rather than in plain text.  ZIP files are used when
the underlying application is incapable of decent encryption, such as older
versions of Office, MS Project, etc.

Dropping them will lose you information which is guaranteed to be important.

Instead, scan the archive for the list of files, drop it if one or more of them
have disallowed extensions, and either release or quarantine it if it seems OK.
You don't need the password to view the file list - only to view file contents.

I use modified code gleaned from the mailing list (thanks to Michal Jankowski)
and updated with a better extension list (a la the Bad_Filename check, which
catches ClassIDs as well) and more debugging:  (watch for line-wrapping!)

#------------------------------------------------------------------------------
# Check for banned files in ZIP files - may add considerable processing time
# Requires Archive::Zip to be up to date - base Debian version is ancient and
# does not have the tempFileName utility
#
# This goes inside filter() in mimedefang-filter; $entity, $ext and $RelayAddr
# are the usual MIMEDefang filter variables.
#
    use Archive::Zip qw(:ERROR_CODES);   # for AZ_OK
    use File::Scan;

    if (lc($ext) =~ /\.zip$/) {
        my $path = $entity->bodyhandle->path;
        my $zip = Archive::Zip->new();
        if ($zip->read($path) == AZ_OK) {
            md_syslog('debug', "Scanning zip file, Path=$path");
            my $tfname = Archive::Zip::tempFileName('.');
            my @members = $zip->members();
            foreach my $member (@members) {
                # Names, sizes and the encryption flag come from the central
                # directory, so they are readable without the password.
                my $file = $member->fileName();
                my $size = $member->uncompressedSize();
                md_syslog('debug', "Scanning zip entry $file, size=$size");
                # approx 50MB size limit!
                if ($size > 50e6) {
                    md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
                    action_discard();
                    return;
                }

                if ($member->isEncrypted()) {
                    # Cannot extract or scan the contents, so judge by name only
                    md_syslog('debug', "scanning Encrypted ZIP member $file");
                    my ($bad_exts, $re);
                    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|zip|\{[^\}]+\})';
                    # matches ".ext" at end of name or followed by a non-name character
                    # (the {...} alternative catches ClassID pseudo-extensions)
                    $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                    if (lc($file) =~ $re) {
                        md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
                        action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.");
                        action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nIT Support to arrange for it to be released.\n");
                        action_discard();
                        return;
                    }
                    md_syslog('warning', "Encrypted file $file");
                } else {
                    # Unencrypted member: extract to a temp file and virus-scan it
                    $zip->extractMember($member, $tfname);
                    md_syslog('debug', "Scanning ZIP entry $file");
                    my $scanner = File::Scan->new;
                    my $virus = $scanner->scan($tfname);
                    unlink($tfname);
                    if ($virus) {
                        md_graphdefang_log('virus', $virus, $RelayAddr);
                        action_discard();
                        return;
                    }
                }
            }
        }
    }
#------------------------------------------------------------------------------

Tested using EICAR virus test in Zip file, and banned file in encrypted Zip
file, and works OK.

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
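The same approach (inspect the central directory, which is never encrypted, and apply the banned-extension check to password-protected members) as an added, stand-alone example in Python rather than MIMEDefang's Perl; this is not code from the post. Since Python's zipfile cannot write encrypted archives, the constructed test archive gets its "encrypted" flag bit set by hand.

```python
import io
import re
import zipfile

# Same banned-extension list as the MIMEDefang snippet, including the
# "{CLSID}" pseudo-extension that hides a file's real type.
BAD_EXTS = (
    r"(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|"
    r"hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|"
    r"reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|"
    r"zip|\{[^}]+\})"
)
BAD_NAME_RE = re.compile(r"\." + BAD_EXTS + r"\.*([^-A-Za-z0-9_.,]|$)")
SIZE_LIMIT = 50_000_000  # same ~50 MB per-member ceiling as the snippet


def classify_zip(data: bytes) -> tuple:
    """Return (verdict, detail) for a ZIP held in memory.

    Only the central directory is read, so member names, sizes and the
    'encrypted' flag are available without any password.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > SIZE_LIMIT:
                return "discard", f"member too big: {info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if encrypted and BAD_NAME_RE.search(info.filename.lower()):
                return "quarantine", f"encrypted bad file: {info.filename}"
            # An unencrypted member would be extracted and virus-scanned here,
            # as the Perl snippet does; content scanning is out of scope.
    return "ok", ""


def make_zip(name: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Build a constructed test archive. For mark_encrypted, set bit 0 of the
    general-purpose flags in every local header (flags at +6 from the
    signature) and central directory entry (flags at +8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)
```

Listing the members of the flagged archive succeeds, while any attempt to read their contents would fail for want of a password, which is exactly the property the post relies on.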
 
