[Mimedefang] survey: dropping password protected file

Paul Whittney pwhittney at net.bacconsulting.com
Wed Mar 3 09:58:55 EST 2004


I don't have a solution, but I've some items in testing.

I'm also looking at File::Scan, trying to give it signatures 
of zip files (not the uncompressed ones), but I'm not sure how well things
will work.

I did, however, get one of the .zip files for the netsky virus (forgot
which one, sorry), and I'm testing that at the filter level (script at bottom).
Not sure if it works, or if it's a waste of processing.

The removal of .pif and .scr is working great, though; I have 1300 of them
stopped in the last 2 months ;-)

The issue comes down to: am I prepared to dictate what is right and wrong for
my users to get? The bad_filename check is good, but I can't just stop all
zip files. The best I can do is use up-to-date virus solutions on the local
PCs, and educate the users to check, and check again, all attachments, and
if they are unsure, _ask_. I can't protect them from themselves.


# virus checking code (Experimental)
#
# Assumed context: this block sits inside filter($entity, $fname, $ext, $type)
# in mimedefang-filter. $Subject is MIMEDefang's global; $path (the decoded
# part's path) is not set here and must come from the surrounding filter.
if (lc($ext) =~ /zip/) {
	md_graphdefang_log('ziptest', $path);
	# body() returns the transport-encoded (base64) lines, so the patterns
	# below match the base64 text of the ZIP local file header, not raw bytes.
	my $lines = $entity->body();
	my $found = 0;
	my $name = "Clean";
	if (scalar( @$lines )) {
		# It has lines....
		my $line = $lines->[0];
		if ( ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) ||
			 ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) ) {
			$found = 1;
			$name = "Novarg";
		} elsif (
			 ($line =~ m/^UEsDBAoAAAAAA.{6}iZMYWCWMAAAljAA/) ) {
			$found = 1;
			$name = "Netsky";
		}
	}

	md_graphdefang_log('ziptest', "End found = $found, name = $name");
	if ($found) {
		md_graphdefang_log('virus', "Found Virus: $name");
		action_change_header('Subject', '[VIRUS?] ' . $Subject);
		action_delete_all_headers('X-Virus-Status');
		action_add_header('X-Virus-Status', "Yes, name=$name");
		action_drop_with_warning(
			"Dropped $fname ($type) containing virus $name."
		);
		action_quarantine($entity,
			"A known virus signature was detected, and removed\n"
		);
		return;
	}
}

On Wed, Mar 03, 2004 at 03:08:04PM +0100, Marco Berizzi wrote:
> Hello.
> 
> I would like hearing feedback about
> dropping password protected zipped file.
> 
> Could it be a good solution to stop bagle & netsky?
> 
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
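An added example, not from the post above or from MIMEDefang, that goes one step past the base64 pattern match: it decodes the first body line and reads the ZIP local file header fields directly, which also answers Marco's question, since a password-protected entry is flagged by bit 0 of the general purpose bit flag. The sample archives are constructed in memory (`make_sample` is a hypothetical helper), not real worm attachments.

```python
import base64
import binascii
import io
import struct
import zipfile

# Layout of the ZIP local file header (PKZIP APPNOTE): bytes 0-3 are the
# signature "PK\x03\x04", bytes 6-7 the general purpose bit flag (bit 0 set
# means the entry is password protected), bytes 8-9 the compression method.
LOCAL_HEADER_MAGIC = b"PK\x03\x04"


def zip_header_info(first_body_line):
    """Decode the first base64 line of an attachment body and inspect the
    ZIP local file header. Returns a dict, or None if it is not a ZIP."""
    line = first_body_line.strip()
    line = line[: len(line) // 4 * 4]  # drop a partial base64 quantum
    try:
        raw = base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 10 or not raw.startswith(LOCAL_HEADER_MAGIC):
        return None
    flags, method = struct.unpack_from("<HH", raw, 6)
    return {
        "encrypted": bool(flags & 0x0001),  # traditional PKZIP encryption
        "method": method,                   # 0 = stored, 8 = deflated
    }


def make_sample(encrypted):
    """Constructed sample, not real malware: build a tiny stored ZIP in
    memory and return its first 76-character base64 line, as a MIME body
    would carry it. For the encrypted variant only header flag bit 0 is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "harmless sample payload\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
    return base64.b64encode(bytes(data)).decode("ascii")[:76]


if __name__ == "__main__":
    for flag in (False, True):
        print(zip_header_info(make_sample(flag)))
```

Because the first 13 base64 characters encode the version and flag fields, a different archiver (version 20 instead of 10) changes that prefix and defeats a text match, while the decoded header fields stay the same.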


