[Mimedefang] survey: dropping password protected file

Adam Brons abrons at odu.edu
Wed Mar 3 11:41:06 EST 2004


On Wed, Mar 03, 2004 at 09:55:16AM -0600, -ray wrote:
> > This is close to what I'm doing - rejecting encrypted .exe files etc.
> > Also, running File::Scan on archive members. See my previous mail on
> > this subject:
> > 
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020560.html
> 
> I implemented this code (thanks!) but it seems File::Scan is not catching
> some variants of Beagle/Bagle that Clamd is catching.  I wrote some code
> to use clamd, basically replicating entity_contains_virus_clamd (called
> zip_contains_virus_clamd) making changes as needed.
> 
> This added a good bit of code to mimedefang-filter.  Is there a better way 
> to do this, can you just use message_ or entity_ functions?  If anyone 
> wants the code, I can send it to the list.  I just can't get VirusName
> to work for some reason.
> 

I had a question similar to Ray's.  Assuming that in the filter
subroutine I'm scanning for viruses using clamd before I place the
snippet of code to read the contents of a zip file in, could I just
return if the .zip file fails the isEncrypted() check?


snippet of code:

sub filter ($$$$) {
    # Standard MIMEDefang filter arguments (omitted from the original snippet)
    my($entity, $fname, $ext, $type) = @_;

    if ($FoundVirus) {
      my($code, $category, $action);
      $VirusScannerMessages = "";
      ($code, $category, $action) = entity_contains_virus_clamd($entity);
      if ($category eq "virus") {
          md_graphdefang_log('virus',$VirusName, $RelayAddr);

          # Bounce the mail!
          action_bounce("Virus $VirusName found in mail - rejected");
          return;
      }
      if ($action eq "tempfail") {
          action_tempfail("Problem running virus-scanner");
          md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
      }
    }

    if (lc($ext) =~ /\.zip$/) {
      use Archive::Zip qw(:ERROR_CODES);
      my $path = $entity->bodyhandle->path;
      my $zip = Archive::Zip->new();
      if ($zip->read($path) == AZ_OK) {
        md_syslog('debug', "Scanning zip file, Path=$path");
        my $tfname = Archive::Zip::tempFileName('.');
        my @members = $zip->members();
        foreach my $member (@members) {
          my $file = $member->fileName();
          my $size = $member->uncompressedSize();
          # If the size is larger than 10MB bail out -- this is the current
          # size limit for accepting mail
          if ($size > 10485760) {
            md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
            # Sendmail will bounce the message before we get here...
            #action_bounce("Archive member $file too big");
            return;
          }
          if ($member->isEncrypted()) {
            md_syslog('debug', "scanning Encrypted ZIP member $file");
            my ($bad_exts, $re);
            $bad_exts = '(exe|pif|scr|zip|\{[^\}]+\})';
            # Extension at the end of the name, or followed by a character
            # that cannot be part of a normal file name (e.g. padding spaces)
            $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
            if (lc($file) =~ $re) {
              md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
              action_drop_with_warning("SOME MESSAGE");
              return;
            }
            md_syslog('warning', "Encrypted file $file");
          } else {
            # Not encrypted: stop here (remaining members are not examined)
            unlink($tfname);
            return;
          }
        }
      }
    }
  }
-- 
Adam Brons           Data Security Administrator
tel: 757.683.4855    Office of Computing and Communications Services
fax: 757.683.5155    Old Dominion University - Norfolk, Virginia. USA

DSA ID F1B1F49B: 72F0 E0FC 08BF A1FE 5677  C48F 4D83 C8B2 F1B1 F49B
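As an added example (not code from the post above or from MIMEDefang itself), the following stand-alone Perl script shows the member-inspection logic from the snippet in isolation: it reads a zip's central directory with Archive::Zip without extracting anything, applies the same size limit and extension regex, and classifies each member. The helper names classify_member and inspect_zip, the sample file names and the CLSID-style placeholder are constructed for this example; the Archive::Zip calls (read, members, fileName, uncompressedSize, isEncrypted) are the same ones the snippet uses.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: list a zip's members
# without extracting them and flag encrypted members whose names match a
# dangerous-extension pattern. Helper names (classify_member, inspect_zip)
# and the sample file names are constructed for this example.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);

# Extension list from the post; it must be interpolated under the same
# variable name it was assigned to.
my $bad_exts = '(exe|pif|scr|zip|\{[^\}]+\})';

# ".exe" (etc.) at the end of the name, or followed by a non-filename
# character, so "doc.exe   " with padding spaces is caught but
# "setup.exe.txt" is not.
my $bad_re = qr/\.$bad_exts\.*([^-A-Za-z0-9_.,]|$)/i;

my $MAX_MEMBER = 10 * 1024 * 1024;    # 10MB uncompressed limit, as in the post

# Decide what to do with one member from its name, uncompressed size and
# encryption flag. Returns a short verdict string.
sub classify_member {
    my ($name, $size, $encrypted) = @_;
    return 'too_big'           if $size > $MAX_MEMBER;
    return 'encrypted_badfile' if $encrypted && $name =~ $bad_re;
    return 'encrypted'         if $encrypted;    # cannot be scanned; log it
    return 'scan';                               # plain member: pass to clamd
}

# Read the central directory of a real archive and classify every member.
# Returns a list of [name, verdict] pairs, or an empty list if unreadable.
sub inspect_zip {
    my ($path) = @_;
    my $zip = Archive::Zip->new();
    if ($zip->read($path) != AZ_OK) {
        warn "cannot read zip archive $path\n";
        return ();
    }
    return map {
        [ $_->fileName(),
          classify_member($_->fileName(), $_->uncompressedSize(), $_->isEncrypted()) ]
    } $zip->members();
}

# Constructed samples: [name, uncompressed size, encrypted?]
my @samples = (
    [ 'invoice.exe',   100, 1 ],    # encrypted_badfile
    [ 'photo.jpg',     100, 1 ],    # encrypted
    [ 'setup.exe.txt', 100, 1 ],    # encrypted (".exe" is not the final extension)
    [ 'doc.exe   ',    100, 1 ],    # encrypted_badfile (padded name)
    [ 'folder.{00000000-0000-0000-0000-000000000000}', 100, 1 ],  # encrypted_badfile (CLSID-style placeholder)
    [ 'big.exe',       20 * 1024 * 1024, 0 ],    # too_big
    [ 'notes.txt',     100, 0 ],    # scan
);
for my $s (@samples) {
    printf "%-50s %s\n", $s->[0], classify_member(@$s);
}

# Optionally inspect a real archive given on the command line.
if (@ARGV) {
    for my $pair (inspect_zip($ARGV[0])) {
        printf "%-50s %s\n", @$pair;
    }
}
```

Running it with no arguments prints the verdict for each constructed name; passing a zip path prints one line per real member. The classification is kept in its own function so the same decision can be exercised on made-up names without building test archives, and so a filter can log every member before deciding to return, rather than stopping at the first unencrypted one.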