[Mimedefang] survey: dropping password protected file
Adam Brons
abrons at odu.edu
Wed Mar 3 11:41:06 EST 2004
On Wed, Mar 03, 2004 at 09:55:16AM -0600, -ray wrote:
> > This is close to what I'm doing - rejecting encrypted .exe files etc.
> > Also, running File::Scan on archive members. See my previous mail on
> > this subject:
> >
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020560.html
>
> I implemented this code (thanks!) but it seems File::Scan is not catching
> some variants of Beagle/Bagle that Clamd is catching. I wrote some code
> to use clamd, basically replicating entity_contains_virus_clamd (called
> zip_contains_virus_clamd) making changes as needed.
>
> This added a good bit of code to mimedefang-filter. Is there a better way
> to do this, can you just use message_ or entity_ functions? If anyone
> wants the code, i can send it to the list. I just can't get VirusName
> to work for some reason.
>
I had a question similar to Ray's. Assuming that in the filter
subroutine I'm scanning for viruses using clamd before I place the
snippet of code to read the contents of a zip file in, could I just
return if the .zip file fails the isEncrypted() check?
snippet of code:
sub filter ($$$$) {
    my($entity, $fname, $ext, $type) = @_;

    # Re-scan this entity with clamd only if the message-level scan found a virus
    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        ($code, $category, $action) = entity_contains_virus_clamd($entity);
        if ($category eq "virus") {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");
            return;
        }
        if ($action eq "tempfail") {
            action_tempfail("Problem running virus-scanner");
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
        }
    }

    if (lc($ext) =~ /\.zip$/) {
        use Archive::Zip qw(:ERROR_CODES);
        my $path = $entity->bodyhandle->path;
        my $zip = Archive::Zip->new();
        if ($zip->read($path) == AZ_OK) {
            md_syslog('debug', "Scanning zip file, Path=$path");
            # Temp file left over from the File::Scan version; it is only
            # created and removed here, never written to
            my $tfname = Archive::Zip::tempFileName('.');
            my @members = $zip->members();
            foreach my $member (@members) {
                my $file = $member->fileName();
                my $size = $member->uncompressedSize();
                # If the size is larger than 10MB bail out -- current
                # size limit to accept mail
                if ($size > 10485760) {
                    md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
                    # Sendmail will bounce the message before we get here...
                    #action_bounce("Archive member $file too big");
                    return;
                }
                if ($member->isEncrypted()) {
                    md_syslog('debug', "scanning Encrypted ZIP member $file");
                    # Same style of name pattern as filter_bad_filename() in the stock filter
                    my ($bad_exts, $re);
                    $bad_exts = '(exe|pif|scr|zip|\{[^\}]+\})';
                    $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                    if (lc($file) =~ $re) {
                        md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
                        action_drop_with_warning("SOME MESSAGE");
                        return;
                    }
                    md_syslog('warning', "Encrypted file $file");
                } else {
                    # Unencrypted member: clamd already scanned it above, so stop
                    # here (note that this also leaves any later members unchecked)
                    unlink($tfname);
                    return;
                }
            }
        }
    }
}
--
Adam Brons, Data Security Administrator
Office of Computing and Communications Services
Old Dominion University - Norfolk, Virginia, USA
tel: 757.683.4855  fax: 757.683.5155
DSA ID F1B1F49B: 72F0 E0FC 08BF A1FE 5677 C48F 4D83 C8B2 F1B1 F49B
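The same check the filter snippet performs (flag password-protected members whose names match the bad-extension pattern, bail out on oversized members) as a standalone Python re-implementation for testing outside MIMEDefang; this is an added example, not code from the thread or from MIMEDefang. Because Python's zipfile cannot write password-protected archives, the sample archive is constructed by setting the encryption flag bit on an ordinary zip.

```python
import io
import re
import zipfile

# Same extension list and name pattern as the filter's $bad_exts / $re
BAD_EXTS = r'(exe|pif|scr|zip|\{[^\}]+\})'
BAD_NAME_RE = re.compile(r'\.' + BAD_EXTS + r'\.*([^-A-Za-z0-9_.,]|$)', re.I)
MAX_MEMBER_SIZE = 10485760        # the filter's 10MB bail-out
ENCRYPTED_FLAG = 0x0001           # bit 0 of the general-purpose flags

def classify_zip(data):
    """Return (member name, verdict) pairs: 'too_big', 'encrypted_badfile',
    'encrypted' or 'plain', mirroring the branches of the filter snippet."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                verdicts.append((info.filename, 'too_big'))
            elif info.flag_bits & ENCRYPTED_FLAG:
                if BAD_NAME_RE.search(info.filename):
                    verdicts.append((info.filename, 'encrypted_badfile'))
                else:
                    verdicts.append((info.filename, 'encrypted'))
            else:
                verdicts.append((info.filename, 'plain'))
    return verdicts

def mark_encrypted(data):
    """Constructed-sample helper: set the encryption flag bit in every local
    (offset 6) and central-directory (offset 8) header so members report as
    password-protected. Data stays unencrypted; payloads contain no 'PK'."""
    buf = bytearray(data)
    for sig, off in ((b'PK\x03\x04', 6), (b'PK\x01\x02', 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= ENCRYPTED_FLAG
            pos = buf.find(sig, pos + 1)
    return bytes(buf)

def build_sample(protected=True):
    """Constructed sample archive with an .exe and a .txt member."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, 'w') as zf:
        zf.writestr('invoice.exe', b'MZ not really a program')
        zf.writestr('readme.txt', b'just some text')
    return mark_encrypted(out.getvalue()) if protected else out.getvalue()
```

Running `classify_zip(build_sample())` reports the .exe member as `encrypted_badfile` and the .txt member as merely `encrypted`; the same archive without the flag yields `plain` for both.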