[Mimedefang] Password protected Bagle.F
Graham Dunn
gdunn at inscriber.com
Fri Mar 5 11:44:39 EST 2004
Lucas Albers said:
>As near as I understand from the clamav list.
>Clam cannot detect encrypted viruses.
>I believe this is a flaw in clamav that cannot be easily remedied.
>This is "To the best of my knowledge."
>You have some options.
>Add in another virus scanner.
>Bounce password protected zips.
>Bounce zips.
>Bounce password protected zips with certain file types.
>The easiest thing to do, and what I am doing currently, is bounce zip
>files for a few days, while I figure out what to do on my internal mail
>server.
>http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html
>This is the first salvo in widespread adoption of password protected zip
>files imo.
>So consider zip-encrypted files a new file type extension.
>So I recommend to block:
>zip-encrypted zip files by default.
OK, maybe I'm mistaken, but I'm blocking quite a few password-protected
virus emails (Worm.Bagle.Gen-zippwd, Worm.Bagle.F-zippwd-3). Is there a
difference between "encrypted" and "password protected"? I'm using the
following clamav.conf:
# Logging and process bookkeeping
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
# Unix socket that MIMEDefang connects to; FixStaleSocket removes a
# leftover socket file from an unclean shutdown
LocalSocket /var/spool/MIMEDefang/clamd.sock
FixStaleSocket
# Write streamed data to disk before scanning it
StreamSaveToDisk
MaxDirectoryRecursion 15
# Run clamd as this unprivileged user
User mailnull
# Parse mail files so MIME attachments are extracted and scanned
ScanMail
# Unpack archives, within these limits
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
The *-zippwd viruses were not getting caught until I added the
"ScanMail" directive.
Graham
--
Graham Dunn, IT Manager
Inscriber Technology, 26 Peppler St, Waterloo, ON, CA N2J3C4
519 570 9111 x243
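For readers of this thread, an added example (not code from either post, ClamAV or MIMEDefang): a ZIP that is "password protected" in the Bagle sense carries PKWARE's traditional encryption, signalled per entry by bit 0 of the general-purpose flag in the local and central directory headers. The entry names, sizes and the flag itself stay in cleartext, which is what lets a gateway make a decision about an archive it cannot decrypt. The Python below builds constructed archives (no real encryption; the "encrypted" payload is dummy bytes with only the flag set), lists each entry's encryption state, and applies the two policies from the quoted list: bounce any password-protected zip, or bounce only those whose encrypted entries have executable extensions. The extension list, the policy names and the sample file names are assumptions of this example.

```python
"""Inspect a ZIP archive for PKWARE traditional encryption without the
password, and apply a simple mail-gateway policy to it.

Added example; not code from the original thread, ClamAV or MIMEDefang.
"""
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001               # general purpose flag bit 0 (APPNOTE.TXT)
LOCAL_FMT = "<4sHHHHHIIIHH"           # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"               # 22-byte end-of-central-directory record

# Assumed list for this example, not a ClamAV or MIMEDefang setting.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_zip(entries):
    """Build a stored (method 0) ZIP from [(name, data, encrypted)].
    No real encryption is applied: for 'encrypted' entries the data bytes
    are a constructed stand-in for ciphertext and only the flag bit is set,
    which is all the inspector below looks at."""
    body = b""
    central = b""
    for name, data, encrypted in entries:
        name_b = name.encode("ascii")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        body += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(name_b), 0) + name_b + data
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, 0, 0, 0,
                               crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def list_entries(zip_bytes):
    """Walk the central directory and return [(name, encrypted)].
    Raises ValueError for anything that is not a well-formed archive so a
    caller can fail closed instead of waving through an unparseable file."""
    eocd_at = zip_bytes.rfind(EOCD_SIG)
    if eocd_at < 0 or eocd_at + 22 > len(zip_bytes):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, cd_size, cd_off, _ = struct.unpack(
        EOCD_FMT, zip_bytes[eocd_at:eocd_at + 22])
    if cd_off + cd_size > eocd_at:
        raise ValueError("central directory extends past its end record")
    entries, pos = [], cd_off
    for _ in range(count):
        if pos + 46 > eocd_at or zip_bytes[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("truncated or bad central directory entry")
        fields = struct.unpack(CENTRAL_FMT, zip_bytes[pos:pos + 46])
        flags, nlen, xlen, clen = fields[3], fields[10], fields[11], fields[12]
        name = zip_bytes[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos += 46 + nlen + xlen + clen
    return entries


def verdict(zip_bytes, policy="risky"):
    """Gateway decision: 'any' rejects every archive with an encrypted entry,
    'risky' rejects only when an encrypted entry has an executable name.
    Returns (action, reason)."""
    try:
        entries = list_entries(zip_bytes)
    except ValueError as exc:
        return ("reject", f"malformed zip: {exc}")   # fail closed
    encrypted = [n for n, enc in entries if enc]
    if not encrypted:
        return ("accept", "no encrypted entries")
    if policy == "any":
        return ("reject", "encrypted entries: " + ", ".join(encrypted))
    risky = [n for n in encrypted if n.lower().endswith(RISKY_EXT)]
    if risky:
        return ("reject", "encrypted executable content: " + ", ".join(risky))
    return ("accept", "encrypted entries but no risky extensions")


# Constructed samples: a worm-style archive, an encrypted document, a plain one.
SAMPLE_WORM = build_zip([("photo.exe", b"\x00" * 12 + b"stand-in ciphertext", True)])
SAMPLE_DOCS = build_zip([("report.txt", b"quarterly numbers", True)])
SAMPLE_PLAIN = build_zip([("notes.txt", b"nothing to see", False)])

if __name__ == "__main__":
    for label, blob in (("worm-style", SAMPLE_WORM), ("docs", SAMPLE_DOCS),
                        ("plain", SAMPLE_PLAIN)):
        print(label, list_entries(blob), verdict(blob), verdict(blob, "any"))
```

The decision is made from metadata alone, so it works whether or not the scanner can open the payload; the trade-off between the two policies is exactly the one the quoted list lays out, and the parser rejects anything it cannot walk rather than treating it as clean.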