[Mimedefang] My solution to F-prot and encrypted zip files
James Ebright
jebright at esisnet.com
Thu Mar 11 13:07:33 EST 2004
This is gleaned from source I have seen here and elsewhere on the net. I do
not scan inside zips twice, so no File::Scan is needed for this to work.
Basically f-prot has no problem scanning inside un-passworded zips.
If anyone has a better solution (I notice the new f-prot engine scores their
password protected zips as 8, ok, ok when combined with mimedefang) and they are
tagged as "Suspicious" when run from the command line, but it seems the category
is still "ok", so even running "paranoid" it is not caught by mimedefang, and I
was tired of complaints I received from stripping ALL zip files.. so:
#-----------------------------------------------------------------------------
# Check for banned files in ZIP files - may add considerable processing time
# Requires Archive::Zip to be up to date.  Near the top of mimedefang-filter
# you also need the error-code constants so that AZ_OK is defined:
#
#   use Archive::Zip qw(:ERROR_CODES);
#
# Empty error handler: stops Archive::Zip writing to STDERR when it hits a
# broken archive; the AZ_OK test below deals with the failure instead.
sub aziperror {};

sub filter_bad_zipfile ($) {
    my($entity) = @_;
    my $path = $entity->bodyhandle->path;
    my $zip = Archive::Zip->new();
    Archive::Zip::setErrorHandler(\&aziperror);
    if ($zip->read($path) == AZ_OK) {
        md_syslog('debug', "Scanning zip file, Path=$path");
        my @members = $zip->members();
        foreach my $member (@members) {
            my $file = $member->fileName();
            my $size = $member->uncompressedSize();
            md_syslog('debug', "Scanning zip entry $file, size=$size");
            # approx 50MB size limit!
            if ($size > 50e6) {
                md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
                action_discard();
                return;
            }
            if ($member->isEncrypted()) {
                md_syslog('debug', "scanning Encrypted ZIP member $file");
                my($bad_exts, $re);
                # Bad extensions (same list mimedefang uses in filter_bad_filename)
                $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
                $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                if (lc($file) =~ $re) {
                    md_graphdefang_log('bad_file', "$file found in encrypted ZIP file", $RelayAddr);
                    action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.\n");
                    action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\n$AdminAddress to arrange for it to be released.\n");
                    action_discard();
                    return;
                }
                md_syslog('warning', "Encrypted file $file");
            }
        }
    } else {
        # do something with broken .zip files (eg. discard)
        action_quarantine_entire_message("broken zip");
        md_graphdefang_log('bad_file', 'broken zip', $RelayAddr);
        action_discard();
    }
}
#-----------------------------------------------------------------------------
and call it right below filter_bad_filename in filter and filter_end (or from
filter_bad_filename if you are still using this sub) like so:

    if (lc($ext) =~ /\.zip$/) {
        &filter_bad_zipfile($entity);
    }
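As an added, stand-alone re-check of the same policy (my own Python, not code from the post or from mimedefang): the three decisions above, member size cap, banned extension on an encrypted member, and unreadable archive, run against a constructed zip. Python's zipfile cannot write password-protected entries, so the fixture sets the "encrypted" general-purpose bit in the headers by hand; that bit is all the check (like isEncrypted()) ever looks at, and nothing is extracted.

```python
import io
import re
import struct
import zipfile

# Same banned-extension list and pattern as the mimedefang filter above.
BAD_EXTS = (r'(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|'
            r'hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|'
            r'scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^}]+\})')
BAD_RE = re.compile(r'\.' + BAD_EXTS + r'\.*([^-A-Za-z0-9_.,]|$)')

def check_zip(data: bytes, size_limit: int = 50_000_000):
    """Apply the post's policy to one ZIP attachment; returns (verdict, reason).
    Only member names, sizes and the 'encrypted' flag are read: no extraction,
    no password, which is what keeps this cheap."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ('quarantine', 'broken zip')   # same as the Perl else-branch
    for info in infos:
        if info.file_size > size_limit:
            return ('discard', f'archive member too big: {info.filename}')
        if info.flag_bits & 0x1 and BAD_RE.search(info.filename.lower()):
            return ('quarantine', f'{info.filename} found in encrypted ZIP file')
    return ('ok', '')

def mark_encrypted(data: bytes, names) -> bytes:
    """Fixture helper: set general-purpose bit 0 ('encrypted') on the named
    members in both the central directory and the local file header."""
    buf = bytearray(data)
    pos = buf.find(b'PK\x01\x02')                # central directory entries
    while pos != -1:
        fnlen = struct.unpack_from('<H', buf, pos + 28)[0]
        name = bytes(buf[pos + 46:pos + 46 + fnlen]).decode()
        if name in names:
            local = struct.unpack_from('<I', buf, pos + 42)[0]   # local header offset
            for off in (pos + 8, local + 6):                     # flag fields
                struct.pack_into('<H', buf, off, struct.unpack_from('<H', buf, off)[0] | 0x1)
        pos = buf.find(b'PK\x01\x02', pos + 46)
    return bytes(buf)

def build_fixture(encrypted: bool) -> bytes:
    """Constructed sample: a text file plus a double-extension .exe member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('readme.txt', 'just text')
        zf.writestr('invoice.pdf.exe', 'not a real program')
    data = buf.getvalue()
    return mark_encrypted(data, {'invoice.pdf.exe'}) if encrypted else data
```

With the flag cleared the same .exe member passes this check, which matches the post's intent: plain zips are left to f-prot, only encrypted ones get the name-based rule.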
James Ebright
ESISNET, LLC
www.esisnet.com