[Mimedefang] My solution to F-prot and encrypted zip files

James Ebright jebright at esisnet.com
Thu Mar 11 13:07:33 EST 2004


This is gleaned from source I have seen here and elsewhere on the net. I do 
not scan inside zips twice, so no File::Scan is needed for this to work. 
Basically, f-prot has no problem scanning inside un-passworded zips.

If anyone has a better solution... (I notice the new f-prot engine scores these 
password-protected zips as 8, ok, ok when combined with mimedefang, and they are 
tagged as "Suspicious" when run from the command line, but it seems the category 
is still "ok", so even running "paranoid" it is not caught by mimedefang.) I 
was tired of the complaints I received from stripping ALL zip files, so:

#-----------------------------------------------------------------------------
# Check for banned files in ZIP files - may add considerable processing time
# Requires Archive::Zip to be up to date (AZ_OK comes from its :ERROR_CODES tag).
#
use Archive::Zip qw( :ERROR_CODES );

# Silence Archive::Zip's own error output; a broken zip is handled below.
sub aziperror {};

sub filter_bad_zipfile ($) {
    my($entity) = @_;
    my $path = $entity->bodyhandle->path;
    my $zip = Archive::Zip->new();
    Archive::Zip::setErrorHandler(\&aziperror);
    if ($zip->read($path) == AZ_OK) {
        md_syslog('debug', "Scanning zip file, Path=$path");
        my @members = $zip->members();
        foreach my $member (@members) {
            my $file = $member->fileName();
            my $size = $member->uncompressedSize();
            md_syslog('debug', "Scanning zip entry $file, size=$size");
            # approx 50Mb size limit! (size as claimed by the zip header)
            if ($size > 50e6) {
                md_graphdefang_log('Archive member too big', $file, $RelayAddr);
                action_discard();
                return;
            }
            if ($member->isEncrypted()) {
                md_syslog('debug', "scanning Encrypted ZIP member $file");
                my($bad_exts, $re);
                # Bad extensions (same list and anchoring as filter_bad_filename)
                $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|'
                          . 'inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|'
                          . 'sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
                $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                if (lc($file) =~ $re) {
                    md_graphdefang_log('bad_file', "$file found in encrypted ZIP file", $RelayAddr);
                    action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.\n");
                    action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\n$AdminAddress to arrange for it to be released.\n");
                    action_discard();
                    return;
                }
                md_syslog('warning', "Encrypted file $file");
            }
        }
    } else {
        # do something with broken .zip files (eg. discard)
        action_quarantine_entire_message("broken zip");
        md_graphdefang_log('bad_file', 'broken zip', $RelayAddr);
        action_discard();
    }
}
#-----------------------------------------------------------------------------


and call it right below filter_bad_filename in filter and filter_end (or from 
filter_bad_filename, if you are still using that sub), like so:

    if (lc($ext) =~ /\.zip$/) {
        &filter_bad_zipfile($entity);
    }


James Ebright
ESISNET, LLC
www.esisnet.com

--
EsisNet.com Webmail Client
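The same header-only inspection, as an added stand-alone example that is not part of the post above and not MIMEDefang or Archive::Zip code: Python's zipfile module reads the central directory, and the checks mirror the filter's order (member size as claimed by the header, then the encrypted flag, then the banned-extension rule on encrypted members only; an unreadable archive is reported as broken). The function names inspect_zip, is_bad_name and build_sample_zip are this example's own. The sample archives are constructed inline; since zipfile cannot write password-protected entries, the "encrypted" general-purpose flag bit is patched onto chosen members after writing, which is indistinguishable from a real encrypted member at the header level this check operates on.

```python
"""Header-only inspection of a ZIP attachment: oversized members, encrypted
members, and encrypted members with a banned extension. No AV engine involved."""
import io
import re
import struct
import zipfile

# Same ~50 MB uncompressedSize limit as the filter in the post.
MAX_MEMBER_BYTES = 50_000_000

# The post's banned-extension list joined back onto one line, with the same
# anchoring: ".ext", optional trailing dots, then end of name or a separator.
BAD_EXTS = (
    r"(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|"
    r"inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|"
    r"sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^}]+\})"
)
BAD_NAME_RE = re.compile(r"\." + BAD_EXTS + r"\.*([^-A-Za-z0-9_.,]|$)")


def is_bad_name(name):
    """True if the lower-cased member name matches the banned-extension rule."""
    return BAD_NAME_RE.search(name.lower()) is not None


def inspect_zip(data, max_member_bytes=MAX_MEMBER_BYTES):
    """Return (verdict, detail, encrypted_names) for a ZIP given as bytes.

    verdict is 'ok', 'too_big', 'bad_encrypted' or 'broken', checked in the
    same order as the filter. Only central-directory headers are read;
    nothing is decrypted or decompressed."""
    encrypted = []
    try:
        infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except (zipfile.BadZipFile, EOFError, struct.error) as exc:
        # Missing, truncated or corrupt central directory: the filter's "broken zip".
        return ("broken", str(exc), encrypted)
    for zi in infos:
        # file_size is what the header claims, like Archive::Zip's uncompressedSize().
        if zi.file_size > max_member_bytes:
            return ("too_big", zi.filename, encrypted)
        if zi.flag_bits & 0x1:  # general-purpose flag bit 0: member is encrypted
            encrypted.append(zi.filename)
            if is_bad_name(zi.filename):
                return ("bad_encrypted", zi.filename, encrypted)
    return ("ok", None, encrypted)


def _set_encrypted_bit(data, name):
    """Set flag bit 0 on one member in both its central-directory entry (flags
    at +8, name length at +28, local header offset at +42, name at +46) and its
    local header (flags at +6). Sample-construction helper only."""
    target = name.encode()
    pos = 0
    while (pos := data.find(b"PK\x01\x02", pos)) >= 0:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        if data[pos + 46:pos + 46 + name_len] == target:
            for off in (pos + 8, local_off + 6):
                flags = struct.unpack_from("<H", data, off)[0]
                struct.pack_into("<H", data, off, flags | 0x1)
            return
        pos += 4
    raise KeyError(name)


def build_sample_zip(members, encrypted=()):
    """Constructed sample input: write the archive in the clear, then mark the
    named members as encrypted by patching their flag bits (zipfile cannot
    write password-protected entries itself)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    for name in encrypted:
        _set_encrypted_bit(data, name)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "clean": build_sample_zip([("report.pdf", b"%PDF-1.4 constructed"), ("notes.txt", b"hi")]),
        "hostile": build_sample_zip([("invoice.pdf", b"constructed"), ("invoice.exe", b"MZ constructed")],
                                    encrypted=("invoice.pdf", "invoice.exe")),
        "benign_encrypted": build_sample_zip([("payroll.xls", b"constructed")], encrypted=("payroll.xls",)),
        "broken": b"PK\x03\x04junk",  # constructed: local header signature, no central directory
    }
    for label, blob in samples.items():
        print(label, inspect_zip(blob))
```

Note that, like the filter, this names only encrypted members against the list; an unencrypted member is left for the scanner, and a banned name followed by another extension ("setup.exe.txt") does not match because the rule requires the banned extension to end the name or be followed by a separator.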