[Mimedefang] Zip --> Zip --> PIF
corliss at digitalmages.com
Fri Feb 18 19:11:06 EST 2005
On Fri, 18 Feb 2005, David Eisner wrote:
> I'm not suggesting the behavior of Mimedefang is wrong, I just want to
> make sure I understand what it's doing.
> The problem is that in general there is a delay between the time a virus
> outbreak occurs, and the time that virus scanners have updated DATs that
> detect it. That's one of the great things about Mimedefang -- it
> removes the potentially harmful attachment during this window.
> In our case, we're using McAfee Virusscan. Oddly, it still doesn't
> detect this worm.
Gotcha, you're worried less about the scanning bit than you are about the
dangerous/banned attachment bit. In that case, you have a valid concern.
Personally, I'll still leave that in the hands of the user. My greatest
concern with executable types is those exploits that can auto-execute due to
unsafe scripting in HTMLified clients. A zip file shouldn't be able to be
used as such a payload, so if people are opening files *within* archives from
strangers, they shouldn't be using computers. ;-)
If a recursive unarchiving happens within mimedefang in the future (and I
don't think this should be the default action) there should be a configurable
recursion limit to prevent DoS attacks.
Bolverk's Lair -- http://arthur.corlissfamily.org/
Digital Mages -- http://www.digitalmages.com/
"Live Free or Die, the Only Way to Live" -- NH State Motto
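
The recursion limit suggested in the message above, sketched as an added example; it is not part of the original post and is not MIMEDefang code. The extension list, the limits and all function names are assumptions made for illustration, and the nested archives are constructed in memory.

```python
import io
import zipfile

# Assumed policy values for this sketch; these are not MIMEDefang settings.
BANNED_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")
MAX_DEPTH = 3                 # archive layers the filter is willing to open
MAX_MEMBER_BYTES = 1 << 20    # bytes decompressed from any one nested archive

class LimitExceeded(Exception):
    """Raised when an archive would cost more to inspect than policy allows."""

def _walk(data, depth, prefix, hits):
    if depth > MAX_DEPTH:
        raise LimitExceeded("nested deeper than %d layers at %s" % (MAX_DEPTH, prefix))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if name.lower().endswith(BANNED_EXTS):
                hits.append(name)
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
                if head != b"PK\x03\x04":   # not a zip by content; leave it alone
                    continue
                inner = head + fh.read(MAX_MEMBER_BYTES)  # bounded decompression
            if len(inner) > MAX_MEMBER_BYTES:
                raise LimitExceeded("nested archive too large: " + name)
            _walk(inner, depth + 1, name + " -> ", hits)

def scan_attachment(data):
    """Return (verdict, details); verdict is 'clean', 'banned' or 'reject'."""
    hits = []
    try:
        _walk(data, 1, "", hits)
    except LimitExceeded as exc:
        return "reject", [str(exc)]
    except (zipfile.BadZipFile, RuntimeError):  # RuntimeError: encrypted member
        return "reject", ["unreadable or encrypted archive"]
    return ("banned", hits) if hits else ("clean", [])

def nest(inner_name, payload, layers):
    """Constructed sample input: wrap payload in `layers` zip layers."""
    name, data = inner_name, payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = "layer%d.zip" % i, buf.getvalue()
    return data
```

Hitting a limit is reported as its own verdict rather than as clean, so an archive nested past the limit cannot slip through simply by being expensive to inspect.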