[Mimedefang] clamav

Kelson kelson at speed.net
Fri Jun 10 18:34:12 EDT 2005


-ray wrote:
> Notice lots and lots of spaces in the filename to fool users into 
> thinking it's a .txt file.  Has anyone coded a MD rule to check for more 
> than say 10 consecutive spaces in a filename in a zip file?  Should be 
> pretty simple, just haven't had time to look at it yet...

I had a couple slip through the other day.  They pretended to be JPEGs 
instead of text files, and by the time I checked them ClamAV recognized 
them as Trojan.Goldun.something.

In our case, MD caught it with bad_filename and Archive::Zip because it 
spotted the .exe at the end of the filename.

If you have Archive::Zip and a current version of MIMEDefang, the 
example filter should pick these up.  The relevant section is in 
filter_bad_filename.  Adding the space check is probably a matter of 
editing $re in that same function, or doing a second call to re_match 
and/or re_match_in_zip_directory.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
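
The check discussed above, as an added stand-alone example (not part of the original post and not MIMEDefang's own code): it lists zip member names with Archive::Zip and rejects any name containing more than 10 consecutive whitespace characters, alongside an extension check. The names check_name and scan_zip, the shortened extension list and the sample archive are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# Pattern strings in the style of a filter's $re.
my $pad_re   = '\s{11,}';                    # more than 10 whitespace chars in a row
my $bad_exts = '(bat|cmd|com|exe|pif|scr)';  # shortened stand-in list (assumption)
my $ext_re   = '\.' . $bad_exts . '\.*$';    # bad extension, optional trailing dots

# Return the list of reasons a member name is rejected (empty list = clean).
sub check_name {
    my ($name) = @_;
    my @why;
    push @why, 'whitespace padding' if $name =~ /$pad_re/;
    push @why, 'bad extension'      if $name =~ /$ext_re/i;
    return @why;
}

# Read the zip directory only (nothing is extracted) and map each
# rejected member name to its reasons. Returns undef if unreadable.
sub scan_zip {
    my ($path) = @_;
    my $zip = Archive::Zip->new();
    return undef unless $zip->read($path) == AZ_OK;
    my %hits;
    for my $name ($zip->memberNames()) {
        my @why = check_name($name);
        $hits{$name} = \@why if @why;
    }
    return \%hits;
}

# Constructed sample archive; member contents are a harmless placeholder.
my $sample = Archive::Zip->new();
$sample->addString('x', 'notes.txt');
$sample->addString('x', 'photo.jpg' . (' ' x 40) . '.exe');
$sample->addString('x', 'readme.txt' . (' ' x 40) . '.dat');
my ($fh, $tmp) = tempfile(SUFFIX => '.zip', UNLINK => 1);
close $fh;
$sample->writeToFileNamed($tmp) == AZ_OK or die "cannot write $tmp\n";

my $hits = scan_zip($tmp) or die "cannot read $tmp\n";
for my $name (sort keys %$hits) {
    (my $shown = $name) =~ s/\s{2,}/<spaces>/g;   # keep the report readable
    printf "%s: %s\n", $shown, join(', ', @{ $hits->{$name} });
}
```

The padded `.dat` member is rejected by the whitespace pattern alone, which is the case an extension-only `$re` would miss. Inside a MIMEDefang filter the same pattern string could be passed to re_match and re_match_in_zip_directory, as the post suggests.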


