[Mimedefang] Block executables in 7Z archive - solution
Tomasz Ostrowski
tometzky at batory.org.pl
Thu Oct 8 07:36:23 EDT 2015
We're getting a lot of trojan executables in 7Z archives lately. Like
this one:
https://www.virustotal.com/pl/file/8f766ccb4821488c8b34abda0d472e627dba6f1d261073852e079c66313a9f11/analysis/
I've added some code to my mimedefang-filter, based on
suggested-minimum-filter-for-windows-clients, in filter_bad_filename,
which tests for this. I'd like to share:
# Look inside 7Z files.  This sits in filter_bad_filename, after the
# line that defines $re (the bad-extension regexp of the sample filter).
if (re_match($entity, '\.7z$')) {
    my $bh = $entity->bodyhandle();
    if (defined($bh)) {
        my $path = $bh->path();
        if (defined($path)) {
            # 7za l: list; -slt: one "Key = value" line per property;
            # -bd: no progress indicator; -p: empty password, so 7za
            # never prompts; -y: assume yes; --: end of switches.
            # $path is MIMEDefang's own work file, so interpolating it
            # into the command line is safe here.
            my($code, $category, $action) =
                run_virus_scanner("7za l -slt -bd -p -y -- $path");
            # run_virus_scanner could not execute 7za at all.
            if ($action ne 'proceed') {
                return $code;
            }
            # Non-zero exit: encrypted file names, corrupt archive, etc.
            # Treated like a bad file name.
            if ($code) {
                return $code;
            }
            # With /m the trailing $ in $re anchors on each
            # "Path = ..." line of the listing, which run_virus_scanner
            # stored in $VirusScannerMessages.
            return 1 if $VirusScannerMessages =~ /$re/im;
        }
    }
}
This requires the 7za program (from the p7zip package) to be installed
on the server. This will also block 7z archives with encrypted filenames.
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
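The following is an added example, written for this page and not part of Tometzky's post or of MIMEDefang itself. It shows, as a stand-alone Perl script, what the filter above relies on: the "Key = value" layout that "7za l -slt" prints, the fact that the block before the "----------" separator describes the archive itself (not a member file), and the two blocking conditions, a non-zero exit status (encrypted file names, corrupt archive) and a member name matching the bad-extension regexp. It goes one step beyond the post by also flagging members whose own "Encrypted = +" flag is set; that part, the trimmed extension list in $re, the sample listing, and the helper names are assumptions of this example, not of the original filter.

```perl
#!/usr/bin/perl
# Added example: parse "7za l -slt" output and decide whether a 7z
# archive should be blocked.  Not code from the original post or from
# MIMEDefang; the listing below is constructed, modelled on p7zip output.
use 5.010;
use strict;
use warnings;

# Assumption: a subset of the extensions blocked by
# suggested-minimum-filter-for-windows-clients.
my $re = '\.(bat|chm|cmd|com|cpl|exe|hta|js|jse|lnk|msi|pif|reg|scr|vb|vbe|vbs|wsf|wsh)$';

# Run 7za on a real file.  List-form open: no shell, so odd characters
# in $file cannot be interpreted.  Returns (exit code, full output).
sub list_archive {
    my ($file) = @_;
    open(my $fh, '-|', '7za', 'l', '-slt', '-bd', '-p', '-y', '--', $file)
        or die "cannot run 7za: $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return ($? >> 8, $out);
}

# Turn -slt output into a list of hashes, one per member file.
# Only lines after "----------" describe members; the block before it
# describes the archive (its own "Path = ..." line is skipped).
# A blank line terminates one member's block.
sub parse_slt_listing {
    my ($text) = @_;
    my (@entries, %cur);
    my $in_entries = 0;
    for my $line (split /\n/, $text) {
        if ($line eq '----------') { $in_entries = 1; next; }
        next unless $in_entries;
        if ($line =~ /^\s*$/) {
            push @entries, {%cur} if %cur;
            %cur = ();
            next;
        }
        $cur{$1} = $2 if $line =~ /^([^=]+?)\s*=\s*(.*)$/;
    }
    push @entries, {%cur} if %cur;
    return @entries;
}

# Mirror the posted filter: non-zero exit blocks, a member name
# matching $re blocks.  Extension (assumption): an individually
# encrypted member blocks too, since its content cannot be scanned.
# Returns a reason string, or undef when the archive may pass.
sub check_7z_listing {
    my ($exit_code, $listing) = @_;
    return "7za exited with status $exit_code (encrypted names or bad archive)"
        if $exit_code != 0;
    for my $e (parse_slt_listing($listing)) {
        my $path = $e->{Path};
        next unless defined $path;
        return "blocked file name inside archive: $path" if $path =~ /$re/i;
        return "encrypted member inside archive: $path"
            if ($e->{Encrypted} // '') eq '+';
    }
    return undef;
}

# Constructed listing (not captured from a real message), laid out the
# way p7zip prints "7za l -slt": archive header, separator, members.
my $sample = <<'END';
Listing archive: msg-1.7z

--
Path = msg-1.7z
Type = 7z
Method = LZMA
Solid = +
Blocks = 1
Physical Size = 50112
Headers Size = 178

----------
Path = invoice_2015_10.exe
Size = 118784
Packed Size = 49934
Modified = 2015-10-07 09:14:22
Attributes = A
CRC = 9D1B4A77
Encrypted = -
Method = LZMA:16
Block = 0

Path = readme.txt
Size = 12
Packed Size = 0
Modified = 2015-10-07 09:14:22
Attributes = A
CRC = 2C04A1F3
Encrypted = -
Method = LZMA:16
Block = 0

END

my ($code, $out) = @ARGV ? list_archive($ARGV[0]) : (0, $sample);
my $reason = check_7z_listing($code, $out);
print defined $reason ? "BLOCK: $reason\n" : "OK\n";
# The encrypted-file-names case never yields a listing, only an error
# and a non-zero exit, which is why the exit code is checked first.
print "BLOCK: ", check_7z_listing(2, "Error: Can not open encrypted archive. Wrong password?\n"), "\n";
```

Run without arguments to exercise the constructed listing, or with a path to a .7z file to list it with the installed 7za. Parsing member blocks instead of grepping the whole output also avoids a false hit on an earlier scanner's message that happens to end in a blocked extension, which the filter's plain match on $VirusScannerMessages does not rule out.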