Noel Jones wrote:
> Hmm, just tested it here, didn't catch it for me either. I could have
> sworn this worked before...
>
> Ah, here's the problem...
> # file test_document_with_EXE.doc
> test_document_with_EXE.doc: Microsoft Installer
>
> Eh??? Sure enough, file(1) reports all .doc files I tested (even
> without embedded stuff) as "Microsoft Installer".

For me, I see all doc files as... well, doc files. (These are the two test cases I linked to earlier.)

Noel: can you check these two files? Is this REALLY a Word document? (The original WAS a real Word document, with an embedded 'package'.)
This is the original virus: http://www.secnap.com/downloads/virus.eml:

file -i Proforma_Invoice.doc
Proforma_Invoice.doc: application/msword
file Proforma_Invoice.doc
Proforma_Invoice.doc: Microsoft Office Document

This is the one I made in Word today (without a real virus, but it has an embedded .exe):
http://www.secnap.com/downloads/withdoc.eml

file -i this*
this is a openvpn gui.doc: application/msword

> (file-4.21 from FreeBSD ports)
>
> Quick edit to /usr/local/sbin/amavisd...
> --- amavisd.2.5.1 Fri Jun 15 18:02:10 2007
> +++ amavisd Fri Jun 15 18:07:31 2007
> @@ -983,4 +983,5 @@
> [qr/^Rich Text Format data\b/ => 'rtf'],
> [qr/^Microsoft Office Document\b/i => 'doc'], # OLE2: doc, ppt, xls, ...
> + [qr/^Microsoft Installer\b/i => 'doc'], # OLE2: doc, ppt, xls, ...
> [qr/^ms-windows meta(file|font)\b/i => 'wmf'],
> [qr/^LaTeX\b.*\bdocument text\b/ => 'lat'],
>
> And now it blocks it...
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type: multipart/mixed
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1 Content-Type: text/plain, size: 14 B, name:
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2 Content-Type: application/msword, size: 216576 B, name: test_document_with_EXE.doc
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1 [EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc | P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe", matching_key="(?-xism:^\\.(exe-ms|dll)$)"
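Review bot: the comment copied onto the added `[qr/^Microsoft Installer\b/i => 'doc']` line (`# OLE2: doc, ppt, xls, ...`) does not say why the entry exists; it should record that file-4.21 reports OLE2 .doc files as "Microsoft Installer" and that this line is a workaround for that. Since "Microsoft Installer" is also the description file(1) gives genuine Windows Installer (.msi) packages, after this change those are classified as 'doc' as well, so if your banned-file rules need to tell installers apart from documents, a dedicated type name rather than 'doc' would keep the two distinguishable.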
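To make the effect of that table entry concrete, here is an added Python illustration (not amavisd's own Perl code) of the first-match file(1)-description table the patch edits, together with a stand-in for the behaviour the log shows, where only a part recognised as 'doc' gets its embedded objects decoded and checked against the banned-type regex; the `scan_part` helper and the embedded child types are constructed for this example.

```python
import re

# Ordered (regex, short-type) table in the style of amavisd's file(1)-output
# map: the first matching entry wins, anything unmatched gets no type.
# These four entries are the ones quoted as context in the thread's patch.
STOCK_TABLE = [
    (re.compile(r'^Rich Text Format data\b'), 'rtf'),
    (re.compile(r'^Microsoft Office Document\b', re.I), 'doc'),  # OLE2: doc, ppt, xls, ...
    (re.compile(r'^ms-windows meta(file|font)\b', re.I), 'wmf'),
    (re.compile(r'^LaTeX\b.*\bdocument text\b'), 'lat'),
]

# The workaround from the patch: file-4.21 labels OLE2 .doc files
# "Microsoft Installer", so treat that description as 'doc' too.  Note this
# also routes real Windows Installer (.msi) packages through the 'doc' path.
PATCHED_TABLE = (STOCK_TABLE[:2]
                 + [(re.compile(r'^Microsoft Installer\b', re.I), 'doc')]
                 + STOCK_TABLE[2:])

# amavisd matches its banned-name regex against ".<type>" strings; this is
# the matching_key printed in the BANNED log line above.
BANNED_RE = re.compile(r'^\.(exe-ms|dll)$')


def short_type(file_output, table):
    """Map a file(1) description to a short type name, or None if unmatched."""
    for rx, type_name in table:
        if rx.search(file_output):
            return type_name
    return None


def scan_part(file_output, embedded_types, table):
    """Return the banned ".type" keys found inside one MIME part.

    embedded_types is a constructed stand-in for what the OLE2 decoder would
    report for objects packaged in the document (the log's
    HyperTracerouteInstall.exe carries types 'exe' and 'exe-ms').  As in the
    log, decoding only happens once the container is recognised as 'doc', so
    an untyped part hides whatever is embedded in it.
    """
    if short_type(file_output, table) != 'doc':
        return []
    banned = []
    for child in embedded_types:
        for type_name in child:
            key = '.' + type_name
            if BANNED_RE.match(key) and key not in banned:
                banned.append(key)
    return banned
```

Running `scan_part('Microsoft Installer', [['exe', 'exe-ms']], STOCK_TABLE)` returns nothing, while the same call with `PATCHED_TABLE` returns `['.exe-ms']`, which is the difference between the two log outcomes discussed in the thread.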