In a previous message Dave O'Neill suggested using Archive::Zip instead of "unzip | wc -c" which I had proposed. It seemed like a better idea so I rewrote my filter code as per his suggestion. To use it you have to install the Archive::Zip Perl module and add the line "use Archive::Zip;" to mimedefang-filter. I suppose it could go anywhere but I added it near the top, and in "filter" I have
    # Check for possible novarg/mydoom virus
    # Note: AZ_OK is only defined if the error-code constants are imported,
    # i.e. "use Archive::Zip qw(:ERROR_CODES);" rather than a bare "use Archive::Zip;".
    # Extension tests are anchored on the trailing ".ext" so that e.g. "scripts.txt"
    # does not match "scr".
    if (lc($ext) =~ /\.(bat|cmd|exe|pif|scr|zip)$/) {
        my $path = $entity->bodyhandle->path;
        my $size = (stat($path))[7];
        if (lc($ext) =~ /\.zip$/ && $size < 30000) {
            my $zip = Archive::Zip->new();
            if ($zip->read($path) == AZ_OK) {
                my @members = $zip->members();
                foreach my $member (@members) {
                    my $file = $member->fileName();
                    # Only executable-type members are of interest
                    next if lc($file) !~ /\.(bat|cmd|exe|pif|scr)$/;
                    $size = $member->uncompressedSize();
                    last if $size >= 22528 && $size <= 22530;
                }
            }
        }
        if ($size >= 22528 && $size <= 22530) {
            md_graphdefang_log('virus', "Novarg/Mydoom $fname");
            return action_discard();
        } elsif ($size >= 22000 && $size <= 24000) {
            action_quarantine($entity, "Might be the Novarg/Mydoom virus");
            md_graphdefang_log('virus', "Novarg/Mydoom $fname $size");
            return action_bounce("$fname might be a virus - change the name and resend");
        }
    }

- rick

On Tue, 27 Jan 2004, Dave O'Neill wrote:

> David F. Skoll wrote:
>
> > Just check if the unzipped file has any .exe, .pif, etc. in it. This
> > is more reliable and future-proof than testing for a specific size.
>
> Using the Archive::Zip module from CPAN could be an even better idea if
> we want to avoid the fork/exec and shell pipeline. I think it should be
> as simple as (warning, completely untested):
>
> use Archive::Zip qw(:ERROR_CODES);   # :ERROR_CODES supplies AZ_OK
>
> my $zip = Archive::Zip->new();
> if( $zip->read($entity->bodyhandle->path) == AZ_OK ) {
>     # It's a valid zip
>     my @members = $zip->members();
>     foreach my $member (@members) {
>         my $size = $member->uncompressedSize();
>         my $file = $member->fileName();
>         # Now, test for file extension and/or bad file sizes
>     }
> }
>
> Cheers,
> Dave
> --
> Dave O'Neill <[EMAIL PROTECTED]> Roaring Penguin Software Inc.
> +1 (613) 231-6599 ext. 104 http://www.roaringpenguin.com/
>
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> [EMAIL PROTECTED]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
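The same check as an added example in Python's zipfile module (not code from the thread or from MIMEDefang), so the logic can be tested outside a mail filter: only the central directory is read, nothing is extracted, members are selected by executable extension, and the exact and loose Novarg/Mydoom size windows from Rick's filter are applied. It generalises slightly: all members are scanned (an exact hit anywhere wins over a loose hit) and a payload that is not a valid ZIP is reported as not matching. The size ranges and the helper names are taken from or chosen for this example.

```python
import io
import zipfile

# Member extensions the filter treats as executable content.
EXEC_EXTS = ("bat", "cmd", "exe", "pif", "scr")
# Exact Novarg/Mydoom body sizes and the looser "might be" window (from Rick's filter).
EXACT_RANGE = (22528, 22530)
LOOSE_RANGE = (22000, 24000)


def has_exec_ext(name):
    """True if the final extension is executable; anchored so 'scripts.txt' != 'scr'."""
    if "." not in name:
        return False
    return name.lower().rsplit(".", 1)[-1] in EXEC_EXTS


def classify_zip(data):
    """Return (verdict, detail) for a ZIP payload: 'discard', 'quarantine' or 'pass'.
    Sizes come from the directory entries (file_size), like uncompressedSize()."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Archive::Zip's read() != AZ_OK case: nothing to inspect.
        return ("pass", "not a valid zip archive")
    verdict, detail = "pass", "no executable members"
    with zf:
        for info in zf.infolist():
            if not has_exec_ext(info.filename):
                continue
            size = info.file_size
            if EXACT_RANGE[0] <= size <= EXACT_RANGE[1]:
                return ("discard", f"{info.filename} is {size} bytes")
            if LOOSE_RANGE[0] <= size <= LOOSE_RANGE[1]:
                verdict, detail = "quarantine", f"{info.filename} is {size} bytes"
            elif verdict == "pass":
                detail = f"{info.filename} is {size} bytes"
    return (verdict, detail)


def make_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip({"readme.txt": b"hello", "document.exe": b"M" * 22529})
    print(classify_zip(sample))  # ('discard', 'document.exe is 22529 bytes')
```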