AW: AW: AW: [AMaViS-user] Allowing exe files in zip format
Strange:

> > But as I see now, if I add:
> >
> > $banned_filename_re = new_RE(
> >   ...
> >   [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
> >   [ qr'^\.(gz)$'                  => 0 ],  # allow gzipped
> >   [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
> >   [ qr'^\.(smp)$'                 => 0 ],  # allow Supermailer file
> >
> > not only forbidden exe files (within banned_filename_re) are passed, but also the complete virus check is being passed?!
>
> Banning (or allowing certain files to pass through banned checks) does not affect virus scanning.

Before activating the banned_re as described below, an eicar.zip has been detected as a virus properly (OK, due to BANNED NAME). Now, after the activation of the banned_re, eicar.zip passes with no warning. Sure, an eicar.com is being removed due to banned_re (.com).

But also if I send a VIRUS file with a changed extension:

    The message WILL NOT BE delivered to:
    Scanner detecting a virus: Clam Antivirus-clamd
    ...
    550 5.7.1 Message content rejected, id=23377-09 - VIRUS: Trojan.PSW.Snitch.11
    ...
    Virus scanner output:
    /var/lib/amavis/amavis-20060403T123355-23377/parts/part-2: Trojan.PSW.Snitch.11 FOUND

And if I zip this file and send it, it isn't being detected anymore.

What's wrong here?!

Miro Dietiker
MD Systems

---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
Re: [AMaViS-user] Allowing exe files in zip format
Miro,

> And if I zip this file and send it, it isn't being detected anymore.

Either your zip decoding doesn't work, or your file(1) utility doesn't recognize a zip, or it isn't a zip at all. Turn up the log level and see how mail decoding works.

Mark
AW: [AMaViS-user] Allowing exe files in zip format
Oh..

> > And if I zip this file and send it, it isn't being detected anymore.
>
> Either your zip decoding doesn't work, or your file(1) utility doesn't recognize a zip, or it isn't a zip at all.

You're right, amavis doesn't unzip correctly (or doesn't even try to?):

    tiger:~# file a.zip
    a.zip: Zip archive data, at least v1.0 to extract

On start, amavisd-new reports:

    amavisd-new[14469]: Module Archive::Zip

But on debug, no extraction happens:

    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Extracting mime components
    ..
    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Charging 0 bytes to remaining quota 1094711 (out of 1095000, (0%)) - by mime_decode
    ..

My complete log: http://dev.rootnet.ch/amavisd-new-debug.log
My complete conf: http://dev.rootnet.ch/amavisd.conf (mostly Debian sarge preset with some minimal extensions)

In amavisd.conf: no entry for any 'zip'. But from the docs (/usr/share/doc/amavisd-new) and some googling, I couldn't find how to configure it..

I kindly ask you to give me a hint :-)

Thanks - Miro
Re: AW: [AMaViS-user] Allowing exe files in zip format
Miro,

> > Either your zip decoding doesn't work, or your file(1) utility doesn't recognize a zip, or it isn't a zip at all.
>
> You're right, amavis doesn't unzip correctly (or doesn't even try to?):

No, it is not a zip at all in your case.

> My complete log: http://dev.rootnet.ch/amavisd-new-debug.log

    (14600-01) mime_decode: Content-type: text/plain, name:
    (14600-01) Charging 291 bytes to remaining quota 1099000 ...- by mime_decode
    (14600-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
    (14600-01) Charging 0 bytes to remaining quota 1098709 ...- by mime_decode
    (14600-01) run_command: [14608] /usr/bin/file .../parts/part-1
    (14600-01) File-type of part-1: ASCII text; (.asc)
    (14600-01) run_command: [14609]... parts/part-2
    (14600-01) File-type of part-2: empty; (.empty)

Your second MIME part is empty. It bears a Content-type: application/octet-stream, name: eicar.zip, but there is no content, zero bytes there.

Mark
AW: AW: [AMaViS-user] Allowing exe files in zip format
How right you are!

> (14600-01) run_command: [14609]... parts/part-2
> (14600-01) File-type of part-2: empty; (.empty)
>
> Your second MIME part is empty. It bears a Content-type: application/octet-stream, name: eicar.zip, but there is no content, zero bytes there.

My local antivirus has removed the file without asking (even though I deactivated it - but that's another topic) *%/%/ç%* ...'magic' applications...

Sure the system works properly and unpacks zips perfectly :-)

Thanks a lot - Miro
Re: AW: AW: [AMaViS-user] Allowing exe files in zip format
MD wrote:

> But as I see now, if I add:
>
> $banned_filename_re = new_RE(
>   ...
>   [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
>   [ qr'^\.(gz)$'                  => 0 ],  # allow gzipped
>   [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
>   [ qr'^\.(smp)$'                 => 0 ],  # allow Supermailer file
>
> not only forbidden exe files (within banned_filename_re) are passed, but also the complete virus check is being passed?!

Banning (or allowing certain files to pass through banned checks) does not affect virus scanning.

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions

Gary V
[AMaViS-user] Allowing exe files in zip format
Hi,

I am running postfix 2.2.4 on Solaris 8 with amavisd-new 2.3.2, SpamAssassin 3.1.0 and Clamav 0.8.7.1 as an AV/AS gateway to my main email system. We want our users to be able to send exe files in compressed form (.zip). How can I configure amavisd not to ban exe files in zip format?

Thanks,
MJ
AW: [AMaViS-user] Allowing exe files in zip format
This one would interest me too ...

Which var did you pass this option to? Could you pass the paragraph here? In my Debian amavisd.conf there is no such line to uncomment.

Thanks!

Miro Dietiker
MD Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of MJ
Sent: Wednesday, 28 December 2005 15:55
To: amavis-user@lists.sourceforge.net
Subject: RE: [AMaViS-user] Allowing exe files in zip format

Hi,

Got it. I uncommented the following line in /etc/amavisd.conf and it solved my problem.

    [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives

Thanks,
MJ
RE: [AMaViS-user] Allowing exe files in zip format
> This one would interest me too ...
>
> Which var did you pass this option to? Could you pass the paragraph here? In my Debian amavisd.conf there is no such line to uncomment.

I am using amavisd-new 2.3.2 and by default it has a commented line under the $banned_filename_re paragraph; I just uncommented it. Here is the paragraph.

MJ

--
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

  qr'^application/x-msdownload$'i,              # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,                       # rfc2046 MIME type
# qr'^message/external-body$'i,                 # rfc2046 MIME type

# [ qr'^\.(Z|gz|bz2)$'             => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'         => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$'  => 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,             # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,                            # banned ext - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,      # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                           # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',             # banned file(1) types
);
--
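To make concrete what the rules MJ quotes do, and why the empty part Mark found earlier in the thread slips through, here is an added Python model of the banned-name check (example code, not amavisd-new's own): each leaf object yields a chain of names (MIME type, declared filename, file(1)-style type, then archive members), and the first rule hit by any name in that order decides. The file_type() magic-byte mapping, the chain order, the uniform case-insensitive matching and the constructed sample mail are assumptions of this example.

```python
import base64, io, re, zipfile
from email import message_from_bytes

# (pattern, banned?) in order; the first rule hit by any name in a chain decides.
# Mirrors the rules quoted above; the entry with verdict False is the line MJ uncommented.
RULES_ZIP_ALLOWED = [
    (r'^application/x-msdownload$', True),
    (r'^\.(zip|rar|arc|arj|zoo)$', False),           # allow any within such archives
    (r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', True),
    (r'^\.(exe-ms)$', True),
]
RULES_DEFAULT = [r for r in RULES_ZIP_ALLOWED if r[1]]  # archive line still commented

def file_type(data: bytes) -> str:
    """Tiny stand-in for file(1), mapped to amavis-style '.type' tokens (assumed subset)."""
    if not data:
        return '.empty'
    return '.zip' if data[:4] == b'PK\x03\x04' else '.exe-ms' if data[:2] == b'MZ' else '.asc'

def name_chains(raw: bytes):
    """Per leaf: MIME type, declared name, file(1) type, then each zip member's name/type."""
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b''
        outer = [part.get_content_type(), part.get_filename() or '', file_type(data)]
        if outer[-1] != '.zip':  # an empty or non-zip part is never unpacked
            yield outer
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield outer + [info.filename, file_type(zf.read(info))]

def verdict(chain, rules):
    """True = banned, False = explicitly allowed, None = no rule matched (case-insensitive)."""
    for name in chain:
        for pattern, banned in rules:
            if re.search(pattern, name, re.I):
                return banned
    return None

def build_sample() -> bytes:
    """Constructed mail: an empty part declared as eicar.zip, plus a real zip holding an 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('tool.exe', b'MZ' + b'\0' * 14)
    return (b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b'--b1\r\nContent-Type: application/octet-stream; name="eicar.zip"\r\n'
            b'Content-Transfer-Encoding: base64\r\n\r\n\r\n--b1\r\n'
            b'Content-Type: application/zip; name="tool.zip"\r\n'
            b'Content-Transfer-Encoding: base64\r\n\r\n'
            + base64.b64encode(buf.getvalue()) + b'\r\n--b1--\r\n')
```

The empty eicar.zip part yields the chain `['application/octet-stream', 'eicar.zip', '.empty']`, hits no rule and has nothing to unpack or scan; the zipped tool.exe is banned under the default rules and allowed once the archive line is uncommented, while virus scanning, as Gary V notes, is a separate stage this check does not touch.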
Re: [AMaViS-user] Allowing exe files in zip format
On Wed, Dec 28, 2005 at 05:10:06PM +0100, Miro Dietiker, MD Systems wrote:
> > I am using amavisd-new 2.3.2 and by default it has a commented line under the $banned_filename_re paragraph; I just uncommented it. Here is the paragraph.
> >
> > MJ
>
> Huh ... I tried to resolve my exact version, but amavisd-new supports no -V and my Debian says no such version string, just Version: 20030616p10-5

You have quite an old version of amavisd-new (over 2 years out of date, as the version indicates.) It will work OK, but you might consider upgrading. The version you run is missing many newer features, and an upgrade might be required to use the newest versions of SpamAssassin; I forget.

-- Clifton

--
Clifton Royston -- [EMAIL PROTECTED] / [EMAIL PROTECTED]
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
Re: AW: [AMaViS-user] Allowing exe files in zip format
MD wrote:

> Hmm ... I like mainstream packages wherever possible, but you're right, two years out of date sounds a little obsolete.. For the next days this version will remain, but I'm thinking of upgrading to a more recent version.
>
> I also use SA from Debian sarge (SA version 3.0.3 with perl 5.8.4, which works perfectly for me) or do you think this is that much outdated too?

Version 3.1 works slower on my system, but it seems to catch a little more spam. If you upgrade to 3.1 you should consider moving Bayes to MySQL (if you have not already done so and if you have enough memory). Here is a document that may help there if this interests you:
http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html

If you like, you can install spamassassin 3.1 from 'testing' provided you have configured a testing source in /etc/apt/sources.list and set priorities in /etc/apt/preferences.
http://jaqque.sbih.org/kplug/apt-pinning.html

> With my settings (no user defined big config tables), amavisd-new uses 40MB and does a double-prefork (resulting in 120MB memory usage).. Is this also better with newer versions - or even worse?
>
> Miro

A little worse for memory usage. I have a document that may give you some ideas when you upgrade:
http://www200.pair.com/mecham/spam/upgrade-amavis.html

Here is my amavisd-new memory usage (version 2.3.3, spamassassin 3.1):

    Mem:   385624k total,   325060k used,    60564k free,    50268k buffers
    Swap: 1951856k total,     2184k used,  1949672k free,   137956k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    19600 amavis     9   0 51300  50m  47m S  0.0 13.3   0:00.02 amavisd-new
    19599 amavis     9   0 51296  50m  47m S  0.0 13.3   0:00.04 amavisd-new
    19595 amavis     9   0 51204  49m  47m S  0.0 13.3   0:05.26 amavisd-new

Gary V