AW: AW: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
Strange:

> > But as I see now, if I add:
> > $banned_filename_re = new_RE(
> > ...
> >  [ qr'^\.(rpm|cpio|tar)$'   => 0 ],  # allow any in Unix-type archives
> >  [ qr'^\.(gz)$'             => 0 ],  # allow gzipped
> >  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
> >  [ qr'^\.(smp)$'            => 0 ],  # allow Supermailer file
> >
> > not only forbidden exefiles (within banned_filename_re) are passed,
> > but also complete virus check is being passed?!
>
> Banning (or allowing certain files to pass through banned checks) does
> not affect virus scanning.

Before activating the banned_re as described below, an eicar.zip was
detected as a virus properly (OK, due to BANNED NAME). Now, after the
activation of the banned_re, eicar.zip passes with no warning. Sure, an
eicar.com is being removed due to banned_re (.com)

But also if I send a VIRUS file with changed extension:
The message WILL NOT BE delivered to:
Scanner detecting a virus: Clam Antivirus-clamd
...
   550 5.7.1 Message content rejected, id=23377-09 - VIRUS:
Trojan.PSW.Snitch.11
...
Virus scanner output:
   /var/lib/amavis/amavis-20060403T123355-23377/parts/part-2:
Trojan.PSW.Snitch.11 FOUND

And if I zip this file and send it, it isn't being detected
anymore

What's wrong here?!

Miro Dietiker

+---+  +---+
| Miro Dietiker |  | MD Systems Miro Dietiker  |
+---+  +---+




---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Mark Martinec
Miro,

> And if I zip this file and send it, it isn't being detected
> anymore

Either your zip decoding doesn't work, or your file(1) utility
doesn't recognize a zip, or it isn't a zip at all.

Turn up log level and see how mail decoding works.

  Mark




AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
Oh..

> > And if I zip this file and send it, it isn't being detected
> > anymore
>
> Either your zip decoding doesn't work, or your file(1) utility
> doesn't recognize a zip, or it isn't a zip at all.

You're right, amavis doesn't unzip correctly (or doesn't even try to?):

tiger:~# file a.zip
a.zip: Zip archive data, at least v1.0 to extract

On start, amavisd-new reports:
amavisd-new[14469]: Module Archive::Zip

But on debug, no extraction happens:
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Extracting
mime components
..
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01)
mime_decode: Content-type: application/octet-stream, name: eicar.zip
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Charging 0
bytes to remaining quota 1094711 (out of 1095000, (0%)) - by mime_decode
..

My complete log:  http://dev.rootnet.ch/amavisd-new-debug.log
My complete conf: http://dev.rootnet.ch/amavisd.conf
(mostly debian sarge preset with some minimal extensions)

In amavisd.conf: no entry for any 'zip'
But from the docs (/usr/share/doc/amavisd-new) and some googling, I
couldn't find how to configure it..

I kindly ask you to give me a hint :-)

Thanks - Miro






Re: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Mark Martinec
Miro,

> > Either your zip decoding doesn't work, or your file(1) utility
> > doesn't recognize a zip, or it isn't a zip at all.
>
> You're right, amavis doesn't unzip correctly (or doesn't even try to?):

No, it is not a zip at all in your case.

> My complete log:  http://dev.rootnet.ch/amavisd-new-debug.log

(14600-01) mime_decode: Content-type: text/plain, name: 
(14600-01) Charging 291 bytes to remaining quota 1099000 ...- by mime_decode
(14600-01) mime_decode: Content-type: application/octet-stream,
  name: eicar.zip
(14600-01) Charging 0 bytes to remaining quota 1098709 ...- by mime_decode

(14600-01) run_command: [14608] /usr/bin/file .../parts/part-1 
(14600-01) File-type of part-1: ASCII text; (.asc)
(14600-01) run_command: [14609]... parts/part-2 
(14600-01) File-type of part-2: empty; (.empty)

Your second MIME part is empty.

It bears a Content-type: application/octet-stream, name: eicar.zip,
but there is no content, zero bytes there.

  Mark
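A check for exactly the failure Mark read out of the debug log, written here as an added example (not amavisd-new's own code): it pairs each mime_decode line with its "Charging N bytes" line and the file(1) verdict for the same part, then flags attachments whose declared name looks like an archive but that carried no bytes. The sample log is the excerpt quoted above, constructed into a string; the list of archive extensions is an assumption taken from the allow rules discussed in this thread.

```python
import re

# Constructed sample: the amavisd-new debug lines quoted above (log id 14600-01).
SAMPLE_LOG = """\
(14600-01) mime_decode: Content-type: text/plain, name:
(14600-01) Charging 291 bytes to remaining quota 1099000 ...- by mime_decode
(14600-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
(14600-01) Charging 0 bytes to remaining quota 1098709 ...- by mime_decode
(14600-01) run_command: [14608] /usr/bin/file .../parts/part-1
(14600-01) File-type of part-1: ASCII text; (.asc)
(14600-01) run_command: [14609]... parts/part-2
(14600-01) File-type of part-2: empty; (.empty)
"""

MIME_RE = re.compile(r'mime_decode: Content-type: (\S+), name: ?(.*)$')
SIZE_RE = re.compile(r'Charging (\d+) bytes .*by mime_decode')
TYPE_RE = re.compile(r'File-type of part-(\d+): ([^;]*); \((\S+)\)')
ARCHIVE_EXT = ('.zip', '.rar', '.arc', '.arj', '.zoo', '.tar', '.gz')  # assumption

def _empty_part():
    return {'ctype': None, 'name': '', 'bytes': None, 'ftype': None, 'ext': None}

def parse_parts(log_text):
    """Map part number -> attributes. mime_decode lines are numbered in the
    order they appear (part-1, part-2, ...), matching the files under parts/;
    the 'Charging N bytes' line that follows gives the decoded size."""
    parts, n = {}, 0
    for line in log_text.splitlines():
        if m := MIME_RE.search(line):
            n += 1
            parts[n] = _empty_part()
            parts[n]['ctype'], parts[n]['name'] = m.group(1), m.group(2).strip()
        elif (m := SIZE_RE.search(line)) and n:
            parts[n]['bytes'] = int(m.group(1))
        elif m := TYPE_RE.search(line):
            p = parts.setdefault(int(m.group(1)), _empty_part())
            p['ftype'], p['ext'] = m.group(2).strip(), m.group(3)
    return parts

def suspicious_parts(parts):
    """Attachments declared as archives by name that carried no bytes or that
    file(1) typed as empty: there was nothing for the decoder or scanner to see."""
    out = []
    for no, p in sorted(parts.items()):
        looks_archive = p['name'].lower().endswith(ARCHIVE_EXT)
        if looks_archive and (p['bytes'] == 0 or p['ext'] == '.empty'):
            out.append(f"part-{no} ({p['name']}): {p['bytes']} bytes, file(1) says {p['ftype']}")
    return out

if __name__ == '__main__':
    for finding in suspicious_parts(parse_parts(SAMPLE_LOG)):
        print(finding)
```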




AW: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
How right you are!

> (14600-01) run_command: [14609]... parts/part-2
> (14600-01) File-type of part-2: empty; (.empty)
>
> Your second MIME part is empty.
>
> It bears a Content-type: application/octet-stream, name: eicar.zip,
> but there is no content, zero bytes there.

My local antivirus has removed the file without asking (even though I had
deactivated it - but that's another topic) *%/%/ç%*
...'magic' applications...

Sure the system works properly and unpacks zips perfectly :-)

Thanks a lot - Miro






Re: AW: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-01 Thread Gary V
MD wrote:
> But as I see now, if I add:
> $banned_filename_re = new_RE(
> ...
>  [ qr'^\.(rpm|cpio|tar)$'   => 0 ],  # allow any in Unix-type archives
>  [ qr'^\.(gz)$'             => 0 ],  # allow gzipped
>  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
>  [ qr'^\.(smp)$'            => 0 ],  # allow Supermailer file
>
> not only forbidden exefiles (within banned_filename_re) are passed, but
> also complete virus check is being passed?!

Banning (or allowing certain files to pass through banned checks) does not
affect virus scanning.

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#actions

Gary V





[AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread MJ

Hi,
I am running postfix 2.2.4 on Solaris 8 with amavisd-new 2.3.2,
SpamAssassin 3.1.0 and Clamav 0.8.7.1 as an AV/AS gateway to my main
email system. We want our users to be able to send exe files in compressed
form (.zip). How can I configure amavisd not to ban exe files in zip
format?

Thanks,
MJ






AW: [AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread Miro Dietiker, MD Systems
This one would interest me too ...
Which var did you pass this option to? Could you paste the paragraph here?

In my debian amavisd.conf there is no such uncommentable line.

Thanks!

+---+  +---+
| Miro Dietiker |  | MD Systems Miro Dietiker  |
+---+  +---+

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of MJ
Sent: Wednesday, 28 December 2005 15:55
To: amavis-user@lists.sourceforge.net
Subject: RE: [AMaViS-user] Allowing exe files in zip format

Hi,

Got it. I uncommented the following line in /etc/amavisd.conf and it
solved my problem.

[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

Thanks,

MJ









RE: [AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread MJ

> This one would interest me too ...
> Which var did you pass this option to? Could you paste the paragraph here?
>
> In my debian amavisd.conf there is no such uncommentable line.

I am using amavisd-new 2.3.2 and by default it has a commented line under
the $banned_filename_re paragraph; I just uncommented it. Here is the
paragraph:
MJ
--
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

  qr'^application/x-msdownload$'i,  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# [ qr'^\.(Z|gz|bz2)$'   => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'   => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',   # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);

--
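To show what the uncommented line actually does, here is an added, simplified model of how amavisd-new walks $banned_filename_re: rules are tried in order and the first match wins, a bare pattern bans, a [pattern => 0] pair allows, and an allow that matches an enclosing archive covers everything inside it (the "allow any within such archives" comment). This is illustration written for this thread, not amavisd-new's code; the part chains and the '.dat' file(1) type used for the archive member are constructed, and the patterns are the ones from the config above, transcribed from Perl qr'' to Python.

```python
import re

# Patterns from the $banned_filename_re paragraph above (Perl qr'' -> Python).
# Each entry: (regex, flags, banned); banned=False models "[ pattern => 0 ]".
RULES = [
    (r'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$', re.I, True),
    (r'^application/x-msdownload$', re.I, True),       # block these MIME types
    (r'^application/x-msdos-program$', re.I, True),
    (r'^application/hta$', re.I, True),
    (r'^\.(rpm|cpio|tar)$', 0, False),                 # allow any in Unix-type archives
    (r'^\.(zip|rar|arc|arj|zoo)$', 0, False),          # the uncommented allow line
    (r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.I, True),  # banned extension - basic
    (r'^\.(exe-ms)$', 0, True),                        # banned file(1) type
]

def compile_rules(allow_archives=True):
    """allow_archives=False simulates leaving the '=> 0' archive lines commented out."""
    return [(re.compile(pat, flags), banned)
            for pat, flags, banned in RULES
            if allow_archives or banned]

def is_banned(chain, allow_archives=True):
    """chain: parts from the outermost attachment to the innermost archive member,
    each a list of the attributes amavisd matches (file(1) type such as '.zip',
    MIME type, declared file name). Ancestors are checked before descendants,
    so the first matching rule on an enclosing archive decides for its members."""
    rules = compile_rules(allow_archives)
    for part in chain:
        for attr in part:
            for pat, banned in rules:
                if pat.search(attr):
                    return banned
    return False  # nothing matched: not banned

# Constructed chains: a bare eicar.com attachment, and the same file inside a zip.
BARE_COM = [['.dat', 'application/octet-stream', 'eicar.com']]
ZIP_WITH_COM = [
    ['.zip', 'application/octet-stream', 'eicar.zip'],  # outer part, file(1) says zip
    ['.dat', 'application/octet-stream', 'eicar.com'],  # member extracted from it
]

if __name__ == '__main__':
    print('bare .com banned:', is_banned(BARE_COM))                          # True
    print('.com in zip, allow line active:', is_banned(ZIP_WITH_COM))        # False
    print('.com in zip, allow line commented:',
          is_banned(ZIP_WITH_COM, allow_archives=False))                     # True
```

Whatever the banned check decides, the virus scanner still sees the extracted member; only the banned-name verdict changes, which is Gary's point below.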






Re: [AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread Clifton Royston
On Wed, Dec 28, 2005 at 05:10:06PM +0100, Miro Dietiker, MD Systems wrote:
> > I am using amavisd-new 2.3.2 and by default it has a commented line under
> > the $banned_filename_re paragraph; I just uncommented it. Here is the
> > paragraph
> > MJ
>
> Huh ... I tried to resolve my exact version but amavisd-new supports no
> -V and my debian says no such version string, just Version:
> 20030616p10-5

  You have quite an old version of amavisd-new (over 2 years out of
date, as the version indicates.) It will work OK, but you might
consider upgrading.  The version you run is missing many newer
features, and an upgrade might be required to use newest versions of
SpamAssassin; I forget.

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services




Re: AW: [AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread Gary V
MD wrote:

> Hmm ... I like mainstream packages where ever possible, but you're
> right, two years of outdating sounds a little obsolete..
> For next days this version will remain, but I'm thinking of upgrading
> to a more recent version.
> I also use sa from debian sarge (SA version 3.0.3 with perl 5.8.4, which
> works perfectly for me) or do you think this is outdated too that much?

Version 3.1 works slower on my system, but it seems to catch a little
more spam. If you upgrade to 3.1 you should consider moving Bayes to
MySQL (if you have not already done so and if you have enough memory).
Here is a document that may help there if this interests you:
http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html

If you like, you can install spamassassin 3.1 from 'testing'
provided you have configured a testing source in /etc/apt/sources.list
and set priorities in /etc/apt/preferences.
http://jaqque.sbih.org/kplug/apt-pinning.html

> With my settings (no user defined big config tables), amavisd-new uses
> 40MB and does a double-prefork (resulting in 120MB memory usage)..
> Is this also better with newer Versions - or even worse?
> Miro

A little worse for memory usage.
I have a document that may give you some ideas when you upgrade:
http://www200.pair.com/mecham/spam/upgrade-amavis.html

Here is my amavisd-new memory usage (version 2.3.3, spamassassin 3.1):
Mem:    385624k total,   325060k used,    60564k free,    50268k buffers
Swap:  1951856k total,     2184k used,  1949672k free,   137956k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
19600 amavis     9   0 51300  50m  47m S  0.0 13.3   0:00.02 amavisd-new
19599 amavis     9   0 51296  50m  47m S  0.0 13.3   0:00.04 amavisd-new
19595 amavis     9   0 51204  49m  47m S  0.0 13.3   0:05.26 amavisd-new

Gary V


