Re: [Clamav-users] Password Protected ZIP Files
Dennis Peterson wrote:
> In my environment I use a milter to call clamav and it allows me to skip av
> testing based on several criteria including To: and From: addresses.
> Perhaps you have something similar.

We are using Zimbra, I am not sure if there is a way to specify to skip av scan from a specific address...

If anybody else is using Zimbra and has run into a similar situation, I would greatly appreciate any assistance on how to "tell" Zimbra to skip av scan if the email is being sent from a specific address.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Password Protected ZIP Files
Donald Johnson wrote:
> I have a process which generates a ZIP file and emails it... This file is
> REQUIRED to be Password protected.
>
> The password is the same every time it is generated, and it goes to the same
> recipients each time...
>
> I really don't want to turn off the feature to block Encrypted ZIP files...
>
> Is there a way to tell ClamAV what password to try on the ZIP file?
> If not, could there be a consideration of adding the feature?

In my environment I use a milter to call clamav and it allows me to skip av testing based on several criteria including To: and From: addresses. Perhaps you have something similar.

dp
Re: [Clamav-users] Password Protected ZIP Files
> I have a process which generates a ZIP file and emails it... This file is
> REQUIRED to be Password protected.
> The password is the same every time it is generated, and it goes to the same
> recipients each time...
> I really don't want to turn off the feature to block Encrypted ZIP files...
> Is there a way to tell ClamAV what password to try on the ZIP file?
> If not, could there be a consideration of adding the feature?

Would it not just be easier to instruct your mail server not to pass the email through Clamav?

I guess from your reference to "Block Encrypted ZIP files" that you might be using MailScanner. If this is the case, post on the MailScanner list, and someone will help you create a ruleset if you're having problems.

HTH,

Best Regards,
Richard Garner (A+, N+, AMBCS, MOS-O)
[Clamav-users] Password Protected ZIP Files
I have a process which generates a ZIP file and emails it... This file is REQUIRED to be Password protected.

The password is the same every time it is generated, and it goes to the same recipients each time...

I really don't want to turn off the feature to block Encrypted ZIP files...

Is there a way to tell ClamAV what password to try on the ZIP file?
If not, could there be a consideration of adding the feature?
Re: [Clamav-users] password protected zip files
On Friday 18 June 2004 10:46, Tomasz Kojm wrote:
> In your original post you mentioned a problem with detection of the test
> #12 from testvirus.org. I consider this particular test (encrypted eicar
> test file) rather useless and stupefying and would suggest to ignore it.

Okay. I have enough stupefying things I can't ignore, so I appreciate being able to ignore this one. ;-)

--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
==
In a perfect world there would be no lawyers.

___
Clamav-users mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] password protected zip files
On Fri, 18 Jun 2004 08:31:55 -0700 Robin Lynn Frank <[EMAIL PROTECTED]> wrote:
> On Friday 18 June 2004 04:25, Tomasz Kojm wrote:
> > ClamAV is
> > able to detect it (in contrast to many commercial scanners) and
> > there's no need to reject all encrypted files.
>
> If you note my original post, password-protected zips were getting by
> on a box with 0.73/clamdscan/clamassassin1.1.0/maildrop/postfix.

In your original post you mentioned a problem with detection of the test #12 from testvirus.org. I consider this particular test (encrypted eicar test file) rather useless and stupefying and would suggest to ignore it.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Jun 18 19:41:22 CEST 2004
Re: [Clamav-users] password protected zip files
> On Thursday 17 June 2004 18:01, Matt wrote:
> > #ArchiveDetectEncrypted
>
> Hmm, my config file had #ArchiveBlockEncrypted
>
> I uncommented it and restarted clamd, but I wonder which is the correct one?

I could be wrong, but I think the later versions still accept the older syntax, so either should work. My conf file is from a few versions back.

Matt
Re: [Clamav-users] password protected zip files
On Friday 18 June 2004 04:25, Tomasz Kojm wrote:
> ClamAV is
> able to detect it (in contrast to many commercial scanners) and there's
> no need to reject all encrypted files.

If you note my original post, password-protected zips were getting by on a box with 0.73/clamdscan/clamassassin1.1.0/maildrop/postfix. On another machine invoking clamdscan via amavisd-new, password-protected zips were caught. Therefore, until I can correct the problem, my only alternative is to block all password-protected zips (not that this is a real burden).

--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
==
In a perfect world, there would be no crying babies in theaters.
Re: [Clamav-users] password protected zip files
On Friday 18 June 2004 01:12, Simon Fishley wrote:
> -----Original Message-----
> From: Robin Lynn Frank [mailto:[EMAIL PROTECTED]
> Sent: 18 June 2004 02:48 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] password protected zip files
>
> > emails with the eicar test virus in password protected zip files were not
> > caught.
>
> ___SNIP
>
> When you think about it though - does it really matter if you don't stop a
> virus in an encrypted archive file? Unless the recipient knows the
> password there is very little risk of damage. Not a very successful way of
> getting a virus to propagate is it? Unless the body of the message
> includes the password and the recipient does open the file. IMHO they
> deserve to be infected then :)

The password is included in the body of the email. The luser takes the bait, uses the password to extract the archive. You have no idea how dumb people can be! Welcome to the real world.

--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
==
/dev/null campaign against unwanted email.
Re: [Clamav-users] password protected zip files
On Fri, 18 Jun 2004 09:25:31 +0100 Antony Stone <[EMAIL PROTECTED]> wrote:
> On Friday 18 June 2004 9:12 am, Simon Fishley wrote:
>
> > When you think about it though - does it really matter if you don't
> > stop a virus in an encrypted archive file? Unless the recipient
> > knows the password there is very little risk of damage. Not a very
> > successful way of getting a virus to propagate is it? Unless the
> > body of the message includes the password and the recipient does
> > open the file. IMHO they deserve to be infected then :)
>
> Something tells me you haven't seen how effective the NetSky /
> SomeFool virus was

It was Bagle and not NetSky propagating in encrypted archives. ClamAV is able to detect it (in contrast to many commercial scanners) and there's no need to reject all encrypted files.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Jun 18 13:15:48 CEST 2004
Re: [Clamav-users] password protected zip files
On Friday 18 June 2004 9:12 am, Simon Fishley wrote:
> When you think about it though - does it really matter if you don't stop a
> virus in an encrypted archive file? Unless the recipient knows the
> password there is very little risk of damage. Not a very successful way of
> getting a virus to propagate is it? Unless the body of the message
> includes the password and the recipient does open the file. IMHO they
> deserve to be infected then :)

Something tells me you haven't seen how effective the NetSky / SomeFool virus was

If we could rely on the argument "you (user) did something stupid, therefore this problem is your fault", then around 80% of IT support and security staff could probably go home immediately.

Regards,

Antony.

--
"The future is already here. It's just not evenly distributed yet."
- William Gibson

Please reply to the list; please don't CC me.
Re: [Clamav-users] password protected zip files
On Friday 18 June 2004 03:12 am, Simon Fishley wrote:
> When you think about it though - does it really matter if you don't stop a
> virus in an encrypted archive file? Unless the recipient knows the
> password there is very little risk of damage. Not a very successful way of
> getting a virus to propagate is it? Unless the body of the message
> includes the password and the recipient does open the file. IMHO they
> deserve to be infected then :)

err... what hole have you been living in? There have been several virii that use this very method of attacking to propagate and they were very successful. The stupid shit people will do if you tell them to is simply amazing.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
RE: [Clamav-users] password protected zip files
-----Original Message-----
From: Robin Lynn Frank [mailto:[EMAIL PROTECTED]
Sent: 18 June 2004 02:48 AM
To: [EMAIL PROTECTED]
Subject: [Clamav-users] password protected zip files

> emails with the eicar test virus in password protected zip files were not caught.

___SNIP

When you think about it though - does it really matter if you don't stop a virus in an encrypted archive file? Unless the recipient knows the password there is very little risk of damage. Not a very successful way of getting a virus to propagate is it? Unless the body of the message includes the password and the recipient does open the file. IMHO they deserve to be infected then :)
Re: [Clamav-users] password protected zip files
On Thursday 17 June 2004 18:01, Matt wrote:
> #ArchiveDetectEncrypted

Hmm, my config file had #ArchiveBlockEncrypted

I uncommented it and restarted clamd, but I wonder which is the correct one?

--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
==
No space left in message for a signature.
Re: [Clamav-users] password protected zip files
> I have 0.73 installed with clamdscan being called from maildrop via
> ClamAssassin 1.1.0. I ran the tests on testvirus.org and noted that the
> emails with the eicar test virus in password protected zip files were not
> caught. (I have anomy as a second line of defense and it nails the zip files
> if they get by clamdscan.)
>
> Anyone with ideas as to how I can fix this?

There is the following option in clamav.conf for those.

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
#ArchiveDetectEncrypted

Matt
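An added example, not part of any post in this thread and not ClamAV's or any milter's code: the two ideas discussed here (flag encrypted ZIP attachments, but exempt one known sender/recipient pair) sketched as a standalone check. The ZIP format marks an encrypted entry with general-purpose flag bit 0; the addresses, the `ALLOWED_ENCRYPTED` set and the verdict names are assumptions, and the sample archive is constructed with only the flag bit set.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # ZIP general-purpose flag bit 0: entry data is encrypted

# Hypothetical exception list of (envelope sender, recipient) pairs. SMTP sender
# addresses are not authenticated, so keep it to the one known job and recipient.
ALLOWED_ENCRYPTED = {("reports@example.com", "finance@example.org")}


def encrypted_members(data: bytes) -> list[str]:
    """Names of ZIP entries whose central-directory header is flagged encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def verdict(sender: str, recipient: str, attachment: bytes) -> str:
    """Return 'scan', 'block' or 'accept-unscanned' for one attachment."""
    try:
        locked = encrypted_members(attachment)
    except zipfile.BadZipFile:
        return "scan"  # not a ZIP at all: leave it to the normal scanner
    if not locked:
        return "scan"  # readable archive: the scanner can inspect the contents
    if (sender.lower(), recipient.lower()) in ALLOWED_ENCRYPTED:
        return "accept-unscanned"
    return "block"


def sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed test input: a one-file ZIP, optionally with only the flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "constructed sample data")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit at offset 6 of the local header and offset 8 of the
        # central-directory header; set bit 0 in both (payload stays plaintext).
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(signature) + offset] |= ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    for who in ("reports@example.com", "someone@example.net"):
        print(who, verdict(who, "finance@example.org", sample_zip(True)))
    print("plain zip:", verdict("someone@example.net", "finance@example.org", sample_zip(False)))
```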
[Clamav-users] password protected zip files
I have 0.73 installed with clamdscan being called from maildrop via ClamAssassin 1.1.0. I ran the tests on testvirus.org and noted that the emails with the eicar test virus in password protected zip files were not caught. (I have anomy as a second line of defense and it nails the zip files if they get by clamdscan.)

Subject: Virus Scanner Test #12
X-Virus-Status: No
X-Virus-Checker-Version: ClamAssassin 1.1.0 with clamdscan / ClamAV version 0.73

Anyone with ideas as to how I can fix this?

--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
==
Under Marxism, labor is not rewarded for producing.
Under Capitalism, business is rewarded for not producing.