Re: [Clamav-users] Rejecting Executables in ZIP Files?
> My question is what am I doing wrong or what do I need to do in order for
> Clamav to recognize that an archived attachment contains a banned file
> extension and to reject it immediately?

If you really want to block dangerous runnable attachments, create a .zmd file (and you'll need a .rmd file). For example:

Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*

[blocks certain .xxx.exe types, i.e. uses a double extension to fool users, e.g. .doc.exe, .jpg.exe]

Here's a really quickly put together file (and I'm sure it can be greatly improved on), but if you really want to test it:

http://www.sanesecurity.co.uk/clamav/blocked.zmd

You'll need to create a .rmd version of this, to block items in .rar files.

Totally overkill maybe, but the ClamAV engine can do it :)

Cheers,
Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[Clamav-users] Rejecting Executables in ZIP Files?
I have my Postfix email server set to reject .exe files as listed below in 'mime_header_checks':

mail:/etc/postfix# cat /etc/postfix/mime_header_checks
/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/ REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/ REJECT Attachment type not allowed. File $2 has the unacceptable extension $3

I can see the following in my logs:

Oct 14 10:27:35 mail amavis[29316]: (29316-02) ESMTP::10024 /var/lib/amavis/tmp/amavis-20081014T102727-29316: [EMAIL PROTECTED] - [EMAIL PROTECTED] SIZE=5611067 Received: from mail.example.com ([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for [EMAIL PROTECTED]; Tue, 14 Oct 2008 10:27:35 -0400 (EDT)
Oct 14 10:27:37 mail amavis[29316]: (29316-02) p.path BANNED:1 [EMAIL PROTECTED]: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=R46202.EXE.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=R46202.EXE, matching_key=(?i-xsm:.\\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$)
Oct 14 10:27:40 mail amavis[29316]: (29316-02) local delivery: [EMAIL PROTECTED] - banned-quarantine, mbx=/var/lib/amavis/virusmails/banned-hGYdZ1Z2LT6e

Basically it appears to scan the zip file I send via email and locate the 'R46202.EXE' embedded in the zip file; however, it still transmits the message rather than rejecting it. I do get the following email relayed to myself as the mail administrator:

No viruses were found.
Banned name: multipart/mixed | application/zip,.zip,R46202.EXE.zip | .exe,.exe-ms,R46202.EXE
Content type: Banned (8,0)
Internal reference code for the message is 29316-02/hGYdZ1Z2LT6e
First upstream SMTP client IP address: [10.1.1.204] tunafish.example.com
According to a 'Received:' trace, the message originated at: [10.1.1.204], [10.1.1.204] (tunafish.example.com [10.1.1.204])
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Subject: Zip
The message has been quarantined as: banned-hGYdZ1Z2LT6e
The message WILL BE relayed to: [EMAIL PROTECTED]

My question is what am I doing wrong or what do I need to do in order for Clamav to recognize that an archived attachment contains a banned file extension and to reject it immediately?
Re: [Clamav-users] Rejecting Executables in ZIP Files?
On 14.10.08 10:45, Carlos Williams wrote:
> I have my Postfix email server set to reject .exe files as listed below in 'mime_header_checks'
>
> Oct 14 10:27:35 mail amavis[29316]: (29316-02) ESMTP::10024 /var/lib/amavis/tmp/amavis-20081014T102727-29316: [EMAIL PROTECTED] - [EMAIL PROTECTED] SIZE=5611067 Received: from mail.example.com ([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for [EMAIL PROTECTED]; Tue, 14 Oct 2008 10:27:35 -0400 (EDT)
> Oct 14 10:27:37 mail amavis[29316]: (29316-02) p.path BANNED:1 [EMAIL PROTECTED]: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=R46202.EXE.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=R46202.EXE, matching_key=(?i-xsm:.\\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$)
> Oct 14 10:27:40 mail amavis[29316]: (29316-02) local delivery: [EMAIL PROTECTED] - banned-quarantine, mbx=/var/lib/amavis/virusmails/banned-hGYdZ1Z2LT6e
>
> Basically it appears to scan the zip file I send via email and locate the 'R46202.EXE' embedded in the zip file; however, it still transmits the message rather than rejecting it.
>
> My question is what am I doing wrong or what do I need to do in order for Clamav to recognize that an archived attachment contains a banned file extension and to reject it immediately?

Basically you are contacting the wrong list, try the amavis list...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.
Re: [Clamav-users] Rejecting Executables in ZIP Files?
Carlos Williams wrote:
> My question is what am I doing wrong or what do I need to do in order for
> Clamav to recognize that an archived attachment contains a banned file
> extension and to reject it immediately?

If you want clamav to recognize exe files within zip files as infected you need to create a custom zmd signature.
See http://www.clamav.net/doc/latest/signatures.pdf - paragraph 2.4
Just set the filename field to something like .*\.zip$, encrypted to 0, whatever you like for the virusname and * for the remaining fields.

Take care,
-aCaB
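The .zmd signature layout that Steve's and aCaB's replies describe (VirusName:Encrypted:FileName:NormalSize:CSize:CRC32:CMethod:FileOffset:MaxDepth, per the signatures document aCaB links), as an added example that is not from either post or from ClamAV itself: a small Python evaluator that applies Steve's signature, plus a constructed catch-all `\.exe$` signature, to a zip built in memory. It enforces only the Encrypted and FileName fields (the other fields are accepted but ignored) and matches member names case-insensitively, which is this example's choice; it also shows that the double-extension pattern alone does not match the thread's R46202.EXE.

```python
import io
import re
import zipfile
from collections import namedtuple

# Constructed signature list: line 1 is Steve's signature from the thread, line 2 a constructed
# catch-all. Fields: VirusName:Encrypted:FileName:NormalSize:CSize:CRC32:CMethod:FileOffset:MaxDepth
ZMD_TEXT = r"""
Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*
Example.Blocked.Zip.AnyExe:*:\.exe$:*:*:*:*:*:*
"""
ZmdSignature = namedtuple("ZmdSignature", "name encrypted filename")

def parse_zmd(text):
    """Parse .zmd lines; this example enforces only the Encrypted and FileName fields."""
    sigs = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9 or fields[1] not in ("0", "1", "*"):
            raise ValueError(f"malformed .zmd line: {line}")
        # Case-insensitive matching is this example's choice (Windows ignores case).
        sigs.append(ZmdSignature(fields[0], fields[1], re.compile(fields[2], re.IGNORECASE)))
    return sigs

def member_matches(sig, member_name, is_encrypted):
    """Apply one signature to one member: Encrypted '0'/'1'/'*' = plain/encrypted/either."""
    if sig.encrypted != "*" and sig.encrypted != ("1" if is_encrypted else "0"):
        return False
    return sig.filename.search(member_name) is not None

def scan_zip(data, sigs):
    """Return (member, signature name) pairs for every member a signature matches."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            hits += [(info.filename, s.name) for s in sigs if member_matches(s, info.filename, encrypted)]
    return hits

def build_sample_zip():
    """Constructed sample: a text file, a double-extension exe and the thread's R46202.EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "harmless text")
        zf.writestr("invoice.doc.exe", b"MZ" + b"\0" * 16)
        zf.writestr("R46202.EXE", b"MZ" + b"\0" * 16)
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip(), parse_zmd(ZMD_TEXT))` reports invoice.doc.exe under both signatures but R46202.EXE only under the catch-all.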