RE: Virus scanning (was RE: Matchers & X Window)
> After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC > link I see what it is all about. For those who don't understand, yet, this might help: http://www.halley.cc/ed/linux/newcomer/filename.html > is there any formal or informal organization that keeps a list > like that up to date? Christos Zoulas (christos astron com) is the current maintainer. The latest code is available from ftp://ftp.astron.com/pub/file. > 1) Should a mailet or a matcher like IsInfected scan everything or not. > if the A/V program like MCAfee's Virusscan allows the user to choose > whether or not scan everything or just "dangerous" extensions or > choosen extensions, it is up to the user. Agreed. But as Danny says, if there were a virus scanner as part of the James distribution, the default should be as strict as possible. I suggest that you consider doing the same in your examples, although hopefully your legal liability is limited in Italy. > 2) Should it identify "malformations" in a message, including innocent > or "guilty" alterations of the extension / MIME type / magic matching, > but not excluding other checks. > should be done in a kind of IsMalformed matcher or CheckCompliance mailet And can be done in native Java code, if someone does the port, without having to go through the overhead involved in the external anti-virus scan. --- Noel - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Virus scanning (was RE: Matchers & X Window)
> Try telling a Mac-user (or a Unix-user) that he *must* put a > file-extension on the filename ;-) If there isn't an extension, then it doesn't need to match. :-) > As far as I know, only Windows and VMS require a file extension in the > filename. Actually, that's part of the problem. Although the "front end" of Windows cares about extensions, if I recall correctly, the loader only cares about the file format. For example, you could hack the registry to and create a new executable file extension fairly easily. --- Noel - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Virus scanning (was RE: Matchers & X Window)
After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC link I see what it is all about. But is there any formal or informal organization that keeps a list like that up to date? Regarding the discussion on this thread, I think that there are two different issues here: 1) Should a mailet or a matcher like IsInfected scan everything or not. 2) Should it identify "malformations" in a message, including innocent or "guilty" alterations of the extension / MIME type / magic matching, but not excluding other checks. Regarding point 1), as a user I prefer to scan everything, but if the A/V program like MCAfee's Virusscan allows the user to choose whether or not scan everything or just "dangerous" extensions or choosen extensions, it is up to the user. As the matcher/mailet has to offload the attachment to a directory to have the A/V do that, having it look at the extension is only a matter of performance (why offload a JPEG if later on I ask the A/V to ignore it?). Currently IsInfected offloads everything and what to do is left to the command line string passed to the A/V, so I think it is safe and could be made more performing. Point 2) instead should be done in a kind of IsMalformed matcher or CheckCompliance mailet, whose outcome can be used in config.xml to take an appropriate action. As its operation could require an overhead already used in the IsInfected or equivalent matcher or mailet, it is again only a matter of performance doing such work only once while scanning for viruses. Vincenzo > -Original Message- > From: Vincenzo Gianferrari Pini > [mailto:[EMAIL PROTECTED] > Sent: domenica 22 giugno 2003 10.23 > To: James Users List > Subject: RE: Virus scanning (was RE: Matchers & X Window) > > > This "magic number" topic is quite new to me :-) > > I've looked aroung with Google, but didn't find any link really > explaining what it's all about. Do you have any good one to suggest? > > Thanks, > > Vincenzo > > > -Original Message- > > From: Noel J. Bergman [mailto:[EMAIL PROTECTED] > > Sent: domenica 22 giugno 2003 1.01 > > To: James Users List > > Subject: RE: Virus scanning (was RE: Matchers & X Window) > > > > > > > > I would check MIME type, file extension, and most importantly the > > > > magic, to make sure that they all match. Any failure to match > > > > would be suspect, regardless of what the A/V program says. I > > > > think you misunderstood my earlier point. > > > > > In truth I must have done, I *still* wouldn't like to trust that those > > > things weren't being hijacked though, even the magic. > > > > Exactly. So if an attachment has MIME type T then it should have > > one of the > > known extensions for MIME type T and it should have the correct > > magic. That > > way if an attachment claims to be MIME type "image/jpeg", then it > > must have > > an extension of .jpeg, jpg or jpe, AND have a magic value of > > 0xFFD8FFE0JFIF0x00. If it has a magic value of something else, e.g., > > 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus > > scan*. A simple set of magic is: > > > > Format Magic > > PNG 0xD3PNG > > GIF GIF89a > > JPEG0xFFD8FFE0JFIF0x00 > > ELF 0x7FELF > > Windows .EXEMZ > > > > /usr/share/[misc/]magic has a collected set to use with the file command > > (Windows users, see: > http://www.alaska.net/~royce/pub/solaris/MAGIC). The > > pertinent aspects of the file command could be re-implemented in Java. > > > > The purpose would be to prevent someone from slipping an > > executable by as a > > non-executable, since most operating systems load by magic, not > > extension or > > MIME type. > > > > --- Noel > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Virus scanning (was RE: Matchers & X Window)
Noel J. Bergman wrote: I would check MIME type, file extension, and most importantly the magic, to make sure that they all match. Any failure to match would be suspect, regardless of what the A/V program says. I think you misunderstood my earlier point. In truth I must have done, I *still* wouldn't like to trust that those things weren't being hijacked though, even the magic. Exactly. So if an attachment has MIME type T then it should have one of the known extensions for MIME type T and it should have the correct magic. That way if an attachment claims to be MIME type "image/jpeg", then it must have an extension of .jpeg, jpg or jpe, [snip] Try telling a Mac-user (or a Unix-user) that he *must* put a file-extension on the filename ;-) As far as I know, only Windows and VMS require a file extension in the filename. But I think we are all talking about the same thing, all parts have to be scanned, and a general mailet should not (even cannot) have any knowledge of the specifics of it. /tobe - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Virus scanning (was RE: Matchers & X Window)
This "magic number" topic is quite new to me :-) I've looked aroung with Google, but didn't find any link really explaining what it's all about. Do you have any good one to suggest? Thanks, Vincenzo > -Original Message- > From: Noel J. Bergman [mailto:[EMAIL PROTECTED] > Sent: domenica 22 giugno 2003 1.01 > To: James Users List > Subject: RE: Virus scanning (was RE: Matchers & X Window) > > > > > I would check MIME type, file extension, and most importantly the > > > magic, to make sure that they all match. Any failure to match > > > would be suspect, regardless of what the A/V program says. I > > > think you misunderstood my earlier point. > > > In truth I must have done, I *still* wouldn't like to trust that those > > things weren't being hijacked though, even the magic. > > Exactly. So if an attachment has MIME type T then it should have > one of the > known extensions for MIME type T and it should have the correct > magic. That > way if an attachment claims to be MIME type "image/jpeg", then it > must have > an extension of .jpeg, jpg or jpe, AND have a magic value of > 0xFFD8FFE0JFIF0x00. If it has a magic value of something else, e.g., > 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus > scan*. A simple set of magic is: > > Format Magic > PNG 0xD3PNG > GIF GIF89a > JPEG0xFFD8FFE0JFIF0x00 > ELF 0x7FELF > Windows .EXEMZ > > /usr/share/[misc/]magic has a collected set to use with the file command > (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC). The > pertinent aspects of the file command could be re-implemented in Java. > > The purpose would be to prevent someone from slipping an > executable by as a > non-executable, since most operating systems load by magic, not > extension or > MIME type. > > --- Noel > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Virus scanning (was RE: Matchers & X Window)
> > I would check MIME type, file extension, and most importantly the > > magic, to make sure that they all match. Any failure to match > > would be suspect, regardless of what the A/V program says. I > > think you misunderstood my earlier point. > In truth I must have done, I *still* wouldn't like to trust that those > things weren't being hijacked though, even the magic. Exactly. So if an attachment has MIME type T then it should have one of the known extensions for MIME type T and it should have the correct magic. That way if an attachment claims to be MIME type "image/jpeg", then it must have an extension of .jpeg, jpg or jpe, AND have a magic value of 0xFFD8FFE0JFIF0x00. If it has a magic value of something else, e.g., 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus scan*. A simple set of magic is: Format Magic PNG 0xD3PNG GIF GIF89a JPEG0xFFD8FFE0JFIF0x00 ELF 0x7FELF Windows .EXEMZ /usr/share/[misc/]magic has a collected set to use with the file command (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC). The pertinent aspects of the file command could be re-implemented in Java. The purpose would be to prevent someone from slipping an executable by as a non-executable, since most operating systems load by magic, not extension or MIME type. --- Noel - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Virus scanning (was RE: Matchers & X Window)
Noel, Yeah thats exactly the kind of thing, now I think of it. d. > I would check MIME type, file extension, and most importantly the > magic, to > make sure that they all match. Any failure to match would be suspect, > regardless of what the A/V program says. I think you misunderstood my > earlier point. In truth I must have done, I *still* wouldn't like to trust that those things weren't being hijacked though, even the magic. Or I should say that I might take that decision/risk for myself but wouldn't want to release software that contained the assumtion, particularly not anti-virus software. d.
