[Mimedefang] exe in defective zip attachments getting through mimedefang

2010-01-14 Thread Cliff Hayes
Hello,

We're getting the standard UPS attachment scam.  An exe is inside a zip
file.

Mimedefang catches most of these but it misses a few.  I decided to track
one of the few through mimedefang and found out why in mimedefang.pl.

if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
through.  From what I could find out, if Archive::Zip doesn't return AZ_OK
then there is a problem with the zip file.  I'd rather block defective zip
files than let them through.  In the code below, I substituted return 0;
with else { return 1; } and that solved my problem.  Now good zips still
go through, zips with exes get replaced with a warning, and defective ones (hacked,
I'm assuming) get replaced with warnings too.  I'm surprised that standard
procedure is to let defective zips through.  Or am I understanding this
wrong?

Thanks,  Cliff

sub re_match_in_zip_directory ($$) {
    my($zipname, $regexp) = @_;
    unless ($Features{"Archive::Zip"}) {
        md_syslog('err', "$MsgID: Attempted to use re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
        return 0;
    }
    my $zip = Archive::Zip->new();

    # Prevent carping about errors
    Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);
    if ($zip->read($zipname) == AZ_OK()) {
        foreach my $member ($zip->members()) {
            my $file = $member->fileName();
            return 1 if ($file =~ /$regexp/i);
        }
    }
    else {
        # Changed from the stock "return 0;": an archive Archive::Zip cannot
        # read now counts as a match (blocked) instead of being let through.
        return 1;
    }
    # Archive read fine and no member name matched.  The explicit return is
    # needed: a sub that ends in a foreach has an unspecified return value.
    return 0;
}

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] exe in defective zip attachments getting through mimedefang

2010-01-14 Thread Dave O'Neill

On Thu, Jan 14, 2010 at 10:54:14AM -0600, Cliff Hayes wrote:

> if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
> through.  From what I could find out, if Archive::Zip doesn't return AZ_OK
> then there is a problem with the zip file.  I'd rather block defective zip
> files than let them through.  In the code below, I substituted return 0;
> with else { return 1; } and that solved my problem.  Now good zips still
> go through, zips with exes get replaced with a warning, and defective ones (hacked,
> I'm assuming) get replaced with warnings too.  I'm surprised that standard
> procedure is to let defective zips through.  Or am I understanding this
> wrong?


What value is ->read() returning?  It might be nice to check the status
value and determine if it's failing due to a corrupt zip file, or simply
due to a zip format that Archive::Zip doesn't recognize.


If you can grab a sample of the zip in question and send it to me 
offlist, I'll take a look.


Cheers,
Dave
--
Dave O'Neill d...@roaringpenguin.com    Roaring Penguin Software Inc.
+1 (613) 231-6599    http://www.roaringpenguin.com/
For CanIt technical support, please mail: supp...@roaringpenguin.com
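The two points of the thread, Cliff's fail-open path (an archive Archive::Zip cannot read is let through) and Dave's request to look at what ->read() actually returns, worked through as an added example. This is not code from mimedefang.pl or from either poster; it is a stand-alone Perl script that uses only Archive::Zip's documented API (new, read, members, fileName, the :ERROR_CODES constants and setErrorHandler). The function name inspect_zip, the verdict strings, the sample pattern for executable extensions and the three archives it writes to a temp directory are all constructed for the demonstration. A filter would call something like inspect_zip from mimedefang-filter and map both the 'match' and the 'unreadable' verdicts to the same replace-with-warning action the thread describes (mimedefang's action_replace_with_warning), while the 'unreadable' detail goes to the log.

```perl
#!/usr/bin/perl
# Added example (not mimedefang.pl code): fail-closed zip inspection that
# reports *why* Archive::Zip rejected an archive instead of discarding it.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempdir);

# Map Archive::Zip status codes back to their names for logging.
my %AZ_NAME = (
    AZ_OK()           => 'AZ_OK',
    AZ_STREAM_END()   => 'AZ_STREAM_END',
    AZ_ERROR()        => 'AZ_ERROR',
    AZ_FORMAT_ERROR() => 'AZ_FORMAT_ERROR',
    AZ_IO_ERROR()     => 'AZ_IO_ERROR',
);

# Capture the library's error text instead of silently dropping it the way
# a dummy error handler does.
my $last_zip_error = '';
Archive::Zip::setErrorHandler(sub { $last_zip_error = join('', @_); });

# Hypothetical helper.  Returns one of:
#   ('match', $member_name)        a member name matched $regexp
#   ('clean', '')                  archive read fine, nothing matched
#   ('unreadable', "$code: $msg")  Archive::Zip could not parse the file
# Treating 'unreadable' like 'match' is the fail-closed behaviour Cliff wants;
# the code name tells you whether it was a malformed file or an I/O problem.
sub inspect_zip {
    my ($zipname, $regexp) = @_;
    $last_zip_error = '';
    my $zip    = Archive::Zip->new();
    my $status = $zip->read($zipname);
    if ($status != AZ_OK()) {
        my $name = $AZ_NAME{$status} // "code $status";
        return ('unreadable', "$name: $last_zip_error");
    }
    foreach my $member ($zip->members()) {
        my $file = $member->fileName();
        return ('match', $file) if $file =~ /$regexp/i;
    }
    return ('clean', '');
}

# --- constructed samples, written to a temp dir (not real attachments) ---
my $dir = tempdir(CLEANUP => 1);

sub write_sample {
    my ($path, @names) = @_;
    my $z = Archive::Zip->new();
    $z->addString("placeholder content", $_) for @names;
    $z->writeToFileNamed($path) == AZ_OK() or die "cannot write $path";
}

write_sample("$dir/good.zip", "invoice.txt");
write_sample("$dir/bad.zip",  "UPS_label.exe");

# "Defective" archive: only the first 40 bytes of good.zip, so the central
# directory that Archive::Zip needs to list members is missing.
{
    open(my $in,  '<:raw', "$dir/good.zip")      or die $!;
    open(my $out, '>:raw', "$dir/truncated.zip") or die $!;
    read($in, my $buf, 40);
    print {$out} $buf;
    close $in;
    close $out;
}

# Sample pattern (constructed); the thread's stock check only looks for exe.
my $exe_re = '\.(exe|scr|pif|com)$';

for my $f (qw(good.zip bad.zip truncated.zip nonexistent.zip)) {
    my ($verdict, $detail) = inspect_zip("$dir/$f", $exe_re);
    my $action = $verdict eq 'clean' ? 'allow' : 'replace with warning';
    printf "%-16s %-10s %-22s %s\n", $f, $verdict, $action, $detail;
}
```

Only good.zip is allowed; the executable, the truncated file and the missing file are all replaced, and the last column shows the Archive::Zip code name and message for the unreadable ones. That is the distinction Dave is after: an AZ_FORMAT_ERROR on a truncated or malformed file supports Cliff's assumption that the archive was tampered with, whereas a legitimate archive in a format Archive::Zip does not understand would also show up under this verdict, and the logged detail is how you would notice that and decide whether an exception is warranted. Doing this in the filter rather than by editing mimedefang.pl also keeps the change from being overwritten on the next upgrade.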