Hi
I've looked around the list archives, and the readme files, but have only
found general pointers to this problem. Basically I want to allow certain
when they are included in a zip file, but not if they are attached directly.
I am using Debian, which breaks the configuration files into separate
areas under /etc/amavid/conf.d: 01-debian/ 05-domain_id/
05-node_id/ 15-av_scanners/ 15-content_filter_mode/
20-debian_defaults/ 25-amavis_helpers/ 30-template_localization/
50-user/ 51-my_overides/
These files are read in order to by the daemon start-stop script.
51-my_overides/ is a copy of 20-debian_defaults/ with some changes.
I have proven this file is being read (by altering the $virus_admin
variable).
Below is the relevant section of my configuration, basically straight
from the conf.example file with a couple of lines uncommented. (Note
that the Debian config used the older $banned_filename_re, which is
disabled at the bottom of the section per the example).
I would expect the rule-7 bit to allow an exe file to be allowed within
a zip file, however, I don't see the effect I hoped for. Logfile
entry follows after the config snippet:
$banned_namepath_re = new_RE(
# block these MIME types
qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
# # block rfc2046 MIME types
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi,
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi,
# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm,
# # within traditional Unix compressions allow any name and type
[ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ], # allow
# within traditional Unix archives allow any name and type
[ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow
# # block anything within a zip
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,
# block certain double extensions in filenames
qr'(?# BLOCK DOUBLE-EXTENSIONS )
^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
# # block Class ID (CLSID) extensions in filenames
# qr'(?# BLOCK CLSID-EXTENSIONS )
# ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?
[^\t\n]* (\t.*)? $'xmi,
# # banned declared names with three or more consecutive spaces
# qr'(?# BLOCK NAMES WITH SPACES )
# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,
# # within PC archives allow any types or names at any depth
[ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok
# # within certain archives allow leaf members at any depth if crypted
# [ qr'(?# ALLOW ENCRYPTED )
# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
# # allow crypted leaf members regardless of their name or type
# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
# # block if any component can not be decoded (is encrypted or bad archive)
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,
# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
# \t(.*\t)* N=example\d+[^\t\n]*
# (\t.*)? $'xmi => 0 ],
# banned filename extensions (in declared names) anywhere - basic
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
# # banned filename extensions (in declared names) anywhere - long
# qr'(?# BLOCK MORE NAME EXTENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (
# ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh) (\t.*)? $'xmi,
# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,
[ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
=> 'DISCARD' ],
# [ qr'(?# BLOCK EMPTY MIME PARTS )
# ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],
qr'(?# BLOCK Microsoft EXECUTABLES )
^ (.*\t)? T=exe-ms (\t.*)? $'xm, # banned file(1) type
# qr'(?# BLOCK ANY EXECUTABLE )
# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type
# qr'(?# BLOCK THESE TYPES )
# ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types
);
# use old or new style of banned lookup table; not both to avoid confusion
#
@banned_filename_maps = (); # to disable old-style
# $banned_namepath_re = undef; # to disable new-style
%banned_rules = (
'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives
qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary
),
'DEFAULT' => $banned_filename_re,
);
Log file entry:
Mar 29 15:45:26 server amavis[14485]: (14485-04) Blocked BANNED
(P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip |
P=p0
04,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe), LOCAL
[192.168.15.9] [192.168.15.9] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
quarantine:
banned-39Jkl88fxqey, Message-ID: <[EMAIL PROTECTED]>, mail_id: 39Jkl88fxqey,
Hits: -, 541 ms
Mar 29 15:45:26 server postfix/smtp[14235]: 5EFD120C082: to=<[EMAIL
PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10024, delay=49, delays=48/0/0/0.54,
dsn=2.7.1, status=sent (2
54 2.7.1 Ok, discarded, id=14485-04 - BANNED: P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1....)
Regards
Richard
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
