Hi, I've looked around the list archives and the readme files, but have only found general pointers to this problem. Basically I want to allow certain files when they are included in a zip file, but not if they are attached directly.
I am using Debian, which breaks the configuration files into separate areas under /etc/amavis/conf.d:

  01-debian/
  05-domain_id/
  05-node_id/
  15-av_scanners/
  15-content_filter_mode/
  20-debian_defaults/
  25-amavis_helpers/
  30-template_localization/
  50-user/
  51-my_overides/

These files are read in order by the daemon start-stop script. 51-my_overides/ is a copy of 20-debian_defaults/ with some changes. I have proven this file is being read (by altering the $virus_admin variable).

Below is the relevant section of my configuration, basically straight from the conf.example file with a couple of lines uncommented. (Note that the Debian config used the older $banned_filename_re, which is disabled at the bottom of the section per the example.) I would expect the rule-7 bit to allow an exe file within a zip file; however, I don't see the effect I hoped for. The logfile entry follows after the config snippet:

$banned_namepath_re = new_RE(

# block these MIME types
  qr'(?#NO X-MSDOWNLOAD)    ^(.*\t)? M=application/x-msdownload    (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM) ^(.*\t)? M=application/x-msdos-program (\t.*)? $'xmi,
  qr'(?#NO HTA)             ^(.*\t)? M=application/hta             (\t.*)? $'xmi,

# # block rfc2046 MIME types
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial       (\t.*)? $'xmi,
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf              (\t.*)? $'xmi,
# qr'(?#No Metafile file) ^(.*\t)? T=wmf                      (\t.*)? $'xm,

# # within traditional Unix compressions allow any name and type
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ],  # allow

# within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

# # block anything within a zip
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,

# block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
       (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

# # block Class ID (CLSID) extensions in filenames
# qr'(?# BLOCK CLSID-EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?
#      [^\t\n]* (\t.*)? $'xmi,

# # banned declared names with three or more consecutive spaces
# qr'(?# BLOCK NAMES WITH SPACES ) ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,

# # within PC archives allow any types or names at any depth
  [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ],  # ok

# # within certain archives allow leaf members at any depth if crypted
# [ qr'(?# ALLOW ENCRYPTED )
#    ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # allow crypted leaf members regardless of their name or type
# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # block if any component can not be decoded (is encrypted or bad archive)
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,

# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
#    \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
#    \t(.*\t)* N=example\d+[^\t\n]*
#    (\t.*)? $'xmi => 0 ],

# banned filename extensions (in declared names) anywhere - basic
  qr'(?# BLOCK COMMON NAME EXENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,

# # banned filename extensions (in declared names) anywhere - long
# qr'(?# BLOCK MORE NAME EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \. (
#      ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#      inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#      ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#      wmf|wsc|wsf|wsh) (\t.*)? $'xmi,

# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,

  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
    => 'DISCARD' ],
# [ qr'(?# BLOCK EMPTY MIME PARTS )
#      ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],

  qr'(?# BLOCK Microsoft EXECUTABLES ) ^ (.*\t)? T=exe-ms (\t.*)? $'xm,  # banned file(1) type
# qr'(?# BLOCK ANY EXECUTABLE )        ^ (.*\t)? T=exe    (\t.*)? $'xm,  # banned file(1) type
# qr'(?# BLOCK THESE TYPES ) ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm,  # banned file(1) types
);

# use old or new style of banned lookup table; not both to avoid confusion
# @banned_filename_maps = ();   # to disable old-style
# $banned_namepath_re = undef;  # to disable new-style

%banned_rules = (
  'MYNETS-DEFAULT' => new_RE(  # permissive set of rules for internal hosts
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any name/type in Unix archives
    qr'.\.(vbs|pif|scr)$'i,           # banned extension - rudimentary
  ),
  'DEFAULT' => $banned_filename_re,
);

Log file entry:

Mar 29 15:45:26 server amavis[14485]: (14485-04) Blocked BANNED (P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe), LOCAL [192.168.15.9] [192.168.15.9] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine: banned-39Jkl88fxqey, Message-ID: <[EMAIL PROTECTED]>, mail_id: 39Jkl88fxqey, Hits: -, 541 ms

Mar 29 15:45:26 server postfix/smtp[14235]: 5EFD120C082: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10024, delay=49, delays=48/0/0/0.54, dsn=2.7.1, status=sent (254 2.7.1 Ok, discarded, id=14485-04 - BANNED: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1....)

Regards
Richard
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
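The check a practitioner would want for the question above is to find out which rule in $banned_namepath_re fires first for the blocked part, since amavisd walks the list in order and the first matching rule decides the verdict. The script below is an added example, not part of the post and not amavisd's own code: it copies the uncommented rules from the post into Python (Perl's qr''xmi becomes re.X | re.M | re.I) and replays them against the namepath from the log entry. Two assumptions are labelled in the code: the real namepath string joins a part's attributes with a tab and the parts with a newline (as the amavisd sample config describes), so the log's "," and " | " rendering is reversed to rebuild it, and the "setup.exe" variants are constructed inputs. The simulation shows that for the version-numbered name in the log the BLOCK DOUBLE-EXTENSIONS rule matches before rule-7 is ever reached, because "1.0.3-install.exe" contains a dotted component before the final ".exe", and that moving rule-7 ahead of it changes the verdict.

```python
import re

# Rules copied from the $banned_namepath_re block in the post (only the ones
# that are not commented out), in the same order. Perl qr''xmi maps to
# re.X | re.M | re.I; "BLOCK Microsoft EXECUTABLES" is 'xm' in the post and
# therefore stays case-sensitive. Verdicts: 0 = allow, 1 = ban, 'DISCARD'.
XMI = re.X | re.M | re.I
XM = re.X | re.M

RULES = [
    ("NO X-MSDOWNLOAD",    r"^(.*\t)? M=application/x-msdownload    (\t.*)? $", XMI, 1),
    ("NO X-MSDOS-PROGRAM", r"^(.*\t)? M=application/x-msdos-program (\t.*)? $", XMI, 1),
    ("NO HTA",             r"^(.*\t)? M=application/hta             (\t.*)? $", XMI, 1),
    ("rule-3", r"^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $", XMI, 0),
    ("rule-4", r"^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $", XMI, 0),
    ("BLOCK DOUBLE-EXTENSIONS",
     r"^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \."
     r" (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $", XMI, 1),
    ("rule-7", r"^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $", XMI, 0),
    ("BLOCK COMMON NAME EXENSIONS",
     r"^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $", XMI, 1),
    ("BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM",
     r"^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $", XMI, "DISCARD"),
    ("BLOCK Microsoft EXECUTABLES", r"^ (.*\t)? T=exe-ms (\t.*)? $", XM, 1),
]

COMPILED = [(name, re.compile(pat, flags), verdict)
            for name, pat, flags, verdict in RULES]


def namepath_from_log(display):
    """Rebuild the namepath string from the form amavisd prints in the log.

    Assumption (from the amavisd sample config, not from the post): the real
    string joins each part's attributes with a tab and the parts with a
    newline; the log shows tabs as ',' and part boundaries as ' | '.
    A declared name containing a comma would need the real string instead.
    """
    parts = [p.strip() for p in display.split(" | ")]
    return "\n".join("\t".join(p.split(",")) for p in parts)


def first_match(namepath, rules=COMPILED):
    """Return (rule name, verdict) for the first rule that matches, or
    (None, 0) when none does (amavisd treats that as not banned)."""
    for name, rx, verdict in rules:
        if rx.search(namepath):
            return name, verdict
    return None, 0


def reorder(rules, name, before):
    """Copy of `rules` with rule `name` moved directly in front of `before`."""
    moved = next(r for r in rules if r[0] == name)
    rest = [r for r in rules if r[0] != name]
    idx = next(i for i, r in enumerate(rest) if r[0] == before)
    return rest[:idx] + [moved] + rest[idx:]


# The blocked path copied from the log entry in the post.
OPENVPN_IN_ZIP = namepath_from_log(
    "P=p003,L=1,M=multipart/mixed | "
    "P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip | "
    "P=p004,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe")

# Constructed variants: a plainly named .exe inside a zip, and the same .exe
# attached directly (no archive level at all).
PLAIN_IN_ZIP = namepath_from_log(
    "P=p003,L=1,M=multipart/mixed | "
    "P=p002,L=1/2,M=application/x-zip,T=zip,N=setup.zip | "
    "P=p004,L=1/2/1,T=exe,T=exe-ms,N=setup.exe")
DIRECT_EXE = namepath_from_log(
    "P=p003,L=1,M=multipart/mixed | "
    "P=p002,L=1/2,M=application/x-msdownload,T=exe,T=exe-ms,N=setup.exe")

if __name__ == "__main__":
    for label, path in [("openvpn .exe in zip", OPENVPN_IN_ZIP),
                        ("setup.exe in zip", PLAIN_IN_ZIP),
                        ("setup.exe attached directly", DIRECT_EXE)]:
        print(f"{label:28} -> {first_match(path)}")
    moved = reorder(COMPILED, "rule-7", "BLOCK DOUBLE-EXTENSIONS")
    print(f"{'openvpn, rule-7 moved up':28} -> {first_match(OPENVPN_IN_ZIP, moved)}")
```

Running it prints which rule decides each path: the openvpn member is caught by BLOCK DOUBLE-EXTENSIONS, a single-extension name inside the zip reaches rule-7 and is allowed, and the directly attached executable is banned by the first MIME-type rule, which is the split the post is after. The reordering call is there to make the ordering effect visible, not as a recommendation: placing rule-7 ahead of the double-extension rule means that rule no longer inspects anything inside a zip, so whether that trade-off is acceptable is a policy decision for the site.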