Mark Martinec wrote the following on 5/22/2007 10:04 AM -0800:
> Bill,
>
>> Okay, then is there any reason to have amavisd-new break e-mail messages
>> up for individual parts scanning?
>
> Several virus scanners are not able to decode a MIME structure,
> or do a poor job at it, or can not decode certain types of
> archives or encodings. Careful decoding by amavisd can also
> protect virus scanners from mail bombs, e.g. recursive archives.

Well, hopefully clamav is up to the task of protecting itself from these types of exploits - only time will tell...

> MIME and archive decoding also provides information about
> mail structure and its components to banning rules (file names,
> file types, mime types), and to a bad MIME-header check.

Hmmm, hopefully I will not miss these additional capabilities. I'll be monitoring carefully for a while.

>> Would it make sense to disable parts scanning and just have
>> amavisd-new only pass the entire raw message to clamd for scanning?
>
> If you trust your virus scanner, and don't need extra
> information for banning rules, then sure, you may disable
> decodings by amavisd.
>
> Either disable decoders/dearchivers individually by
> adjusting @decoders list, or turn them off altogether
> by setting $bypass_decode_parts=1;
>
> Now with 2.5.1-pre1, the $bypass_decode_parts=1 also
> disables MIME decoding by MIME::Parser, and implicitly
> enables passing of a complete mail to virus scanners,
> which is what you are asking for.

I'm running 2.5.1-pre1 and for testing I have set the following relevant parts in my amavisd.config:
$bypass_decode_parts = 1;
$keep_decoded_original_re = 0;
# @keep_decoded_original_maps = (\$keep_decoded_original_re);

#@keep_decoded_original_maps = (new_RE(
#  qr'^MAIL$',                 # retain full original message for virus checking (can be slow)
#  qr'^MAIL-UNDECIPHERABLE$',  # recheck full mail if it contains undecipherables
#  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
## qr'^Zip archive data',      # don't trust Archive::Zip
#));

#@decoders = (
#  ['mail', \&do_mime_decode],
#  ['asc',  \&do_ascii],
#  ['uue',  \&do_ascii],
#  ['hqx',  \&do_ascii],
#  ['ync',  \&do_ascii],
#  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
#  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
#  ['gz',   \&do_gunzip],
#  ['gz',   \&do_uncompress, 'gzip -d'],
#  ['bz2',  \&do_uncompress, 'bzip2 -d'],
#  ['lzo',  \&do_uncompress, 'lzop -d'],
#  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
#  ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
#  ['tar',  \&do_pax_cpio, ['pax','gcpio','cpio'] ],
#  ['tar',  \&do_tar],
#  ['deb',  \&do_ar, 'ar'],
## ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
#  ['zip',  \&do_unzip],
#  ['rar',  \&do_unrar, ['rar','unrar'] ],
#  ['arj',  \&do_unarj, ['arj','unarj'] ],
#  ['arc',  \&do_arc, ['nomarch','arc'] ],
#  ['zoo',  \&do_zoo, 'zoo'],
#  ['lha',  \&do_lha, 'lha'],
## ['doc',  \&do_ole, 'ripole'],
#  ['cab',  \&do_cabextract, 'cabextract'],
#  ['tnef', \&do_tnef_ext, 'tnef'],
#  ['tnef', \&do_tnef],
#  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
#  ['7z',   \&do_7zip, ['7zr','7za','7z'] ],
#);

It appears to be working as planned.
Before upgrading:

Virus scanner output: p006: Worm.Dumaru.Y FOUND p005: Worm.Dumaru.Y FOUND

=====

After upgrading:

Virus scanner output: p001: Worm.Dumaru.Y FOUND

=====

And everything since:

Virus scanner output: p001: Trojan.Postcard.eml FOUND
Virus scanner output: p001: Exploit.Iframe-1 FOUND
Virus scanner output: p001: Worm.Mytob.MG FOUND
Virus scanner output: p001: Worm.Scano-6 FOUND
Virus scanner output: p001: Worm.Mydoom.M FOUND
Virus scanner output: p001: Worm.Dumaru.Y FOUND
Virus scanner output: p001: Html.Malware.Sanesecurity.07010800 FOUND
Virus scanner output: p001: Worm.Bagle.GV FOUND
Virus scanner output: p001: Worm.Mytob.KS FOUND
Virus scanner output: p001: Worm.Mydoom.I FOUND
Virus scanner output: p001: Worm.Nyxem.E FOUND
Virus scanner output: p001: Worm.Bagle-8-zippwd FOUND
Virus scanner output: p001: Worm.Lovgate.R FOUND
Virus scanner output: p001: Worm.Bagle.GV FOUND

=====

Thanks Mark, I'll let you know if I see anything strange since making the upgrade and amavisd.config changes.

Bill

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
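As an added example (not code from this thread, from Bill or Mark, or from amavisd-new itself), the Python below sketches the decoding step Mark describes and why it protects a scanner: it walks the MIME parts, unpacks nested zip archives under recursion-depth, part-count, compression-ratio and total-size limits so a recursive archive or a highly compressible "bomb" cannot exhaust the scanner, and records what a banning rule would see (part ids, file names, types). It also contrasts the two modes visible in the log excerpts above: every decoded part handed over individually versus the whole mail as a single p001 when decoding is bypassed. All limits, function names and the constructed sample message are assumptions for illustration, not amavisd tunables or real traffic.

```python
import email
import email.policy
import io
import zipfile
from dataclasses import dataclass
from email.message import EmailMessage

# Hypothetical limits for this example (amavisd-new has its own tunables).
MAX_DEPTH = 2                      # levels of archive-in-archive we will open
MAX_FILES = 50                     # decoded parts per mail
MAX_TOTAL_BYTES = 8 * 1024 * 1024  # decoded bytes per mail
MAX_RATIO = 100                    # uncompressed/compressed size per zip member


@dataclass
class Part:
    pid: str   # p001, p002, ... like the ids in "Virus scanner output: pNNN:" lines
    name: str  # file name (or MIME type when the part has none); used by banning rules
    kind: str
    size: int


def _expand(data, name, kind, depth, parts, problems):
    """Record one decoded part; if it is a zip, open it within the budget.
    Returns False when the whole-mail budget is exhausted and decoding must stop."""
    used = sum(p.size for p in parts)
    if len(parts) >= MAX_FILES or used + len(data) > MAX_TOTAL_BYTES:
        problems.append(f"{name}: part count or size budget exhausted, stopped")
        return False
    parts.append(Part(f"p{len(parts) + 1:03d}", name, kind, len(data)))
    if not data.startswith(b"PK\x03\x04"):
        return True                         # not a zip: nothing to unpack
    if depth >= MAX_DEPTH:
        # Kept as an opaque part and flagged, the way an undecipherable part would be.
        problems.append(f"{name}: archive nested deeper than {MAX_DEPTH}, not opened")
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                mname = f"{name}/{info.filename}"
                # Header-declared ratio catches the classic "file of zeros" bomb.
                if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                    problems.append(f"{mname}: compression ratio over {MAX_RATIO}, skipped")
                    continue
                # Never trust the declared size: read at most remaining+1 bytes.
                remaining = MAX_TOTAL_BYTES - sum(p.size for p in parts)
                with zf.open(info) as fh:
                    member = fh.read(remaining + 1)
                if len(member) > remaining:
                    problems.append(f"{mname}: decoded size budget exhausted, stopped")
                    return False
                if not _expand(member, mname, "zip member", depth + 1, parts, problems):
                    return False
    except zipfile.BadZipFile as exc:
        problems.append(f"{name}: undecipherable zip ({exc})")
    return True


def decode_message(raw):
    """Walk the MIME tree and unpack nested zips; returns (parts, problems)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts, problems = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or part.get_content_type()
        if not _expand(payload, name, part.get_content_type(), 0, parts, problems):
            break
    return parts, problems


def parts_for_scanner(raw, bypass_decode_parts=False):
    """What the scanner is handed: the whole mail as one p001 when decoding is
    bypassed (the $bypass_decode_parts=1 behaviour), otherwise every decoded part."""
    if bypass_decode_parts:
        return [Part("p001", "MAIL", "message/rfc822", len(raw))], []
    return decode_message(raw)


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample mail (not real traffic): a text body, a zip nested
    three deep, and a zip holding 2 MiB of zeros that deflates roughly 1000:1."""
    deepest = _zip_bytes({"payload.exe": b"MZ" + b"\x90" * 64})
    deeper = _zip_bytes({"deeper.zip": deepest})
    report = _zip_bytes({"inner.zip": deeper, "readme.txt": b"see attached"})
    bomb = _zip_bytes({"zeros.bin": b"\x00" * (2 * 1024 * 1024)})
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.")
    msg.add_attachment(report, maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(bomb, maintype="application", subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    parts, problems = parts_for_scanner(raw)
    for p in parts:
        print(p.pid, p.name, p.kind, p.size)
    print(problems)
    print(parts_for_scanner(raw, bypass_decode_parts=True)[0])
```

Run stand-alone it lists six decoded parts (report.zip/inner.zip/deeper.zip is recorded but not opened because it sits beyond MAX_DEPTH, and archive.zip/zeros.bin is skipped for its compression ratio), then shows the single p001 a scanner receives when decoding is bypassed. The read of at most remaining+1 bytes is the detail worth keeping: a zip header can declare any size it likes, so the budget has to be enforced on the bytes actually produced, not on the metadata.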
