Re: [AMaViS-user] Someone missed a virus..

Noel Jones Fri, 15 Jun 2007 16:15:36 -0700

At 05:18 PM 6/15/2007, Michael Scheidell wrote:

>I am not sure it works as expected:
>
>Jun 15 18:01:02 smtp1 amavis[35096]: (35096-07) Passed CLEAN,
>[204.89.241.173] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
>Message-ID: <[EMAIL PROTECTED]>,
>mail_id: fnMl3GaRqFpe, Hits: -, size: 625100, queued_as: 90DAB50242F,
>1371 ms
>
>I am whitelisted at that location, but should not affect banned
>attachments.


Hmm, just tested it here, didn't catch it for me either.  I could 
have sworn this worked before...

Ah, here's the problem...
# file test_document_with_EXE.doc
test_document_with_EXE.doc: Microsoft Installer

Eh???  Sure enough, file(1) reports all .doc files I tested (even 
without embedded stuff) as "Microsoft Installer".

(file-4.21 from FreeBSD ports)

Quick edit to /usr/local/sbin/amavisd...
--- amavisd.2.5.1       Fri Jun 15 18:02:10 2007
+++ amavisd     Fri Jun 15 18:07:31 2007
@@ -983,4 +983,5 @@
      [qr/^Rich Text Format data\b/       => 'rtf'],
      [qr/^Microsoft Office Document\b/i  => 'doc'],  # OLE2: doc, 
ppt, xls, ...
+    [qr/^Microsoft Installer\b/i  => 'doc'],  # OLE2: doc, ppt, xls, ...
      [qr/^ms-windows meta(file|font)\b/i => 'wmf'],
      [qr/^LaTeX\b.*\bdocument text\b/    => 'lat'],

And now it blocks it...
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type: 
multipart/mixed
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1 
Content-Type: text/plain, size: 14 B, name:
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2 
Content-Type: application/msword, size: 216576 B, name: 
test_document_with_EXE.doc
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1 
[EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed | 
P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc 
| P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe", 
matching_key="(?-xism:^\\.(exe-ms|dll)$)"


-- 
Noel Jones 


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] Someone missed a virus..

Reply via email to