Thomas M Steenholdt skrev den 2015-03-11 20:17:
Having only just heard of foxhole signatures it looks like ClamAV will
to check for various filetypes within certain archives. Is that
correct?
yes, it unpacks all possible archives, and then try to match files types
after unpack, thats why i think you can use it with amavisd, possible
maps signatures in clamav to spamscore in amavisd so it just detection,
but imho this part is not needed to mangle since it is fair detection,
send a exe and it will not be blocked in foxhole, but send a exe packed
in zip will
Do you have a reference page on the topic you can recommend?
http://sanesecurity.com/foxhole-databases/
I'm not entirely sold on the idea, that I would need to fire up an AV
scanner to block attachments in an attached mail. I mean, Amavis has
the
code loaded to handle the "outer" mail already. It should be able to
use
the exact same code to handle the "inner" mail as well?
yes, but it does imho not do it recursive, with is why i say foxhole :=)
In case I wasn't clear, I want banned files inside the attached
mail-file to be banned exactly as if they had been attached directly to
the "outer" mail.
yep this can be done with clamav+foxhole+amavisd where you maps clamav
signatures to spam score, amavisd cant imho unpack and match recursive
enough to make the same hits possible, but this depends on file(util)
and how unpack and scanning is configured in amavisd
remember amavisd is not a virus scanner its a nice interface for virus /
spam scanners
