Cross-posting to assp-user for user feedback please...

It can be used as a tactic to get nefarious files in email to take an exe, bat, or others, zip it up, and send it. As far as I know, ASSP will scan the base64 parts of an email, or perhaps just look at the filename attachment part in the content disposition, and block based on your known list. This does not block hidden files inside zip files.

The next step would be to pass it off to clam or some other scanner, which I believe uncompresses it, and then finds out what is inside of it. Any time anything hits an AV scanner, it is pretty deep into ASSP, and is going to come as a CPU hit, and a pretty hard one. I also worry about Zip Bombs (http://en.wikipedia.org/wiki/Zip_bomb). Zip Bombs are bad files hidden in zips, or zips crafted in a way to create recursive unzipping, that can bring a server to its knees.

I have used the below tactic for years, hit 2 false positives for nested zips in zips, which was promptly fixed, and have never once received a virus. This solved viruses if you are willing to block by attachment name, and does so with negligible CPU use/resources. To me, this is like 100% success with less than 1% CPU use, and happens first in line in the proxy, not last.

What if on the front end of ASSP, it took the attachment and:

    $ mkdir files

Copy a bunch of junk files into `files`:

    ATT00001
    ATT00001-1
    Default.aspx.html
    fooo/               <- contains all files within this directory
    mailstats.txt
    test.exe            <- Bad file, I want to block this

Now let's zip it up...

    $ cd ..
    $ zip files.zip files
    $ ls -la
       306 Feb 12 11:59 files
    615837 Feb 12 12:01 files.zip

Now we can look inside it, without even opening it... 65 files found, this is a lot because of how Mac OS X deals with resource forks and trying to maintain them with the "__MACOSX/" directory, which in this case is of no issue at all, just data files, no care. Output was too large, but here you are: http://pastie.org/822320

So now we can list it, let's look for patterns... (In this case, look for exe and html, case insensitive, just to illustrate how an OR can work.)

    $ unzip -l files.zip | egrep -i "\.exe|\.html"
    28096  02-12-10 09:55   files/Default.aspx.html
    28096  02-12-10 09:55   files/fooo/Default.aspx.html
     1554  02-12-10 10:42   files/fooo/test.exe
     1201  02-12-10 10:42   __MACOSX/files/fooo/._test.exe
     1554  02-12-10 10:42   files/test.exe
     1201  02-12-10 10:42   __MACOSX/files/._test.exe

Seems to have found all the hits we wanted. If you want to be Mac OS X pretty (for the logs), and ignore the files that could not hurt (but in reality, a crafty person could exploit the "__MACOSX" if the OS is not prepared for it, though I suspect it is...):

    $ unzip -l files.zip | grep -v "__MACOSX/files" | egrep -i "\.exe|\.html"
    28096  02-12-10 09:55   files/Default.aspx.html
    28096  02-12-10 09:55   files/fooo/Default.aspx.html
     1554  02-12-10 10:42   files/fooo/test.exe
     1554  02-12-10 10:42   files/test.exe

In this case, we had hits on not only the main files but all the subdirectories of files. If you were to sprinkle a little recursion into the unzip command, or there may be a flag for -l that also will -l sub zips, then we could take this to nested zips inside even more zips. If the resulting output was more than perhaps 5000 files, abort so there is no chance of runaway.

I think that is it, should be pretty easy to convert to perl, and replace the current method, which I do not believe looks inside the zip file attachment. If ASSP does look inside, then ignore the post entirely :)

Interested in your feedback.

-- Scott
* If you contact me off list replace talklists@ with scott@ *

_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test
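Added example, not from the post and not ASSP's own code: the listing-only check above carried into nested zips and bounded by the post's 5000-entry abort, using Python's standard zipfile module. Assumed here are the block list (exe, bat, html), the 8 MiB cap on inner zips loaded into memory, the nesting depth limit, and the constructed sample archive.

```python
import io
import re
import zipfile

# Assumed block list; the post uses exe and html to illustrate an OR.
BLOCKED = re.compile(r"\.(exe|bat|html)$", re.IGNORECASE)
MAX_ENTRIES = 5000                   # the post's runaway guard
MAX_NESTED_BYTES = 8 * 1024 * 1024   # assumption: cap inner zips we load


def scan_zip_bytes(data, max_entries=MAX_ENTRIES, max_depth=5):
    """Return (blocked_names, entries_seen, aborted).
    Only the central directory is consulted, as `unzip -l` does; a member
    body is read (into memory, size-capped) only when it is itself a zip.
    """
    blocked, total = [], 0
    stack = [(data, "", 0)]          # (zip bytes, name prefix, nesting depth)
    while stack:
        blob, prefix, depth = stack.pop()
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            continue                 # not a real zip: nothing to list
        for info in zf.infolist():
            total += 1
            if total > max_entries:
                return blocked, total, True   # abort: possible bomb
            name = prefix + info.filename
            if info.is_dir() or "__MACOSX/" in name:
                continue             # resource-fork copies carry no payload
            if BLOCKED.search(name):
                blocked.append(name)
            elif name.lower().endswith(".zip") and depth < max_depth:
                if info.file_size > MAX_NESTED_BYTES:
                    return blocked, total, True   # declared size too big
                stack.append((zf.read(info), name + "!/", depth + 1))
    return blocked, total, False


def build_sample():
    """Constructed input mirroring the post: html, a __MACOSX ghost, nested exe."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("fooo/test.exe", b"MZ constructed")
        z.writestr("fooo/mailstats.txt", b"ok")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("files/Default.aspx.html", b"<html>")
        z.writestr("__MACOSX/files/._test.exe", b"fork")
        z.writestr("files/ATT00001", b"plain")
        z.writestr("files/inner.zip", inner.getvalue())
    return outer.getvalue()
```

Calling scan_zip_bytes(build_sample()) reports the html file and the exe inside the nested zip without extracting anything to disk; lowering max_entries makes the abort path fire instead.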
