Scott,
V1 has only in rare cases (MaxBytes) the complete mail in memory. It is not
possible to unzip/untar/ungz/unlha ... an incomplete attachment.
V2 has the AFC-Plugin, which is called at the 'complete mail' level,
where it is possible to implement your script (or any other) in a filescanner
command.
Thomas
-----Scott Haneda <[email protected]> wrote: -----
To: ASSP development mailing list <[email protected]>
From: Scott Haneda <[email protected]>
Date: 12.02.2010 22:08
Cc: For Users of ASSP <[email protected]>
Subject: [Assp-test] Feature request, if not already implemented, fast zip file scanning for bad files/virus
Cross-posting to ass-user for user feedback please...
It can be used as a tactic to get nefarious files in email to take an exe, bat,
or others, zip it up, and send it. As far as I know, ASSP will scan the
base64 parts of an email, or perhaps just look at the filename attachment part
in the content disposition, and block based on your known list.
This does not block hidden files inside zip files.
The next step would be to pass it off to clam or some other scanner, which I
believe uncompress it, and then finds out what is inside of it. Any time
anything hits an AV scanner, it is pretty deep into ASSP, and is going to come
as a CPU hit, and a pretty hard one.
I also worry about http://en.wikipedia.org/wiki/Zip_bomb
Zip Bombs are bad files hidden in zips, or zips crafted in a way to create
recursive unzipping, that can bring a server to its knees.
I have used the below tactic for years, hit 2 false positives for nested zips
in zips, which was promptly fixed, and have never once received a virus. This
solved viruses if you are willing to block by attachment name, and does so with
negligible CPU use/resources. To me, this is like 100% success with less than
1% CPU use, and happens first in line in the proxy, not last.
What if on the front end of ASSP, it took the attachment and:

$ mkdir files

Copy a bunch of junk files into `files`:

ATT00001
ATT00001-1
Default.aspx.html
fooo/ <- contains all files within this directory
mailstats.txt
test.exe <- Bad file, I want to block this
Now let's zip it up (recursively, so the subdirectory contents go in too)...

$ cd ..
$ zip -r files.zip files
$ ls -la
   306 Feb 12 11:59 files
615837 Feb 12 12:01 files.zip
Now we can look inside it, without even opening it...
65 files found, this is a lot because of how Mac OS X deals with resource forks
and trying to maintain them with the "__MACOSX/" directory, which in this case,
is of no issue at all, just data files, no care.
Output was too large, but here you are: http://pastie.org/822320
So now, we can list it, let's look for patterns...

* In this case, look for exe and html, case insensitive, just to illustrate how an OR can work.
$ unzip -l files.zip | egrep -i "\.exe|\.html"
    28096  02-12-10 09:55   files/Default.aspx.html
    28096  02-12-10 09:55   files/fooo/Default.aspx.html
     1554  02-12-10 10:42   files/fooo/test.exe
     1201  02-12-10 10:42   __MACOSX/files/fooo/._test.exe
     1554  02-12-10 10:42   files/test.exe
     1201  02-12-10 10:42   __MACOSX/files/._test.exe
Seems to have found all the hits we wanted.
If you want to be Mac OS X pretty (for the logs), and ignore the files that
could not hurt, but in reality, a crafty person could exploit the "__MACOSX" if
the OS is not prepared for it, though I suspect it is...
$ unzip -l files.zip | grep -v "__MACOSX/files" | egrep -i "\.exe|\.html"
    28096  02-12-10 09:55   files/Default.aspx.html
    28096  02-12-10 09:55   files/fooo/Default.aspx.html
     1554  02-12-10 10:42   files/fooo/test.exe
     1554  02-12-10 10:42   files/test.exe
In this case, we had hits on not only the main files but all the subdirectories
of files. If you were to sprinkle a little recursion into the unzip
command, or there may be a flag for the -l that also will -l sub zips, then we
could take this to nested zips inside even more zips. If the resulting
output was more than perhaps 5000 files, abort so there is no chance of runaway.
I think that is it, should be pretty easy to convert to perl, and replace the
current method, which I do not believe looks inside the zip file attachment.
If ASSP does look inside, then ignore the post entirely :)
Interested in your feedback.
--
Scott * If you contact me off list replace talklists@ with scott@ *
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
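The listing-and-filtering approach Scott describes (read the archive's central directory instead of extracting, match blocked extensions case-insensitively, skip the __MACOSX/ resource-fork entries, descend into nested zips, and abort past an entry cap), written up as an added example that is not part of this thread and not ASSP code. The 5000-entry abort is the figure from the post; the depth, nested-archive size and compression-ratio limits, and the sample archives, are assumptions constructed here.

```python
import io
import zipfile

# Policy knobs: the 5000-entry abort is the post's figure; the other limits are assumptions.
BLOCKED = (".exe", ".bat", ".html")
MAX_ENTRIES, MAX_DEPTH, MAX_INNER_ZIP, MAX_RATIO = 5000, 3, 8 * 1024 ** 2, 100

def scan_zip(data, prefix="", depth=0, state=None):
    """List the central directory; only nested .zip members are ever inflated."""
    if state is None:
        state = {"hits": [], "entries": 0, "aborted": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        state["aborted"] = "badzip"
        return state
    infos = zf.infolist()
    state["entries"] += len(infos)
    comp = sum(i.compress_size for i in infos)  # both sizes are declared up front
    if state["entries"] > MAX_ENTRIES:
        state["aborted"] = "too-many-entries"
    elif comp and sum(i.file_size for i in infos) / comp > MAX_RATIO:
        state["aborted"] = "ratio"  # zip-bomb heuristic, nothing inflated
    for info in infos:
        if state["aborted"]:
            break
        if info.is_dir() or info.filename.startswith("__MACOSX/"):
            continue  # resource-fork noise, as in the post's grep -v
        name = prefix + info.filename
        if name.lower().endswith(BLOCKED):
            state["hits"].append(name)
        elif name.lower().endswith(".zip"):
            if depth + 1 >= MAX_DEPTH or info.file_size > MAX_INNER_ZIP:
                state["aborted"] = "nested-limit"
            else:  # recurse into the nested archive, sharing the counters
                scan_zip(zf.read(info), name + "!/", depth + 1, state)
    return state

def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in members:
            z.writestr(name, body)
    return buf.getvalue()

def build_sample(bomb=False):
    """Constructed input: the post's layout plus a nested zip, or a bomb-like one."""
    return _zip_bytes([("big.bin", b"\0" * (4 * 1024 ** 2))] if bomb else [
        ("files/mailstats.txt", b"ok"), ("files/Default.aspx.html", b"<html>"),
        ("files/fooo/test.exe", b"MZ"), ("__MACOSX/files/._test.exe", b"rsrc"),
        ("files/nested.zip", _zip_bytes([("inner/payload.EXE", b"MZ")]))])
```

Nested hits are reported with a `!/` separator (e.g. `files/nested.zip!/inner/payload.EXE`), and the ratio check fires on the declared sizes alone, so a bomb-like archive is rejected before any member is inflated.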