I'm able to block attachments but not with the [] in the BadAttachlevel1 field. Instead of ad[be] I'm using adb|ade for example. I don't know if this has anything to do with the previous report by someone that regexp seems to be wonky in 15025... Bug or something I'm missing?

Also, I've been testing ClamAV (win) with some online testers, namely:
http://www.emailsecuritycheck.net/index.html and
http://www.aleph-tec.com/eicar/

Several of the emails get through. Including one with a dll even though dll should be blocked. For email security, tests 3, 4, 5, and 6 come through unaltered. The eicar tests from aleph-tec also get through. If I download an eicar file from the net and do a clamscan, it's detected. A clamscan on these eicar test files in the mail folders doesn't detect them.

I've got ASAP_AFCDetectSpamAttachRe set to a file, contents are:

    image\/
    application\/pd[ft]
    application\/zip
    multipart/mixed
    text/html
    text/plain
    application/

Though I must admit I don't understand if this is right or not. I'm using clamsup to download the Sane signatures too. Any idea what I could be doing wrong?

On Tue, Feb 17, 2015 at 4:51 PM, K Post <nntp.p...@gmail.com> wrote:

> I can't figure this out to save my life. Is there something wrong with
> the regex? If external is set to level 2 and block, how would mails like
> this get pushed through? It's not just .reg files, it's anything that I've
> tested including .bat.
>
> Thanks
>
> On Thu, Feb 12, 2015 at 9:58 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> 15025 running on a Windows box in my lab.
>>
>> I just tried sending an email from gmail with a .reg file attached to
>> it. Also tried with a .bat file.
>> The emails arrive even though I have reg and bat files blocked. The
>> gmail account is whitelisted, but I've tried with non-whitelisted accounts
>> too.
>>
>> I have ClamAV running and use the AFC-Plugin. If I disable one or both
>> of these, the email still arrives.
>>
>> I have v1.925 of Email::Mime installed. I haven't tried downgrading.
>>
>> DoBlockExes is set to block
>> BlockExes (external senders) is set to Level 2
>> BlockWLExes (wl senders) is set to Level 1
>> BlockNPExes (no processing) is set to Level 2
>>
>> For BadAttachLevel1 I have:
>>
>> ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|ms[cipt]|nch|pcd|pif|prf|ps1|reg|sc[frt]|scr|sh[bs]|vb|vb[es]|wms|ws[cfh]
>> (note that reg is listed there)
>>
>> For BadAttachLevel2 I have:
>> zip
>>
>> I would expect to see that a level 1 exe was detected and that it was
>> blocked. Instead it comes through and the log shows that a level 2 file
>> was found.
>>
>> Log snippet
>>
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org [scoring] DKIM signature verified-OK - header-passed - sender policy is: neutral - author policy is: neutral
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now -6
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Message-Score: added -5 (spfpValencePB) for SPF pass, total score for this message is now -11
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org info: SenderBase - query using SenderBase
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org SenderBase -- used Senderbase -- country:US orgname:GOOGLE domain:google.com
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org HMM is not available - hmmdb is empty
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Bayesian Check [scoring] - Prob: 0.00001 => ham
>> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org [Plugin]* calling plugin ASSP_AFC*
>> Feb-12-15 21:39:33 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org info: 1 attachment found for *Level-2*
>> Feb-12-15 21:39:33 msg95171-02457 [*MessageOK*] 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org message ok [testing reg] -> messages/okmail/testing_reg--3448748.txt
>>
>> Could my regex be wrong somehow? Why would it find a Level 2 attachment,
>> when it only matches level 1? Why wouldn't it have been blocked?
>>
>> Thanks
>> ken
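
An added check, not part of the original thread and not ASSP's own code: it tests the two extension lists quoted above as plain regular expressions against the attachment names of a constructed message, and compares the bracket and alternation spellings. The anchoring in `compile_ext`, the helper names and the sample filenames are assumptions.

```python
import re
from email.message import EmailMessage

# Extension lists copied from the thread (BadAttachLevel1 / BadAttachLevel2).
LEVEL1 = (r"ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|ht[ab]|in[fs]"
          r"|isp|js|jse|lnk|md[abez]|ms[cipt]|nch|pcd|pif|prf|ps1|reg|sc[frt]"
          r"|scr|sh[bs]|vb|vb[es]|wms|ws[cfh]")
LEVEL2 = r"zip"


def compile_ext(pattern):
    # Assumption: the list is matched against the final filename extension,
    # case-insensitively. How ASSP itself wraps the list is not shown on the page.
    return re.compile(r"\.(?:" + pattern + r")$", re.IGNORECASE)


def matching_list(filename, level1=LEVEL1, level2=LEVEL2):
    """Return 1 or 2 for the first list whose pattern matches, else 0."""
    if compile_ext(level1).search(filename):
        return 1
    if compile_ext(level2).search(filename):
        return 2
    return 0


def same_matches(pattern_a, pattern_b, extensions):
    """True if both spellings accept exactly the same extensions."""
    a, b = compile_ext(pattern_a), compile_ext(pattern_b)
    return all(bool(a.search("f." + e)) == bool(b.search("f." + e))
               for e in extensions)


def build_sample(filenames):
    # Constructed test message with dummy attachment bodies.
    msg = EmailMessage()
    msg["Subject"] = "testing reg"
    msg.set_content("constructed body")
    for name in filenames:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def scan(msg):
    """Map each attachment filename to the list (1, 2 or 0) it matches."""
    return {p.get_filename(): matching_list(p.get_filename())
            for p in msg.iter_attachments()}


if __name__ == "__main__":
    print(scan(build_sample(["test.reg", "run.BAT", "docs.zip", "notes.txt"])))
```

A result of 1 for `test.reg` and `run.BAT` here only shows that the pattern text is a valid match for those extensions; it says nothing about which list the running filter consulted.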