Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=2919843&forum_id=4330
Digging a bit further into this, it seems ClamAV defines 2 iframe related signatures in its viruses.db:
Exploit.IFrame (Clam)=696672616d65207372633d33446369643a
Exploit.IFrame.HTML (Clam)=696672616d65207372633d6369643a
those 2 hex patterns resolve to:
i~frame src=3Dcid:
i~frame src=cid:
(~ inserted to avoid AV scanner problems)
Any variation from those -specific- patterns will not be "caught", e.g.:
I~FraMe src=cid:... - will not cause alert
i~frame src="cid:... - will not cause alert
i~frame src="http://... - will not cause alert
etc...
While all this is not directly apropos to the Q-S list, what I found potentially more interesting is the possibility of adding your own company/personal/test signature patterns into your filtering "arsenal" by placing these sigs in a file named "mydb.db" (used by ClamAV to hold test sigs) at the same location as the "normal" ClamAV db's (e.g. /usr/local/share/clamav).
In theory, one could use this technique, say, for content scanning based on certain company-specific policies: no iframe content, no ilayer content, no email about "top secret" or "Project X", etc.
This is still an idea in my head and I'm not saying I can yet recommend doing so, but using iframe as an -example-, if one wanted to reject -all- upper/lower case permutations of iframe, one could place the output of the below perl hack into mydb.db:
use strict;
use warnings;

# every upper/lower case spelling of "iframe" (64 of them), via brace expansion
my @permute = glob("{i,I}{f,F}{r,R}{a,A}{m,M}{e,E}");
foreach my $p (@permute) {
    my $x = "<${p} ";                              # match "<IfRaMe " including the trailing space
    $x =~ s/(.)/sprintf("%2.2x", ord($1))/eg;      # ClamAV hex encoding: two hex digits per character
    my $sig = "COMPANY_POLICY.${p}.Rejection (Clam)=$x";
    print "$sig\n";
}

I would caution against actually doing something like this unless (among other things):
a) your new sig is quite unique, to avoid false positives
b) clamAV is ONLY used for scanning email (*)
c) you are NOT sending virus alerts back to sender (**), e.g. '--notify "admin"' only
*) you don't want a user's documentation or web content getting flagged by some periodic cmd line file system scan
**) "non-standard" AV alerts will certainly confuse recipients. The use of "COMPANY_POLICY" or some other wording should help to make it known to admin that it's a "policy based" rejection vs. a real virus.

As I said, this is still just an idea... Comments?

Caveat clam-or. Don't hold me responsible for lost email ;)
ClamAV sig Ref: http://clamav.sourceforge.net/doc/signatures.pdf -- Doug Monroe
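The following is an added example, not code from the post or from ClamAV. It reproduces the post's two ideas in Python rather than Perl: decoding the quoted "Name=HEX" lines from viruses.db back to their byte patterns, and generating the case-permutation "COMPANY_POLICY" signatures for mydb.db. It then runs a plain case-sensitive substring scan over a few constructed message fragments to show what the stock sigs miss, what the policy sigs catch, and the false positive on ordinary documentation that the post's caution (a) warns about. The substring scan is a simplified stand-in for how ClamAV matches a wildcard-free hex signature, not ClamAV's engine; the sample fragments are made up for the example.

```python
import itertools
from typing import Dict, List, Tuple

# The two iframe signatures quoted from ClamAV's viruses.db in the post ("Name=HEX" format).
CLAMAV_IFRAME_SIGS = [
    "Exploit.IFrame (Clam)=696672616d65207372633d33446369643a",
    "Exploit.IFrame.HTML (Clam)=696672616d65207372633d6369643a",
]

# Constructed message fragments (not real mail) used to exercise the signatures.
SAMPLES: Dict[str, bytes] = {
    "stock_qp":   b'<iframe src=3Dcid:part1@example></iframe>',   # quoted-printable "=" as =3D
    "mixed_case": b'<IFraMe src=cid:part1@example></IFraMe>',     # case variant the stock sigs miss
    "quoted":     b'<iframe src="cid:part1@example"></iframe>',   # quoted URL the stock sigs miss
    "docs":       b'The <IFRAME element embeds another HTML document.',  # benign text, policy false positive
}


def decode_db_line(line: str) -> Tuple[str, bytes]:
    """Split a 'Name=HEX' .db line into the signature name and its raw byte pattern."""
    name, hexpat = line.rsplit("=", 1)
    return name, bytes.fromhex(hexpat)


def encode_db_line(name: str, pattern: bytes) -> str:
    """Inverse of decode_db_line; same lowercase two-digit hex the post's Perl prints."""
    return f"{name}={pattern.hex()}"


def case_permutations(word: str) -> List[str]:
    """Every upper/lower case spelling of word, like the Perl glob('{i,I}{f,F}...')."""
    return ["".join(p) for p in itertools.product(*((c.lower(), c.upper()) for c in word))]


def policy_signatures(tag: str, word: str) -> List[str]:
    """Mirror of the post's Perl hack: one 'Name=HEX' line for '<word ' per case variant."""
    return [
        encode_db_line(f"{tag}.{p}.Rejection (Clam)", f"<{p} ".encode())
        for p in case_permutations(word)
    ]


def matching_sigs(db_lines: List[str], data: bytes) -> List[str]:
    """Simplified scan: a wildcard-free hex sig hits when its bytes appear verbatim (case-sensitive)."""
    return [name for name, pat in map(decode_db_line, db_lines) if pat in data]


def scan_all() -> Dict[str, Tuple[List[str], List[str]]]:
    """For each sample: (names hit by the stock sigs, names hit by the generated policy sigs)."""
    policy = policy_signatures("COMPANY_POLICY", "iframe")
    return {
        label: (matching_sigs(CLAMAV_IFRAME_SIGS, data), matching_sigs(policy, data))
        for label, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for line in CLAMAV_IFRAME_SIGS:
        name, pat = decode_db_line(line)
        print(f"{name:28} -> {pat!r}")
    for label, (stock, policy) in scan_all().items():
        print(f"{label:11} stock={stock} policy={policy}")
```

Running it shows the stock signatures firing only on the lowercase, unquoted `src=3Dcid:` fragment, the 64 generated policy lines catching every case spelling of `<iframe ` regardless of what follows, and the same policy lines also flagging the plain-English documentation sentence, which is exactly why the post restricts such sigs to mail scanning and keeps the alerts admin-only.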
Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
