It's time for me to come out of the woodwork and make another (hopefully useful) contribution.
This morning, everything was running fine until I received an e-mail with a .exe attachment. None of the virus scanners apparently caught it, but I knew better than to just accept it as a "clean" binary. I took a look at it and it was another UPX compressed binary. I've never trusted those, and never will. However, it bothered me that a virus (Tanx-A according to Sophos, aka Bagel-B, W32.Alua, etc.) could get through between definition updates. Yes, yes, I know I could/should block .exe attachments. However, sometimes that's unacceptable.

So, as a solution, I wrote a crude scanner to look for certain byte-strings at certain offsets. Right now it only looks for UPX compressed binaries, and probably could use some more enhancements to make it "cleaner". If people show an interest in it, I'll work with it more.

To manually add this, just add the PERL code at the bottom of this message to the qmail-scanner-queue.pl file, and add "fileformat_scanner" to @scanner_array.

John Narron                   | "Sacrifice, they always say
Network Administration        |  Is a sign of nobility
CDS/CDSinet, LLC              |  But where does one draw the line
http://www.cdsinet.net        |  In the face of injury?"
(660) 886 4045                |      - Queensryche

sub fileformat_scanner {
    my($start_ffs_time, $stop_ffs_time, $ffs_time, @allfiles, $index, $DATA, $f);
    my(@FORMATS, $formats);

    $start_ffs_time = [gettimeofday];
    &debug("ffs: starting scan of directory \"$scandir/$file_id\"...");

    # This could probably be replaced by a database somewhere...
    # Each entry: the byte string expected at a fixed offset in the file.
    @FORMATS = ({ Name   => "UPX Compressed Binary",
                  Offset => 0x3e0,
                  Data   => "UPX",
                  Length => 3 });
    $formats = scalar(@FORMATS);
    &debug("ffs: scanning for $formats item(s)");

    opendir(SCANDIR, "$scandir/$file_id")
        || &tempfail("ffs: cannot open \"$scandir/$file_id\"");
    @allfiles = grep(!/^\.+$/, readdir(SCANDIR));
    closedir(SCANDIR);

    foreach $f (@allfiles) {
        &debug("ffs: scanning \"$scandir/$file_id/$f\"");
        open(SCANFILE, "$scandir/$file_id/$f")
            || &tempfail("ffs: cannot open \"$scandir/$file_id/$f\"");
        binmode(SCANFILE);    # attachments are binary; no newline translation
        $index = 0;
        while ($index < @FORMATS) {
            $DATA = '';       # a file shorter than the offset reads as empty
            seek(SCANFILE, $FORMATS[$index]{Offset}, 0);
            read(SCANFILE, $DATA, $FORMATS[$index]{Length});
            # Probably needs to be a bit more complex than this
            if ($DATA eq $FORMATS[$index]{Data}) {
                &debug("ffs: File is \"$FORMATS[$index]{Name}\"");
                $quarantine_description = $FORMATS[$index]{Name};
                ($quarantine_event = $quarantine_description) =~ s/\s/_/g;
                $quarantine_event = "ffs:" . substr($quarantine_event, 0, $QE_LEN);
                $description .= "\n--- file format scanner ---\n";
                $description .= "FILE/DIR : $scandir/$file_id\n";
                $description .= "FORMAT   : $quarantine_description\n";
            }
            $index++;
        }
        close(SCANFILE);
    }

    $stop_ffs_time = [gettimeofday];
    $ffs_time = tv_interval($start_ffs_time, $stop_ffs_time);
    &debug("ffs: finished scan of dir \"$scandir/$file_id\" in $ffs_time secs");
}

Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
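The offset/byte-string idea from the post, as an added example that is not the post's or qmail-scanner's code. It keeps a signature table like the post's @FORMATS (the 0x3e0 "UPX" rule is the post's own heuristic), guards against files shorter than the offset, and goes one step further than the post, as its own comment suggests is needed, by reading the PE section table and checking for UPX0/UPX1 section names; the PE skeleton builder exists only to construct test input.

```python
import struct

# Fixed-offset rules in the spirit of the post's @FORMATS table.
SIGNATURES = [
    {"name": "UPX Compressed Binary", "offset": 0x3E0, "data": b"UPX"},
]

def match_signatures(blob, signatures=SIGNATURES):
    """Names of rules whose bytes sit at the stated offset.
    A file shorter than offset+len(data) simply does not match."""
    hits = []
    for sig in signatures:
        end = sig["offset"] + len(sig["data"])
        if len(blob) >= end and blob[sig["offset"]:end] == sig["data"]:
            hits.append(sig["name"])
    return hits

def pe_section_names(blob):
    """Parse the PE section table; return [] if this is not a parseable PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)      # offset of "PE\0\0"
    if len(blob) < e_lfanew + 24 or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (nsections,) = struct.unpack_from("<H", blob, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", blob, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        off = table + 40 * i                                 # 40-byte section headers
        if len(blob) < off + 40:
            break                                            # truncated table: stop, don't crash
        names.append(blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def is_upx_packed(blob):
    """Flag UPX by the fixed-offset rule or by UPX-named sections."""
    return bool(match_signatures(blob)) or any(n.startswith("UPX") for n in pe_section_names(blob))

def build_fake_pe(section_names):
    """Constructed test input: a minimal, non-executable PE skeleton (PE32)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"\0" * (e_lfanew - len(hdr))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, OptHdrSize, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    hdr += b"PE\0\0" + coff + b"\0" * 0xE0
    for name in section_names:
        hdr += name.encode().ljust(8, b"\0") + b"\0" * 32
    return bytes(hdr)
```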
