This looks good. Now, can someone write a patch that sends a message to the sender that says something like "Password Protected ZIP Encountered. This message not allowed by our security policy." Something along the lines of the Illegal MIME message that Q-S sends out would be good. What do you think?
Trey Nolen

> If anyone's interested here is a modification to sophie so that when a
> password protected archive (like Bagle-H) is scanned it will flag it as
> a virus. Q-S now detects it as "Error: File was encrypted" and
> quarantines it. Here is the alteration to sophie_core.c in the case
> SOPHOS_SAVI_ERROR_FILE_ENCRYPTED:
>
>
>     case SOPHOS_SAVI_ERROR_FILE_ENCRYPTED:
>         sophie_print(0, "%s %s", WARNSTR,
>             SOPHIE_SAVI_ERROR_FILE_ENCRYPTED);
>         strncpy(ret_error_string,
>             SOPHIE_SAVI_ERROR_FILE_ENCRYPTED, sizeof(ret_error_string)-1);
>         sophie_log_virus(scan_file, scan_results);
>
> #ifdef ONLY_FATAL_ERRORS
>         retval = 0;
> #else
>         retval = 1;
> #endif
>         break;
>
> The only changes are adding the "sophie_log_virus..." line and changing
> "retval = -1;" to "retval = 1;"
> ---
> Ed
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jason Haar
> > Sent: Tuesday, March 02, 2004 3:53 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Qmail-scanner-general]Bagle-h and password
> > protected ZIP files
> >
> >
> > On Wed, 2004-03-03 at 07:17, CertaintyTech-Ed wrote:
> > > Anyone else seeing the Bagle-H virus getting thru? I am using Q-S and
> > > sophie and it is not stopping them. Sophie sees that the ZIP file is
> > > password encrypted so can't check it for viruses and Q-S goes ahead and
> > > passes it thru. Does anyone know of any way to catch this one? For now
> > > I am blocking all ZIP attachments...
> >
> > Please let me know when you find ANY e-mail AV system that can catch
> > this virus... i.e. I don't think so. I know there's one that "catches"
> > it by looking at the content of the text part of the message - before
> > the actual zip attachment - but that doesn't really count.
> >
> > Password protected zip files - and people still get infected! When will
> > the naivety end?
> >
> > This is why we have the phrase "defense in depth". Run e-mail AV systems
> > to get rid of 99% of your viruses, but you still need to run nightly
> > scans over old e-mails (to catch the Day Zeros that got through
> > earlier), and you definitely still need to run AV on workstations (which
> > would catch this particular one - as once the user unlocks the virus,
> > their AV can detect it).
> >
> > Obviously such a luxury is appropriate for corporations, but is
> > impossible to mandate for ISPs/etc...
> >
> > Cheers
> >
> > Jason Haar
> > Information Security Manager, Trimble Navigation Ltd.
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> > -------------------------------------------------------
> > SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> > Build and deploy apps & Web services for Linux with
> > a free DVD software kit from IBM. Click Now!
> > http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> > _______________________________________________
> > Qmail-scanner-general mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
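The condition this thread turns on, a ZIP attachment whose members are password protected, shown as an added example that is not part of the original messages and is not sophie or Qmail-Scanner code: it walks the ZIP central directory and counts members whose general-purpose flag bit 0 (encrypted) is set. The function names and the 100-byte sample archive are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ZIP stores every integer little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical helper: number of encrypted members in a ZIP held in memory,
 * or -1 when the buffer cannot be parsed (treat that as unscannable too). */
int zip_count_encrypted(const uint8_t *buf, size_t len)
{
    if (len < 22) return -1;
    /* End-of-central-directory record (PK\5\6): 22 bytes plus a comment
     * of at most 0xFFFF bytes, so search backwards from the end. */
    size_t eocd = len - 22;
    while (rd32(buf + eocd) != 0x06054b50u) {
        if (eocd == 0 || len - eocd >= 22 + 0xFFFFu) return -1;
        eocd--;
    }
    uint16_t total = rd16(buf + eocd + 10);   /* entries in the directory */
    size_t cd_size = rd32(buf + eocd + 12);
    size_t pos = rd32(buf + eocd + 16);       /* directory start offset */
    if (pos > eocd || cd_size > eocd - pos) return -1;

    int encrypted = 0;
    for (uint16_t i = 0; i < total; i++) {
        /* Central directory header (PK\1\2): 46 fixed bytes. */
        if (eocd - pos < 46 || rd32(buf + pos) != 0x02014b50u) return -1;
        if (rd16(buf + pos + 8) & 0x0001) encrypted++;  /* flag bit 0 */
        size_t var = (size_t)rd16(buf + pos + 28)  /* file name length */
                   + rd16(buf + pos + 30)          /* extra field length */
                   + rd16(buf + pos + 32);         /* comment length */
        if (var > eocd - pos - 46) return -1;
        pos += 46 + var;
    }
    return encrypted;
}

/* Constructed sample: 100-byte archive with one empty stored member "a". */
const uint8_t *make_sample_zip(int encrypted)
{
    static uint8_t z[100];
    memset(z, 0, sizeof z);
    memcpy(z, "PK\3\4", 4);       z[6] = encrypted ? 1 : 0;  z[26] = 1;  z[30] = 'a';
    memcpy(z + 31, "PK\1\2", 4);  z[39] = z[6];  z[59] = 1;  z[77] = 'a';
    memcpy(z + 78, "PK\5\6", 4);  z[86] = 1;  z[88] = 1;  z[90] = 47;  z[94] = 31;
    return z;
}
```

A result other than 0 (encrypted members present, or an archive that cannot be parsed) is the case a gateway policy would quarantine or bounce with a notice rather than pass through unscanned.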
