> ps: does anyone know how to trick amavisd to pass encrypted 
> (zip) archives?

Yep, there is a little bit of a dirty hack for amavisd-new.

--snip
Update your amavisd-new:

  Patch: amavisd-new-20030616-p7
  
  - do_unzip and do_unrar: retain an archive if any of its components is
    password protected or encrypted (plus unpack what can be unpacked,
    as before). This gives virus checkers a chance to examine the original
    unpacked archive as a whole (e.g. scanning for variants of W32/Mimail),
    matching it in non-decoded form against virus patterns even if containing
    password-protected components. As a consequence, some virus scanners
    may now log their complaint when encountering such protected archives
    which previously didn't reach them. Such log entries should be considered
    informational only;

plus (if needed) apply the patch to preserve the original mail for virus scanners to 
see, by Ted Cabeen or me, posted today.
--snap

If you'd like to patch by hand:
--snip
Adding qr'^MAIL$' to $keep_decoded_original_re in amavisd.conf :

  $keep_decoded_original_re = new_RE(
    qr'^MAIL$',    # retain full original message for virus checking
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  );

plus the patch below (much like Ted's) may work as a stop-gap solution:

------------------
--- amavisd~    Mon Jan  5 02:00:19 2004
+++ amavisd     Tue Mar  2 22:49:15 2004
@@ -5307,4 +5307,12 @@
                }
                $which_section = "virus_scan";
+               # special case to preserve complete mail file for inspection
+               if (lookup('MAIL',$keep_decoded_original_re)) {
+                   # keep the original email.txt by making a hard link
+                   # to it in ./parts/
+                   link("$tempdir/email.txt", "$tempdir/parts/email.txt")
+                       or die "Can't create hard link $tempdir/email.txt: $!";
+                   do_log(4, "providing full original message to scanners");
+               }
                # some virus scanners behave badly if interrupted,
                # so for now just turn off the timer
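Review bot: the added `link(...) or die` makes any failure to create the hard link fatal for the whole check, and the error text names only the source, "$tempdir/email.txt", not the destination in ./parts/. If the link cannot be created (for instance because "$tempdir/parts/email.txt" already exists), the resulting message points at the wrong file. Suggest naming both paths in the message, and deciding explicitly whether this case should die or only do_log a warning and let the scanners run on the decoded parts alone. It would also help to note in the comment that this block only fires when 'MAIL' matches $keep_decoded_original_re, since the amavisd.conf change and this hunk are useless without each other.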
------------------
--snap



-- 
Kind regards,
Roman Hochuli
CCNP, CQS Cable

GPS-Technik AG
Zürcherstrasse 139
8952 Schlieren
Switzerland
Tel +41-1-7329977
Fax +41-1-7311840
X-NCC-RegID: ch.gps

        
What a strange game. The only winning move is not to play.
                                      -- W.O.P.R., "War Games"

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
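
The retention rule from the amavisd-new changelog quoted above (keep the archive as a whole if any member is password protected, and still unpack the rest), sketched as an added example; it is not amavisd-new code and not part of the original message. The function names are hypothetical, and the sample ZIP is constructed: only the "encrypted" header flag is set on one member, the payload itself is not ciphertext.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general purpose bit 0: member is encrypted


def build_sample_zip():
    """Constructed sample: a plain two-member ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("secret.bin", "not really ciphertext")
    return buf.getvalue()


def mark_encrypted(data, names):
    """Set the encrypted flag for the named members (sample construction only)."""
    out = bytearray(data)
    for sig, flag_off, nlen_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),  # local file header
        (b"PK\x01\x02", 8, 28, 46),  # central directory header
    ):
        pos = out.find(sig)
        while pos != -1:
            (nlen,) = struct.unpack_from("<H", out, pos + nlen_off)
            name = bytes(out[pos + name_off:pos + name_off + nlen]).decode("ascii")
            if name in names:
                out[pos + flag_off] |= ENCRYPTED
            pos = out.find(sig, pos + 4)
    return bytes(out)


def plan_unpack(data):
    """Return (retain_original, extractable, protected) for a ZIP blob.

    retain_original is True when at least one member is flagged encrypted,
    so the scanner should also be handed the archive in non-decoded form.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    protected = [i.filename for i in infos if i.flag_bits & ENCRYPTED]
    extractable = [i.filename for i in infos if not i.flag_bits & ENCRYPTED]
    return bool(protected), extractable, protected


if __name__ == "__main__":
    sample = mark_encrypted(build_sample_zip(), {"secret.bin"})
    print(plan_unpack(sample))
```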
