Thread: how to allow banned file extensions within zip archives?

how to allow banned file extensions within zip archives?
Australia | 2007-03-29 00:59:36
Hi

I've looked around the list archives and the readme files, but have only found general pointers to this problem. Basically I want to allow certain when they are included in a zip file, but not if they are attached directly.

I am using Debian, which breaks the configuration files into separate areas under /etc/amavis/conf.d: 01-debian/ 05-domain_id/ 05-node_id/ 15-av_scanners/ 15-content_filter_mode/ 20-debian_defaults/ 25-amavis_helpers/ 30-template_localization/ 50-user/ 51-my_overides/

These files are read in order by the daemon start-stop script. 51-my_overides/ is a copy of 20-debian_defaults/ with some changes. I have proven this file is being read (by altering the $virus_admin variable).

Below is the relevant section of my configuration, basically straight from the conf.example file with a couple of lines uncommented. (Note that the Debian config used the older $banned_filename_re, which is disabled at the bottom of the section per the example.)

I would expect the rule-7 bit to allow an exe file within a zip file; however, I don't see the effect I hoped for. Log file entry follows after the config snippet:
$banned_namepath_re = new_RE(
  # block these MIME types
  qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
  qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
# # block rfc2046 MIME types
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi,
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi,
# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm,
# # within traditional Unix compressions allow any name and type
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ],  # allow
  # within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow
# # block anything within a zip
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,
  # block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
        (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.?  (\t.*)? $'xmi,
# # block Class ID (CLSID) extensions in filenames
# qr'(?# BLOCK CLSID-EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}? [^\t\n]* (\t.*)? $'xmi,
# # banned declared names with three or more consecutive spaces
# qr'(?# BLOCK NAMES WITH SPACES )
#    ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,
# # within PC archives allow any types or names at any depth
  [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ],  # ok
# # within certain archives allow leaf members at any depth if crypted
# [ qr'(?# ALLOW ENCRYPTED )
#      ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
# # allow crypted leaf members regardless of their name or type
# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
# # block if any component can not be decoded (is encrypted or bad archive)
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,
# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
#      \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
#      \t(.*\t)* N=example\d+[^\t\n]*
#      (\t.*)? $'xmi => 0 ],
  # banned filename extensions (in declared names) anywhere - basic
  qr'(?# BLOCK COMMON NAME EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
# # banned filename extensions (in declared names) anywhere - long
# qr'(?# BLOCK MORE NAME EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \. (
#      ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#      inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#      ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#      wmf|wsc|wsf|wsh) (\t.*)? $'xmi,
# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
# qr'(?# BLOCK WinZip VULNERABILITY EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,
  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
    => 'DISCARD' ],
# [ qr'(?# BLOCK EMPTY MIME PARTS )
#      ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],
  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,                      # banned file(1) type
# qr'(?# BLOCK ANY EXECUTABLE )
#    ^ (.*\t)? T=exe (\t.*)? $'xm,                         # banned file(1) type
# qr'(?# BLOCK THESE TYPES )
#    ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm,      # banned file(1) types
);

# use old or new style of banned lookup table; not both to avoid confusion
# @banned_filename_maps = ();   # to disable old-style
# $banned_namepath_re = undef;  # to disable new-style

%banned_rules = (
  'MYNETS-DEFAULT' => new_RE(   # permissive set of rules for internal hosts
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],   # allow any name/type in Unix archives
    qr'.\.(vbs|pif|scr)$'i,            # banned extension - rudimentary
  ),
  'DEFAULT' => $banned_filename_re,
);
Log file entry:

Mar 29 15:45:26 server amavis[14485]: (14485-04) Blocked BANNED (P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe), LOCAL [192.168.15.9] [192.168.15.9] <user@server.com> -> <jsdfkjsdkl@gmail.com>, quarantine: banned-39Jkl88fxqey, Message-ID: <200703291544.14675.user@server.com>, mail_id: 39Jkl88fxqey, Hits: -, 541 ms
Mar 29 15:45:26 server postfix/smtp[14235]: 5EFD120C082: to=<jsdfkjsdkl@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=49, delays=48/0/0/0.54, dsn=2.7.1, status=sent (254 2.7.1 Ok, discarded, id=14485-04 - BANNED: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1....)
Regards
Richard
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
Re: how to allow banned file extensions within zip archives?
Slovenia | 2007-03-29 08:05:13
Richard,

> I've looked around the list archives, and the readme files, but have only
> found general pointers to this problem. Basically I want to allow certain
> when they are included in a zip file, but not if they are attached
> directly.

[...]

> I would expect the rule-7 bit to allow an exe file within
> a zip file; however, I don't see the effect I hoped for.
>
> (14485-04) Blocked BANNED (P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip |
> P=p004,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe),

It appears the entry was blocked because it matched the double-extensions rule, which is above rule-7, so it takes precedence. Log level 1 (or 3) would show more details on which rule matched; search for 'p.path' there.

It seems you need to reshuffle the rules: move rule-7 higher or the rule for double-extensions lower. Or you may tighten up the double-extensions rule.

Mark
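To make the ordering point concrete, here is an added example; it is not code from the thread or from amavisd-new. It models how a $banned_namepath_re list is evaluated (the first rule whose regex matches decides; the string matched against is one tab-separated line of attr=value fields per MIME part, outermost part first, lines joined by newline, which the log renders with ',' for tab and ' | ' for newline) and runs the relevant rules from the posted config three ways: in the posted order, with rule-7 moved above the double-extension rule, and with a tightened double-extension rule in the original position. It evaluates them over three constructed part chains: the exe-in-zip from the log, the same exe attached directly, and a classic report.txt.exe inside a zip. The part chains, the application/octet-stream type on the direct attachment, and the list of inner extensions in the tightened rule are my assumptions.

```python
import re

# Model of amavisd-new's $banned_namepath_re evaluation (assumption: first
# matching rule wins; namepath is tab-separated attr=value fields per part,
# outermost first, newline-separated). Not amavisd's own code.

FLAGS = re.X | re.M | re.I   # the 'xmi' modifiers on the qr'' patterns

# (label, pattern, bans) -- bans=False models the "=> 0" (allow) entries.
# Patterns copied from the posted config, in the posted order (double-
# extension rule above rule-7); only the rules the log entry can hit are
# kept. The exe-ms rule is 'xm' in the config; 'i' changes nothing here.
DOUBLE_EXT = (
    r"^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. "
    r"(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $")
RULE_7 = r"^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $"
RULES_AS_POSTED = [
    ("rule-3", r"^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $", False),
    ("rule-4", r"^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $", False),
    ("BLOCK DOUBLE-EXTENSIONS", DOUBLE_EXT, True),
    ("rule-7", RULE_7, False),
    ("BLOCK COMMON NAME EXTENSIONS",
     r"^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $", True),
    ("BLOCK Microsoft EXECUTABLES", r"^ (.*\t)? T=exe-ms (\t.*)? $", True),
]

# Assumed tightening (my choice, not from the thread): count a name as a
# double extension only when the inner extension is one a document or image
# would carry, so a version-numbered 'x-1.0.3-install.exe' no longer counts.
DOUBLE_EXT_TIGHT = (
    r"^ (.*\t)? N= [^\t\n]* \. (txt|doc|xls|ppt|pdf|rtf|jpg|jpeg|gif|png|htm|html) \. "
    r"(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $")


def move_rule7_up(rules):
    """Mark's first suggestion: put rule-7 above the double-extension rule."""
    rule7 = next(r for r in rules if r[0] == "rule-7")
    rest = [r for r in rules if r[0] != "rule-7"]
    i = next(i for i, r in enumerate(rest) if r[0] == "BLOCK DOUBLE-EXTENSIONS")
    return rest[:i] + [rule7] + rest[i:]


def tighten_double_ext(rules):
    """Mark's second suggestion: same order, stricter double-extension rule."""
    return [(lab, DOUBLE_EXT_TIGHT if lab == "BLOCK DOUBLE-EXTENSIONS" else pat, bans)
            for lab, pat, bans in rules]


def namepath(chain):
    """Serialise a chain of parts (outermost first) the way the rules expect."""
    return "\n".join("\t".join(f"{k}={v}" for k, v in part) for part in chain)


def first_match(rules, path):
    """Return (label, bans) of the first matching rule, or (None, False)."""
    for label, pattern, bans in rules:
        if re.search(pattern, path, FLAGS):
            return label, bans
    return None, False


# Constructed part chains. EXE_IN_ZIP is modelled on the log entry in the
# thread; the other two are made up to show both sides of the trade-off.
MIXED = [("P", "p003"), ("L", "1"), ("M", "multipart/mixed")]
INSTALLER = "openvpn-2.0.7-gui-1.0.3-install"
EXE_IN_ZIP = [MIXED,
              [("P", "p002"), ("L", "1/2"), ("M", "application/x-zip"),
               ("T", "zip"), ("N", INSTALLER + ".zip")],
              [("P", "p004"), ("L", "1/2/1"), ("T", "exe"), ("T", "exe-ms"),
               ("N", INSTALLER + ".exe")]]
EXE_DIRECT = [MIXED,
              [("P", "p002"), ("L", "1/2"), ("M", "application/octet-stream"),
               ("T", "exe"), ("T", "exe-ms"), ("N", INSTALLER + ".exe")]]
TXT_EXE_IN_ZIP = [MIXED,
                  [("P", "p002"), ("L", "1/2"), ("M", "application/zip"),
                   ("T", "zip"), ("N", "docs.zip")],
                  [("P", "p004"), ("L", "1/2/1"), ("T", "exe"), ("T", "exe-ms"),
                   ("N", "report.txt.exe")]]
SAMPLES = {"exe in zip": EXE_IN_ZIP,
           "exe attached directly": EXE_DIRECT,
           "report.txt.exe in zip": TXT_EXE_IN_ZIP}


def verdicts(rules):
    """Map each sample to (matching rule label, banned?) under a rule list."""
    return {name: first_match(rules, namepath(chain)) for name, chain in SAMPLES.items()}


if __name__ == "__main__":
    for title, rules in [("as posted", RULES_AS_POSTED),
                         ("rule-7 moved up", move_rule7_up(RULES_AS_POSTED)),
                         ("double-ext tightened", tighten_double_ext(RULES_AS_POSTED))]:
        print(f"== {title}")
        for name, (label, bans) in verdicts(rules).items():
            print(f"  {name:24s} -> {'BANNED ' if bans else 'allowed'} by {label}")
```

Running it shows why the posted order banned the installer: openvpn-2.0.7-gui-1.0.3-install.exe has a dot-separated segment containing a letter ('3-install') directly before '.exe', which is all the double-extension pattern asks for. Moving rule-7 up lets any member name through inside a zip, report.txt.exe included; tightening the double-extension rule instead keeps that case banned while letting the version-numbered installer through. Under either change a directly attached exe is still banned, by the double-extension rule or the common-extension rule.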
Re: how to allow banned file extensions within zip archives?
Australia | 2007-03-29 18:56:51
Many thanks, reordering my rules had the desired effect, and using a higher log level gave me a better understanding of why the double-extensions rule was matching.

Cheers
Richard

On Thursday 29 March 2007 23:05, Mark Martinec wrote:
> Richard,
>
> > I've looked around the list archives, and the readme files, but have only
> > found general pointers to this problem. Basically I want to allow certain
> > when they are included in a zip file, but not if they are attached
> > directly.
>
> [...]
>
> > I would expect the rule-7 bit to allow an exe file within
> > a zip file; however, I don't see the effect I hoped for.
> >
> > (14485-04) Blocked BANNED (P=p003,L=1,M=multipart/mixed |
> > P=p002,L=1/2,M=application/x-zip,T=zip,N=openvpn-2.0.7-gui-1.0.3-install.zip |
> > P=p004,L=1/2/1,T=exe,T=exe-ms,N=openvpn-2.0.7-gui-1.0.3-install.exe),
>
> It appears the entry was blocked because it matched the double-extensions
> rule, which is above rule-7, so it takes precedence. Log level 1 (or 3)
> would show more details on which rule matched; search for 'p.path' there.
> It seems you need to reshuffle the rules: move rule-7 higher or the
> rule for double-extensions lower. Or you may tighten up the
> double-extensions rule.
>
> Mark