Re: SaneSecurity malware signatures are not being detected by amavisd-new
2007-05-22 15:21:11
Mark Martinec wrote the following on 5/22/2007 10:04 AM -0800:
> Bill,
>
>> Okay, then is there any reason to have amavisd-new break e-mail messages
>> up for individual parts scanning?
>
> Several virus scanners are not able to decode a MIME structure,
> or do a poor job at it, or can not decode certain types of
> archives or encodings. Carefully decoding by amavisd can also
> protect virus scanners from mail bombs, e.g. recursive archives.
>
Well, hopefully clamav is up to the task of protecting itself from these
types of exploits - only time will tell...
> MIME and archive decoding also provides information about
> mail structure and its components to banning rules (file names,
> file types, mime types), and to a bad MIME-header check.
>
Hmmm, hopefully I will not miss these additional capabilities.  I'll be
monitoring carefully for a while.
>> Would it make sense to disable parts scanning and just have
>> amavisd-new only pass the entire raw message to clamd for scanning?
>
> If you trust your virus scanner, and don't need extra
> information for banning rules, then sure, you may disable
> decodings by amavisd.
>
> Either disable decoders/dearchivers individually by
> adjusting decoders list, or turn them off altogether
> by setting  $bypass_decode_parts=1;
>
> Now with 2.5.1-pre1, the $bypass_decode_parts=1 also
> disables MIME decoding by MIME::Parser, and implicitly
> enables passing of a complete mail to virus scanners,
> which is what you are asking for.
I'm running 2.5.1-pre1 and for testing I have set the following relevant
parts in my amavisd.config:

$bypass_decode_parts = 1;

$keep_decoded_original_re = 0;

# @keep_decoded_original_maps = ($keep_decoded_original_re);
#@keep_decoded_original_maps = (new_RE(
#  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
#  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
#  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
## qr'^Zip archive data',     # don't trust Archive::Zip
#));

#@decoders = (
#  ['mail', &do_mime_decode],
#  ['asc',  &do_ascii],
#  ['uue',  &do_ascii],
#  ['hqx',  &do_ascii],
#  ['ync',  &do_ascii],
#  ['F',    &do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
#  ['Z',    &do_uncompress, ['uncompress','gzip -d','zcat'] ],
#  ['gz',   &do_gunzip],
#  ['gz',   &do_uncompress,  'gzip -d'],
#  ['bz2',  &do_uncompress,  'bzip2 -d'],
#  ['lzo',  &do_uncompress,  'lzop -d'],
#  ['rpm',  &do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
#  ['cpio', &do_pax_cpio,   ['pax','gcpio','cpio'] ],
#  ['tar',  &do_pax_cpio,   ['pax','gcpio','cpio'] ],
#  ['tar',  &do_tar],
#  ['deb',  &do_ar,          'ar'],
## ['a',    &do_ar,          'ar'],  # unpacking .a seems an overkill
#  ['zip',  &do_unzip],
#  ['rar',  &do_unrar,      ['rar','unrar'] ],
#  ['arj',  &do_unarj,      ['arj','unarj'] ],
#  ['arc',  &do_arc,        ['nomarch','arc'] ],
#  ['zoo',  &do_zoo,         'zoo'],
#  ['lha',  &do_lha,         'lha'],
## ['doc',  &do_ole,         'ripole'],
#  ['cab',  &do_cabextract,  'cabextract'],
#  ['tnef', &do_tnef_ext,    'tnef'],
#  ['tnef', &do_tnef],
#  ['exe',  &do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
#  ['7z',   &do_7zip,       ['7zr','7za','7z'] ],
#);

It appears to be working as planned.  Before upgrading:
Virus scanner output:
  p006: Worm.Dumaru.Y FOUND
  p005: Worm.Dumaru.Y FOUND
=====

After upgrading:
Virus scanner output:
  p001: Worm.Dumaru.Y FOUND
=====

And everything since:
Virus scanner output:
  p001: Trojan.Postcard.eml FOUND

Virus scanner output:
  p001: Exploit.Iframe-1 FOUND

Virus scanner output:
  p001: Worm.Mytob.MG FOUND

Virus scanner output:
  p001: Worm.Scano-6 FOUND

Virus scanner output:
  p001: Worm.Mydoom.M FOUND

Virus scanner output:
  p001: Worm.Dumaru.Y FOUND

Virus scanner output:
  p001: Html.Malware.Sanesecurity.07010800 FOUND

Virus scanner output:
  p001: Worm.Bagle.GV FOUND

Virus scanner output:
  p001: Worm.Mytob.KS FOUND

Virus scanner output:
  p001: Worm.Mydoom.I FOUND

Virus scanner output:
  p001: Worm.Nyxem.E FOUND

Virus scanner output:
  p001: Worm.Bagle-8-zippwd FOUND

Virus scanner output:
  p001: Worm.Lovgate.R FOUND

Virus scanner output:
  p001: Worm.Bagle.GV FOUND
=====

Thanks Mark, I'll let you know if I see anything strange since making
the upgrade and amavisd.config changes.

Bill
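As an added example, not part of Bill's or Mark's post, here is a small Python check over constructed log records shaped like the "Virus scanner output:" lines above. It flags records that still name a decoded part other than p001 (which is what separates the before/after output in this thread) and tallies hits from SaneSecurity signatures versus the stock database, the kind of monitoring the post says it will do; matching on the "Sanesecurity" substring is an assumption taken from the signature name shown above.

```python
import re
from collections import Counter

# Constructed sample, shaped like the "Virus scanner output:" records
# quoted in the thread (not copied from any real amavisd log).
SAMPLE_LOG = """\
Virus scanner output:
  p006: Worm.Dumaru.Y FOUND
  p005: Worm.Dumaru.Y FOUND
=====
Virus scanner output:
  p001: Worm.Dumaru.Y FOUND
=====
Virus scanner output:
  p001: Html.Malware.Sanesecurity.07010800 FOUND
=====
"""

# One detection line: part id (pNNN), signature name, the word FOUND.
PART_RE = re.compile(r'^\s*(p\d{3}): (\S+) FOUND\s*$')


def parse_scanner_output(text):
    """Split the log into records; each record is a list of (part, signature)."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith('Virus scanner output:'):
            if current:
                records.append(current)
            current = []
            continue
        m = PART_RE.match(line)
        if m:
            current.append((m.group(1), m.group(2)))
    if current:
        records.append(current)
    return records


def still_decoding(records):
    """True if any record names a part other than p001, i.e. amavisd is still
    handing decoded MIME parts to the scanner rather than the whole mail."""
    return any(part != 'p001' for rec in records for part, _ in rec)


def signature_sources(records):
    """Count hits by source: SaneSecurity third-party sigs vs the stock database
    (assumption: SaneSecurity names carry the substring 'Sanesecurity')."""
    counts = Counter()
    for rec in records:
        for _, sig in rec:
            counts['sanesecurity' if 'sanesecurity' in sig.lower() else 'official'] += 1
    return counts
```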

AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user