At 03:34 AM 3/3/04, Tomasz Papszun wrote:
On Wed, 03 Mar 2004 at  2:47:50 -0500, jef moskot wrote:
> On Tue, 2 Mar 2004, jef moskot wrote:
> > For some reason, my system is allowing Worm.Bagle.F-zippwd files
> > through...
>
> For what it's worth, this seems to be an issue with amavis.  By default,
> it doesn't scan the body of the message.  If/when I get a fix, I'll post

Our signatures Worm.Bagle.F-zippwd* are based on the "real" contents of
mail messages (stream of characters as they are), while amavisd-new (and
probably amavis) "divide" messages into parts and decode them separately,
hence ClamAV doesn't get the original stream of chars.

> it here so all other dinosaurs can update their scripts.

Not only dinosaurs. Amavisd-new also does so. These scripts are simply
"too intelligent" ;-).

There is a patch (it was posted to the amavis-user ML) to the development
version of Amavisd-new which enables scanning of full intact messages,
but I haven't tried it yet.

Here are patches posted on the amavis-users list for the "current" version of amavisd-new-20030616-p*. Any of these is sufficient to allow amavisd-new to detect the Worm.Bagle.F-zippwd-* viruses.


Patch by Mark Martinec; scans decoded parts + full original mail message.
http://marc.theaimsgroup.com/?l=amavis-user&m=107826666706748&w=2

More complex patch by Ted Cabeen; only scans the full original mail if it contains a ZIP component. This can save significant time on mail not containing a zip file.
http://marc.theaimsgroup.com/?l=amavis-user&m=107827878627320&w=2


Here is a *very* simple patch by Ted Cabeen. It should apply to just about any version of amavisd-new with some fuzz, and maybe even other variants of amavis* if you can find the right place to insert the single new line. NOTE: change "copy" to "link" in the patch to improve performance and remove the need for File::Copy.
http://marc.theaimsgroup.com/?l=amavis-user&m=107830495801266&w=2



--
Noel Jones




_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
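
The mismatch discussed in this thread, as an added Python example that is not part of the original messages and is not the Perl code of any of the linked patches: a signature taken from the raw mail stream does not match once the filter has split and decoded the MIME parts, and matches again when the intact message is scanned as well. The payload, the signature and the `has_zip_part` heuristic (content type or `.zip` filename) are constructed assumptions.

```python
import base64
import email
from email.message import EmailMessage

# Constructed stand-in for an encrypted ZIP attachment; not real malware.
PAYLOAD = b"PK\x03\x04" + b"constructed-encrypted-zip-bytes" * 4
# Hypothetical raw-stream signature: a slice of the base64 text exactly as it
# appears on the wire (inside the first 76-character encoded line).
RAW_SIGNATURE = base64.b64encode(PAYLOAD)[8:40]

def build_message(with_zip=True):
    """Build a constructed sample mail and return its raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("The password is 12345")
    if with_zip:
        msg.add_attachment(PAYLOAD, maintype="application",
                           subtype="zip", filename="doc.zip")
    return msg.as_bytes()

def decoded_parts(raw):
    """What a part-splitting content filter hands to the scanner."""
    msg = email.message_from_bytes(raw)
    return [p.get_payload(decode=True) or b""
            for p in msg.walk() if not p.is_multipart()]

def has_zip_part(raw):
    """Assumed heuristic for 'contains a ZIP component'."""
    for p in email.message_from_bytes(raw).walk():
        name = (p.get_filename() or "").lower()
        if p.get_content_type() == "application/zip" or name.endswith(".zip"):
            return True
    return False

def scan(blobs):
    """Toy scanner: substring match of the raw-stream signature."""
    return any(RAW_SIGNATURE in blob for blob in blobs)

def scan_parts_only(raw):        # behaviour before any patch
    return scan(decoded_parts(raw))

def scan_parts_plus_full(raw):   # decoded parts + full original message
    return scan(decoded_parts(raw) + [raw])

def scan_full_if_zip(raw):       # full message only when a ZIP part exists
    blobs = decoded_parts(raw)
    if has_zip_part(raw):
        blobs.append(raw)
    return scan(blobs)
```
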
