On 20/06/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Johnny Stork wrote:
> >>> Is there any way to get clamav to handle password protected
> >>> zip files? We
> >>> receive and send many files as pw protected zips and since
> >> deploying clamav, they have all been flagged as viruses?
> >>
> >> ArchiveBlockEncrypted
> >> Mark encrypted archives as viruses
> >> (Encrypted.Zip, Encrypted.RAR).
> >> Default: disabled
> > Thanks kindly, but I guess this means that they pass through without
> > being scanned/checked?
>
> ClamAV can't scan encrypted archives, because there's no way to tell it the
> password. Unless the encrypted archive matches a signature in its encrypted
> form, there's no virus detection here.
>
> It can either uniformly let through, or uniformly block, all encrypted
> archives.
>
> If you want sophisticated zip file handling, consider MIMEDefang [1] and
> Archive::Zip
>
> [1] www.mimedefang.com

Right. I've used this approach to block encrypted zips containing filetypes that are "suspicious" (exe, pif, etc.), but haven't matched a virus signature. You can only scan one level deep. But that way you can let through encrypted zips containing xls files or whatever you consider possibly legitimate traffic. There's an example filter on the MIMEdefang site with some details of using Archive::Zip IIRC.

--
des -- http://frommars.org/
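
The filename check described in this thread, as an added example that is not part of the original messages and is not MIMEDefang or Archive::Zip code: it uses Python's `zipfile` to read member names, which stay visible when the member data is encrypted. The extensions beyond exe and pif, the verdict strings and the function names are assumptions, and the sample archives are constructed.

```python
import io
import os
import zipfile

# "exe" and "pif" come from the thread; the other extensions are assumptions.
SUSPICIOUS_EXTS = {"exe", "pif", "scr", "com", "bat"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general purpose bit flag


def classify_zip(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, offending names) for a ZIP attachment.

    Member names stay readable when member data is encrypted, because
    ordinary ZIP encryption does not cover the central directory.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    encrypted = [m for m in members if m.flag_bits & ENCRYPTED_FLAG]
    if not encrypted:
        return "scan", []  # readable contents: hand to the virus scanner
    bad = [m.filename for m in encrypted
           if os.path.splitext(m.filename)[1].lstrip(".").lower() in SUSPICIOUS_EXTS]
    # Only this level is visible: a nested archive's own listing is encrypted.
    return ("block", bad) if bad else ("allow-unscanned", [])


def make_sample(names: list[str], encrypted: bool) -> bytes:
    """Build a constructed sample ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        # zipfile cannot write encrypted members, so set bit 0 of the flag
        # field (offset 8 in each central directory header) by hand.
        raw[pos + 8] |= ENCRYPTED_FLAG
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for names, enc in ((["report.xls"], True), (["invoice.PIF"], True),
                       (["setup.exe"], False)):
        print(names, enc, classify_zip(make_sample(names, enc)))
```

An "allow-unscanned" verdict means the attachment was passed on file names alone; its contents were never checked against virus signatures.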