We use amavisd to quarantaine all MS executable files, including zipped files. I asked a similar question in amavis. ML at 4/4/13. Replies from the members were quite helpful:
<q> First check if .exe extension is not commented out in $banned_filename_re definition, then check that 'zip' is not commented out in @decoders definition in your amavisd.conf. This is enough. "Filename banning" is in fact a misnomer because when you switch on banning files with .exe extension, the file content is also checked, so if an executable has for example a .pdf extension, it will be banned. </q> On Thu, Feb 5, 2015 at 2:22 PM, Benny Pedersen <m...@junc.eu> wrote: > Virgo Pärna skrev den 2015-02-05 13:59: > > Well, foxhole is something I never thought to Google:) >> > > +1 > > Clamav does unpack archives recursively up to 16 levels (by default). >> > > yep, it just create another problem, zip bomps > > For clamd it is set with MaxRecursion configuration value, for clamscan >> with --max-recursion=N command line switch. So that rule matches still. >> > > unless the scr is nasted 17 times in zip > > so i think foxhole need to test if zip contains another zip, when > --max-recursion=1 > > And I do doubt, that such viruses are hidden deeper. I would at >> least think, that odds of users accidentally executing such file would >> decrease with deeper nesting. >> > > if just end users did not press to see attachment from unknown senders, it > would be less of a problem, and if microsoft blocks installers or exe files > from unknown signers when users running administrator mode, it would make a > big diffrence > > i try to defend developpers to not create clamav as a elf installer :=) > > there is lots of such badnees already > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
