Amavis Mailing List Archive
>
> Johan,
>
> > There is also a rule that says:
> > qr'(?# BLOCK COMMON NAME EXTENSIONS )
> > ^ (.*\t)? N= [^\t\n]* \. (
> > exe|vbs|vbe|pif|scr|lnk|bat|com|cpl|
> > mpg|mpe|mpa|mpeg|wav|asf|wma|wmv|avi|mov|rm|mp3)
> > (\t.*)? $'xmi,
> >
> > The trouble at this moment is my Kaspersky virus scanner
> > It is not detecting the Sober.I virus when it is in a zip file
> > I am figuring out why
> > Until then I want to block pif files inside a zip file
>
> qr'^
> (.*\t)? T=zip (\t.*)?
> (.*\n)+
> (.*\t)? N=[^\t\n]*\.pif (\t.*)?
> $'xmi
>
> Mark
>
>
Sorry to say, but this is not working
A zipped .pif file is still passed and Kaspersky is not detecting
This is what happens in the logfile:
: (52621-01) Checking for banned types and filenames
: (52621-01) p.path: "P=p001,M=text/plain,T=asc"
: (52621-01) p.path: "P=p002,M=text/html,T=txt"
: (52621-01) p.path: "P=p003,M=image/gif,T=dat,N=b.gif"
: (52621-01) p.path: "P=p004,M=application/x-zip-compressed,T=dat,N=link.postcard.index.jpg1523.zip"
: (52621-01) Using (KasperskyLab AVP - aveclient): /usr/local/share/kav/bin/aveclient -p
/var/run/aveserver -s /usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p001
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p002
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p003
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p004
: (52621-01) run_av: /usr/local/share/kav/bin/aveclient exit 0,
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p001 OK\n
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p002 OK\n
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p003 OK\n
/usr/amavisd/tmp/amavis-20041215T085135-52621/parts/p004 OK
: (52621-01) spam_scan: hits=-4.433 tests=BAYES_00,HTML_FONTCOLOR_BLUE,HTML_FONT_BIG,HTML_MESSAGE
I am wondering about the P=p004 -> T=dat
Isn't this supposed to be: T=zip
Could this also be the reason Kaspersky is not detecting this virus (Zafi.D in this case)?
Amavisd is running chrooted and is detecting: file arc gzip bzip2 lha unarj uncompress(gzip -d) unrar zoo cpio
Any suggestions where to look for this behavior ???
Johan
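Added example, not code from the thread or from amavisd itself: the two rules quoted above transcribed into Python's re module with the equivalents of Perl's /xmi flags, run over descriptor strings built from the p.path fields in the log. The one-line-per-part, tab-separated layout of that string is an assumption inferred from the \t and \n the rules themselves expect, and the part id and .pif filename in the expanded case are constructed. Over the logged parts neither rule fires, since the zip part is typed T=dat and has no child part; once the same attachment is typed T=zip with a .pif leaf below it, Mark's rule matches.

```python
import re

# Perl /xmi  ->  Python re.X | re.M | re.I
FLAGS = re.X | re.M | re.I

# Rule quoted in the thread: block common executable/media name extensions.
BANNED_EXT_RE = re.compile(r'''
    ^ (.*\t)? N= [^\t\n]* \. (
    exe|vbs|vbe|pif|scr|lnk|bat|com|cpl|
    mpg|mpe|mpa|mpeg|wav|asf|wma|wmv|avi|mov|rm|mp3)
    (\t.*)? $''', FLAGS)

# Mark's rule: a .pif part on a line below a part typed T=zip.
ZIPPED_PIF_RE = re.compile(r'''^
    (.*\t)? T=zip (\t.*)?
    (.*\n)+
    (.*\t)? N=[^\t\n]*\.pif (\t.*)?
    $''', FLAGS)

RULES = (("banned_ext", BANNED_EXT_RE), ("zipped_pif", ZIPPED_PIF_RE))

def descriptor(*levels):
    """Build the string the rules are matched against: one line per MIME part
    on the path from the message down to the leaf, fields tab-separated
    (assumed layout, inferred from the \\t and \\n in the rules above)."""
    return "\n".join("\t".join(f"{k}={v}" for k, v in level.items())
                     for level in levels)

def fired(desc):
    """Names of the rules that match the descriptor (empty list: part passes)."""
    return [name for name, rx in RULES if rx.search(desc)]

# Constructed from the p.path fields in Johan's log: four flat parts, the zip
# attachment typed T=dat and never expanded, so no child part exists.
LOGGED_PARTS = [
    descriptor({"P": "p001", "M": "text/plain", "T": "asc"}),
    descriptor({"P": "p002", "M": "text/html", "T": "txt"}),
    descriptor({"P": "p003", "M": "image/gif", "T": "dat", "N": "b.gif"}),
    descriptor({"P": "p004", "M": "application/x-zip-compressed", "T": "dat",
                "N": "link.postcard.index.jpg1523.zip"}),
]

# Constructed: the same attachment as it would look once the archive is
# recognised (T=zip) and unpacked, giving a .pif leaf below it (p005 and the
# leaf name are made up for the example).
EXPANDED_PART = descriptor(
    {"P": "p004", "M": "application/x-zip-compressed", "T": "zip",
     "N": "link.postcard.index.jpg1523.zip"},
    {"P": "p005", "M": "application/octet-stream", "T": "pif", "N": "card.pif"},
)
```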
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/