Amavis Mailing List Archive
Johan,
> A zipped .pif file is still passed and Kaspersky is not detecting
>
> This is what happens in the logfile:
> : (52621-01) Checking for banned types and filenames
> : (52621-01) p.path: "P=p001,M=text/plain,T=asc"
> : (52621-01) p.path: "P=p002,M=text/html,T=txt"
> : (52621-01) p.path: "P=p003,M=image/gif,T=dat,N=b.gif"
> : (52621-01) p.path: "P=p004,M=application/x-zip-compressed,
> T=dat,N=link.postcard.index.jpg1523.zip"
> : (52621-01) Using (KasperskyLab AVP - aveclient):
> : /usr/local/share/kav/bin/aveclient -p /var/run/aveserver -s ...
> : (52621-01) run_av: /usr/local/share/kav/bin/aveclient exit 0,
>
> I am wondering about the P=p0004 -> T=dat
> Isn't this supposed to be: T=zip?
Indeed this seems to be your problem. The value of T attribute
is derived from whatever the file(1) utility reported.
> Could this also be the reason Kaspersky is not detecting this virus (
> Zafi.D in this case )
Possible, although it is not directly related;
Kaspersky does not use the magic database as used by file(1).
> Amavisd is running chrooted and is detecting: file arc gzip bzip2 lha unarj
> uncompress(gzip -d) unrar zoo cpio
Test whether each component runs correctly in chroot. There is a simple
test program in Perl at the end of README.chroot which tries to
mimic the chrooted environment of amavisd. Try something like:

  perl -Te 'use POSIX; $ENV{PATH}="/usr/bin";
    $uid=getpwnam("vscan") or die "E1:$!";
    chroot "/var/amavis" or die "E2:$!"; chdir "/";
    POSIX::setuid($uid) or die "E3:$!";
    open(STDIN,"</dev/null") or die "E4:$!";
    exec qw(file index.jpg1523.zip) or die "E5:$!"'; echo $?

(supply your own sample zip archive in /var/amavis/index.jpg1523.zip)
Mark
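
The T=dat result for a ZIP attachment discussed above can be checked without relying on file(1)'s own verdict, by comparing the leading signature bytes of the sample with what file(1) reports. The script below is an added example, not part of the original message or of amavisd; the function names and the FILE_CMD variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from amavisd).
# Cross-checks file(1) against the ZIP signature bytes, so a ZIP that
# file(1) fails to recognise is reported instead of passing silently.
# FILE_CMD and the function names are assumptions for illustration.
FILE_CMD=${FILE_CMD:-file}

# Print the first four bytes of $1 as lowercase hex, e.g. 504b0304.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeed if $1 starts with a ZIP signature: local file header,
# end-of-central-directory (empty archive) or spanned-archive marker.
is_zip_by_signature() {
    case "$(magic_hex "$1")" in
        504b0304|504b0506|504b0708) return 0 ;;
        *) return 1 ;;
    esac
}

# check_zip_classification FILE
# Returns 0 file(1) agrees it is a ZIP, 1 file(1) disagrees,
#         2 not a ZIP by signature, 3 unreadable, 4 file(1) failed to run.
check_zip_classification() {
    f=$1
    [ -r "$f" ] || { echo "$f: unreadable"; return 3; }
    is_zip_by_signature "$f" || { echo "$f: not-zip"; return 2; }
    desc=$($FILE_CMD -b "$f" 2>/dev/null) || { echo "$f: file-failed"; return 4; }
    case "$desc" in
        *[Zz]ip\ archive*) echo "$f: ok"; return 0 ;;
        *) echo "$f: mismatch, file(1) says '$desc'"; return 1 ;;
    esac
}

# Check every path given on the command line.
for arg in "$@"; do
    check_zip_classification "$arg" || true
done
```

To reproduce the conditions amavisd sees, run it as the unprivileged user inside the chroot; head, od and tr must be reachable there as well as file.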