blocking encrypted zips?

Michael Scheidell michael.scheidell at secnap.com
Tue May 17 20:32:35 CEST 2011


On 5/17/11 2:05 PM, Andreas Schulze wrote:
> Michael,
>> what is best way to do it? I think I can have clamav do it, or
>> amavisd-do it, right?
> yes, you can use both.
> as far as I know, amavisd can detect everything that clamav can detect.
> but keep in mind that the next clamav release will improve the handling of encrypted PDFs.
>
> Andreas
>
Any hint as to how to do it in amavisd-new with policy-based SQL?

The test file is a password-protected (zip -e) zip with a jpg in it.

For @. (id 1) I get policy=101;
for policy 101 I have   banned_rulenames: NO-ENCRYPT,NO-EXE

in amavisd.conf

%banned_rules = (
  'NO-EXE' => new_RE(
    qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|url|vbe|vbs)$'i,
  ),
  'NO-ENCRYPT' => new_RE( qr'.\.(UNDECIPHERABLE)$'i, ),
  'DEFAULT' => new_RE( [ qr'.*' => 0 ] ),
);

amavisd does know it's protected; the subject line gets changed to
*** UNCHECKED ***




-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  
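The question above hinges on amavisd recognising that the zip is password protected. The check that does that is simple enough to reproduce outside the mail gateway: every ZIP entry carries a general-purpose bit flag in its local and central-directory headers, and bit 0 (traditional PKWARE encryption) or bit 6 (strong encryption) marks the entry as encrypted. The script below is an added example, not code from amavisd-new or from the poster; it builds a small zip in memory with a constructed, fake "photo.jpg" payload, flips the encryption flag in the headers the same way `zip -e` would, and then reports which members are encrypted. The function names (`encrypted_members`, `make_zip`, `verdict`) and the verdict strings are this example's own assumptions.

```python
"""Detect password-protected ZIP attachments by reading the general-purpose
bit flag of each entry, which is what a gateway sees before it ever tries
(and fails) to extract the archive."""
import io
import struct
import zipfile

# Bit 0: traditional PKWARE encryption; bit 6: strong encryption (AES etc.).
ENCRYPTED_FLAGS = 0x0001 | 0x0040


def encrypted_members(data: bytes) -> list[str]:
    """Return the names of entries whose central-directory flag marks them
    as encrypted. Raises zipfile.BadZipFile if data is not a zip at all.
    infolist() only parses the central directory, so no decryption or
    decompression is attempted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAGS]


def verdict(data: bytes) -> str:
    """Gateway-style classification of one attachment body (assumed labels)."""
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        return "not-a-zip"
    return "UNDECIPHERABLE" if names else "clean"


def make_zip(entries: dict, *, encrypted: bool) -> bytes:
    """Build a test archive in memory (constructed sample data).

    zipfile cannot write encrypted archives, so for the encrypted case we
    set bit 0 in every local file header (flag at offset 6) and central
    directory header (flag at offset 8). Only the metadata changes; the
    stored payload is untouched, which is enough to exercise the detector.
    ZIP_STORED keeps the payload bytes literal so the signature search
    below cannot collide with compressed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | 0x0001)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: not a real JPEG, just bytes standing in for one.
    sample = {"photo.jpg": b"\xff\xd8 fake jpeg payload \xff\xd9"}
    for flag in (False, True):
        body = make_zip(sample, encrypted=flag)
        print(f"encrypted={flag}: members={encrypted_members(body)} "
              f"verdict={verdict(body)}")
```

The same flag is what lets amavisd label the part undecipherable before any attempt to open it, so a rule keyed on that label fires even though the scanner never sees the jpg inside. Note that the flag is attacker-controlled metadata: a file with bit 0 set but no real encryption is still flagged, which is the safe direction for a ban rule but worth knowing when tuning false positives.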


More information about the amavis-users mailing list