blocking encrypted zips?
Michael Scheidell
michael.scheidell at secnap.com
Tue May 17 20:32:35 CEST 2011
On 5/17/11 2:05 PM, Andreas Schulze wrote:
> Michael,
>> what is the best way to do it? I think I can have clamav do it, or
>> amavisd do it, right?
> Yes, you can use both.
> As far as I know, amavisd can also detect everything that clamav can detect.
> but keep in mind that the next clamav release will improve the handling of encrypted pdf.
>
> Andreas
>
Any hint as to how to do it in amavisd-new with policy-based SQL?
The test file is a password-protected (-e) zip with a jpg in it.
I got for @. (id1), policy=101
For policy 101, I have banned_rulenames: NO-ENCRYPT,NO-EXE
In amavisd.conf:
%banned_rules = (
  # executable and script file extensions
  'NO-EXE' => new_RE(
    qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|url|vbe|vbs)$'i,
  ),
  # rule meant to catch encrypted (undecipherable) content
  'NO-ENCRYPT' => new_RE( qr'.\.(UNDECIPHERABLE)$'i, ),
  'DEFAULT' => new_RE( [ qr'.*' => 0 ]),
);
amavisd does know it's protected; the subject line gets changed to *** UNCHECKED ***
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Best Intrusion Prevention Product, Networks Product Guide
* Certified SNORT Integrator
* Hot Company Award, World Executive Alliance
* Best in Email Security, 2010 Network Products Guide
* King of Spam Filters, SC Magazine