Double zipped windows executables
Noel Jones
njones at megan.vbhcs.org
Thu Sep 6 16:54:05 CEST 2012
On 9/6/2012 7:44 AM, Helga Mayer wrote:
> Hello
>
> we are receiving double zipped windows executables containing a virus
> which is not (yet) recognised by clamav.
>
> Is there a way to reject or quarantine mails with double packed
> attachments ?
>
> Greetings
> Helga Mayer
You should be able to block this with the $banned_namepath_re
feature. Find examples in amavisd.conf-sample
Here's my UNTESTED and likely WRONG attempt:
qr'(?# BLOCK DOUBLE ZIPPED FILES )
\A (.*\t)? T=zip (.*\t)? N= [^\t\n]* \. (zip) (\t.*)? $'xmi,
Feel free to post corrections or improvements.
-- Noel Jones
More information about the amavis-users
mailing list