anomy-list

RE: File exclusion question : Somecompany.com.doc

From: Kevin Shanahan (112635@xyz.molar.is)
Date: Wed 28 Jan 2004 - 21:31:50 GMT


    On Thu, 2004-01-29 at 06:52, Peter Mueller wrote:
    > > To the original poster then, I suggest just adding the "\s*$"
    > > to the end
    > > of file_list_2. Then your first rule will still catch
    > > dangerous "middle
    > > extensions".
    >
    > So something like..
    >
    > # Outlook Calendar appointments
    > file_list_2 += |ics
    > # Source code:
    > file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
    > # Allow documents with some silly extensions through, e.g.
    > Somecompany.com.doc
    > File_list_2 += |\s*$
                     ^
    Remove that "pipe" and then you'll have what I meant.
    e.g. file_list_2 += \s*$

    > file_list_2_policy = accept
    > file_list_2_scanner = 0
    >
    > > Perhaps it's then also worthwhile to add a double and/or triple
    > > extension rule.
    >
    > File_list_2 += |\s*$\s*$\s*$ ?

    You want to catch filenames with three dots in then, so it would be more
    like this:

    file_list_3 = \..*\..*\.
    file_list_3_scanner = 0
    file_list_3_policy = save

    A safer way to order things might be:

    list 1: virus scanner - drop/save infections, otherwise unknown
    list 2: triple extension - drop/save attachment
    list 3: allow known good extensions (e.g. ".doc", etc)
    list 4: drop/save undesirable attachments (".exe", ".pif", etc.)
    default: mangle

    Here's a basic rule set that might work (untested, extension lists
    incomplete):

    file_list_rules = 4
    file_list_policy = defang

    # List 1 - everything goes through the virus scanner
    file_list_1 = .*
    file_list_1_scanner = 0:1:2:/path/to/virus/scanner
    file_list_1_policy = unknown:save:save:save

    # List 2 - triple extensions considered dangerous
    file_list_2 = \..*\..*\.
    file_list_2_scanner = 0
    file_list_2_policy = save

    # List 3 - explicitly allowed extensions (at end of filename)
    file_list_3 = (?i)\.(doc|xls|txt|html?)\s*$
    file_list_3_scanner = 0
    file_list_3_policy = accept

    # List 4 - dangerous file extensions (not always at the end of the name)
    file_list_4 = (?i)\.(exe|pif|bat|cmd)\s*
    file_list_4_scanner = 0
    file_list_4_policy = save

    Can anyone see potential problems with a setup like this?

    Cheers,
    Kevin.
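As an added illustration (not Anomy Sanitizer's own code, and not part of the original mail), the following Python script models lists 2 to 4 of the rule set above with Python's `re` module standing in for Anomy's Perl regexp engine. It assumes first-match evaluation of the lists in order (the scanner-driven list 1 is left out), and it also reproduces the `|\s*$` mistake Kevin points at: a stray alternation turns the "allowed extensions" rule into one that matches every filename. The rule names, `RULES`, `classify` and `which_match` are this example's own.

```python
import re

# Constructed rule set mirroring lists 2-4 of the proposed Anomy config.
# (name, regexp, policy); list 1 (virus scanner) is omitted here.
RULES = [
    ("list2_triple_extension", r"\..*\..*\.", "save"),
    ("list3_allowed", r"(?i)\.(doc|xls|txt|html?)\s*$", "accept"),
    ("list4_dangerous", r"(?i)\.(exe|pif|bat|cmd)\s*", "save"),
]
DEFAULT_POLICY = "defang"   # file_list_policy in the proposed config

# Same rules with the "allowed" list moved ahead of the triple-extension
# list, to show why Kevin puts the triple-extension check first.
ALLOW_FIRST = [RULES[1], RULES[0], RULES[2]]

# The quoted mistake: "file_list_2 += |\s*$" appends an alternation, so the
# regexp becomes "(...)|\s*$" and the right-hand branch matches any name.
BUGGY_ALLOW = r"(?i)\.(doc|xls)|\s*$"
# What Kevin meant: anchor the extension group to the end of the name.
FIXED_ALLOW = r"(?i)\.(doc|xls)\s*$"

# Constructed attachment names used for the demonstration.
SAMPLES = ["Somecompany.com.doc", "report.doc", "notes.doc.exe", "setup.pif"]


def classify(filename, rules=RULES):
    """Return (list_name, policy) of the first rule whose regexp matches the
    attachment name, or ("default", DEFAULT_POLICY) if none does.
    First-match evaluation is an assumption of this example."""
    for name, pattern, policy in rules:
        if re.search(pattern, filename):
            return name, policy
    return "default", DEFAULT_POLICY


def which_match(pattern, names):
    """Return the subset of names that a single list regexp matches."""
    return [n for n in names if re.search(pattern, n)]


if __name__ == "__main__":
    for name in SAMPLES + ["invoice.pdf.exe.doc", "photo.jpg"]:
        print(f"{name:22} -> {classify(name)}")
    # With the allowed list first, a triple-extension name ending in .doc
    # would be accepted instead of saved.
    print("swapped order:", classify("invoice.pdf.exe.doc", ALLOW_FIRST))
    print("buggy allow list matches:", which_match(BUGGY_ALLOW, SAMPLES))
    print("fixed allow list matches:", which_match(FIXED_ALLOW, SAMPLES))
```

Running it shows that `Somecompany.com.doc` (two dots) falls through the triple-extension list and is accepted by list 3, that `invoice.pdf.exe.doc` is saved only because list 2 is checked before list 3, and that the `|\s*$` variant matches all four sample names, including `notes.doc.exe` and `setup.pif`.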


