On Thu, 2004-01-29 at 06:52, Peter Mueller wrote:
> > To the original poster then, I suggest just adding the "\s*$" to the end
> > of file_list_2. Then your first rule will still catch dangerous "middle
> > extensions".
>
> So something like..
>
> # Outlook Calendar appointments
> file_list_2 += |ics
> # Source code:
> file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
> # Allow documents with some silly extensions through, e.g. Somecompany.com.doc
> File_list_2 += |\s*$
                 ^
Remove that "pipe" and then you'll have what I meant.
e.g. file_list_2 += \s*$

> file_list_2_policy = accept
> file_list_2_scanner = 0
>
> > Perhaps it's then also worthwhile to add a double and/or triple
> > extension rule.
>
> File_list_2 += |\s*$\s*$\s*$ ?

You want to catch filenames with three dots in them, so it would be more
like this:

file_list_3 = \..*\..*\.
file_list_3_scanner = 0
file_list_3_policy = save

A safer way to order things might be:

  list 1: virus scanner - drop/save infections, otherwise unknown
  list 2: triple extension - drop/save attachment
  list 3: allow known good extensions (e.g. ".doc", etc)
  list 4: drop/save undesirable attachments (".exe", ".pif", etc.)
  default: mangle

Here's a basic rule set that might work (untested, extension lists
incomplete):

file_list_rules = 4
file_list_policy = defang

# List 1 - everything goes through the virus scanner
file_list_1 = .*
file_list_1_scanner = 0:1:2:/path/to/virus/scanner
file_list_1_policy = unknown:save:save:save

# List 2 - triple extensions considered dangerous
file_list_2 = \..*\..*\.
file_list_2_scanner = 0
file_list_2_policy = save

# List 3 - explicitly allowed extensions (at end of filename)
file_list_3 = (?i)\.(doc|xls|txt|html?)\s*$
file_list_3_scanner = 0
file_list_3_policy = accept

# List 4 - dangerous file extensions (not always at the end of the name)
file_list_4 = (?i)\.(exe|pif|bat|cmd)\s*
file_list_4_scanner = 0
file_list_4_policy = save

Can anyone see potential problems with a setup like this?

Cheers,
Kevin.
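
Added example, not part of the original message or of the sanitizer's own code: a small Python model for dry-running the four proposed lists against filenames before deploying them. It assumes lists are tried in order and that an `unknown` policy means "try the next list"; `decide`, `scanner_exit` and the sample filenames are constructed for illustration.

```python
import re

# List 1 matches everything; its policy depends on the scanner exit code
# (file_list_1_scanner = 0:1:2:..., file_list_1_policy = unknown:save:save:save).
SCANNER_POLICY = {0: "unknown", 1: "save", 2: "save"}
SCANNER_OTHER = "save"            # fourth policy: any other exit code

# Lists 2-4 from the message, in order: (regex, policy when the name matches).
RULES = [
    (r"\..*\..*\.", "save"),                        # list 2: three dots
    (r"(?i)\.(doc|xls|txt|html?)\s*$", "accept"),   # list 3: allowed, at end of name
    (r"(?i)\.(exe|pif|bat|cmd)\s*", "save"),        # list 4: dangerous, anywhere
]
DEFAULT_POLICY = "defang"         # file_list_policy


def decide(filename, scanner_exit=0):
    """Return (list_number, policy) for the first list giving a final policy.

    Assumption: first match wins and 'unknown' falls through to the next list.
    scanner_exit stands in for the external virus scanner's exit code.
    """
    policy = SCANNER_POLICY.get(scanner_exit, SCANNER_OTHER)
    if policy != "unknown":
        return 1, policy
    for number, (pattern, rule_policy) in enumerate(RULES, start=2):
        # Unanchored search, like a Perl =~ match.
        if re.search(pattern, filename):
            return number, rule_policy
    return None, DEFAULT_POLICY


# Constructed sample filenames.
SAMPLES = ["notes.doc", "Somecompany.com.doc", "www.somecompany.com.doc",
           "report.v1.2.xls", "setup.exe", "setup.exe.doc", "photo.jpg"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:26} -> {decide(name)}")
```

Under these assumptions the three-dot rule also saves ordinary names such as `report.v1.2.xls`, and because list 3 is consulted before list 4, a name ending in an allowed extension is accepted even when a list 4 extension appears earlier in it.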