anomy-list

RE: File exclusion question : Somecompany.com.doc

From: 112819@xyz.molar.is
Date: Wed 28 Jan 2004 - 22:21:44 GMT


    I've been using this since before the "unknown" parameter, so that's kind
    of new, and nice to me.
    From a server load perspective, I would make the first rule one that drops
    bad files without scanning first, so that really evil vbs, scr, pif, cmd
    files (etc.) can be dropped without having to start a virus scanning
    process.
    I know that every extension of the new MyDoom virus is immediately dropped
    (actually saved) on my mail server, with the exception of zip, which gets
    scanned first.
    That has kept my processor load reasonable, even while being pummeled with
    email.
    I also have a list which allows through safe files, without scanning, but
    YMMV with this one. My company uses Lotus Notes, and my Notes servers
    perform a second level of virus scanning on all attachments, so this has
    not raised any issues yet.
    Personally, I would be happy blocking any files with two or more
    extensions, and then I can feel kind of safe not scanning gif or txt files,
    etc, but I can do that, because I am the only UNIX user in the company, and
    I don't send .tar.gz files or the like via email.

    --
    Robert C. Litman
    http://www.rlitman.com
    ftp://ftp.rlitman.com
    112861@xyz.molar.is

    Kevin Shanahan <112903@xyz.molar.is> wrote on 01/28/2004 04:31 PM:
    To: 112768@xyz.molar.is
    Subject: RE: [anomy-list]: File exclusion question : Somecompany.com.doc

    On Thu, 2004-01-29 at 06:52, Peter Mueller wrote:
    > > To the original poster then, I suggest just adding the "\s*$" to the end
    > > of file_list_2. Then your first rule will still catch dangerous "middle
    > > extensions".
    >
    > So something like..
    >
    > # Outlook Calender appointments
    > file_list_2 += |ics
    > # Source code:
    > file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
    > # Allow documents with some silly extensions through, e.g.
    > Somecompany.com.doc
    > File_list_2 += |\s*$
                     ^
    Remove that "pipe" and then you'll have what I meant.
    e.g. file_list_2 += \s*$

    > file_list_2_policy = accept
    > file_list_2_scanner = 0
    >
    > > Perhaps it's then also worthwhile to add a double and/or triple
    > > extension rule.
    >
    > File_list_2 += |\s*$\s*$\s*$ ?

    You want to catch filenames with three dots in then, so it would be more
    like this:

    file_list_3 = \..*\..*\.
    file_list_3_scanner = 0
    file_list_3_policy = save

    A safer way to order things might be:

    list 1: virus scanner - drop/save infections, otherwise unknown
    list 2: triple extension - drop/save attachment
    list 3: allow known good extensions (e.g. ".doc", etc)
    list 4: drop/save undesirable attachments (".exe", ".pif", etc.)
    default: mangle

    Here's a basic rule set that might work (untested, extension lists
    incomplete):

    file_list_rules = 4
    file_list_policy = defang

    # List 1 - everything goes through the virus scanner
    file_list_1 = .*
    file_list_1_policy = unknown:save:save:save

    # List 2 - triple extensions considered dangerous
    file_list_2 = \..*\..*\.
    file_list_2_scanner = 0
    file_list_2_policy = save

    # List 3 - explicitly allowed extensions (at end of filename)
    file_list_3 = (?i)\.(doc|xls|txt|html?)\s*$
    file_list_3_scanner = 0
    file_list_3_policy = accept

    # List 4 - dangerous file extensions (not always at the end of the name)
    file_list_4 = (?i)\.(exe|pif|bat|cmd)\s*
    file_list_4_scanner = 0
    file_list_4_policy = save

    Can anyone see potential problems with a setup like this?

    Cheers,
    Kevin.
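    To see how the four-list rule set above behaves on concrete attachment names, here is an added Python model (not Anomy code, and not part of the original thread) that walks the lists in order with a simulated scanner verdict. It assumes first-match-wins evaluation, unanchored regex search against the file name, and that an "unknown" verdict from a scanner list falls through to the next list.

```python
import re

# Constructed model of the rule set posted above (patterns copied from it).
# Each entry: (list name, compiled regex, uses scanner?, policy string).
# For a scanner list the policy is "clean-verdict:infected-verdict" (assumption:
# a real Anomy policy string has one slot per scanner exit code).
RULES = [
    ("list1", re.compile(r".*"),                            True,  "unknown:save"),
    ("list2", re.compile(r"\..*\..*\."),                    False, "save"),
    ("list3", re.compile(r"(?i)\.(doc|xls|txt|html?)\s*$"), False, "accept"),
    ("list4", re.compile(r"(?i)\.(exe|pif|bat|cmd)\s*"),    False, "save"),
]
DEFAULT_POLICY = "defang"   # file_list_policy from the posted config


def classify(filename, infected=False):
    """Return (policy, list name) for one attachment name.

    Lists are tried in order; the first list whose regex matches decides,
    except that an 'unknown' scanner verdict falls through (assumption).
    `infected` simulates the virus scanner's result for list 1.
    """
    for name, pattern, uses_scanner, policy in RULES:
        if not pattern.search(filename):
            continue
        if uses_scanner:
            clean_verdict, infected_verdict = policy.split(":")
            verdict = infected_verdict if infected else clean_verdict
            if verdict == "unknown":
                continue          # scanner had no opinion: keep going
            return verdict, name
        return policy, name
    return DEFAULT_POLICY, "default"


if __name__ == "__main__":
    # Constructed sample names, including the one from the thread subject.
    samples = ["Somecompany.com.doc", "a.b.c.doc", "report.exe",
               "photo.jpg", "evil.exe.doc", "notes.txt "]
    for name in samples:
        policy, hit = classify(name)
        print(f"{name!r:24} -> {policy:7} ({hit})")
```

    Running it shows that "evil.exe.doc" is accepted by list 3 without ever reaching list 4, because the allow-list is consulted before the dangerous-extension list; only the scanner in list 1 stands between such a name and delivery.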



    hosted by molar.is