I've been using this since before the "unknown" parameter, so that's kind
of new, and nice to me.
From a server load perspective, I would make the first rule one that drops
bad files without scanning first, so that really evil vbs, scr, pif, cmd
files (etc.) can be dropped without having to start a virus scanning
I know that every extension of the new MyDoom virus is immediately dropped
(actually saved) on my mail server, with the exception of zip, which gets
That has kept my processor load reasonable, even while being pummeled with
I also have a list which allows through safe files, without scanning, but
YMMV with this one. My company uses Lotus Notes, and my Notes servers
perform a second level of virus scanning on all attachments, so this has
not raised any issues yet,
Personally, I would be happy blocking any files with two or more
extensions, and then I can feel kind of safe not scanning gif or txt files,
etc., but I can do that, because I am the only UNIX user in the company, and
I don't send .tar.gz files or the like via email.
Robert C. Litman
http://www.rlitman.com
ftp://ftp.rlitman.com
email@example.com
From: firstname.lastname@example.org
To: email@example.com
Subject: RE: [anomy-list]: File exclusion question : Somecompany.com.doc
On Thu, 2004-01-29 at 06:52, Peter Mueller wrote:
> > To the original poster then, I suggest just adding the "\s*$"
> > to the end
> > of file_list_2. Then your first rule will still catch
> > dangerous "middle
> > extensions".
> So something like..
> # Outlook Calendar appointments
> file_list_2 += |ics
> # Source code:
> file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
> # Allow documents with some silly extensions through, e.g.
> File_list_2 += |\s*$
Remove that "pipe" and then you'll have what I meant.
e.g. file_list_2 += \s*$
> file_list_2_policy = accept
> file_list_2_scanner = 0
> > Perhaps it's then also worthwhile to add a double and/or triple
> > extension rule.
> File_list_2 += |\s*$\s*$\s*$ ?
You want to catch filenames with three dots in them, so it would be more
file_list_3 = \..*\..*\.
file_list_3_scanner = 0
file_list_3_policy = save
A safer way to order things might be:
list 1: virus scanner - drop/save infections, otherwise unknown
list 2: triple extension - drop/save attachment
list 3: allow known good extensions (e.g. ".doc", etc)
list 4: drop/save undesirable attachments (".exe", ".pif", etc.)
Here's a basic rule set that might work (untested, extension lists
file_list_rules = 4
file_list_policy = defang
# List 1 - everything goes through the virus scanner
file_list_1 = .*
file_list_1_policy = unknown:save:save:save
# List 2 - triple extensions considered dangerous
file_list_2 = \..*\..*\.
file_list_2_scanner = 0
file_list_2_policy = save
# List 3 - explicitly allowed extensions (at end of filename)
file_list_3 = (?i)\.(doc|xls|txt|html?)\s*$
file_list_3_scanner = 0
file_list_3_policy = accept
# List 4 - dangerous file extensions (not always at the end of the name)
file_list_4 = (?i)\.(exe|pif|bat|cmd)\s*
file_list_4_scanner = 0
file_list_4_policy = save
Can anyone see potential problems with a setup like this?
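As an added example (not part of this thread and not code from the Anomy Sanitizer distribution), here is a small Python evaluator that runs the four regexes from the rule set above over some constructed filenames, using the semantics the post describes: rules are tried in order, the first match decides, and a clean result from the scanner rule ("unknown") falls through to the next rule. The scanner is a hypothetical callback, the way the `unknown:save:save:save` policy string is applied (first field for a clean result, `save` for anything else) is an assumption taken from the post's own summary of list 1, and the sample names are constructed. It shows what the ordering does with names like `notes.exe.txt` and `report.executive.pdf`.

```python
import re

# Added example, not code from the thread or from Anomy Sanitizer.
# The four regexes below are copied from the posted rule set; everything
# else (the evaluator, the scanner callback, the sample names) is constructed
# to show how that ordering classifies filenames.

DEFAULT_POLICY = "defang"   # file_list_policy in the posted config

# (list number, regex, policy). "scan" stands for list 1's scanner policy
# "unknown:save:save:save"; how that string is applied is modelled in
# classify() below.
RULES = [
    (1, r".*",                              "scan"),    # everything through the scanner
    (2, r"\..*\..*\.",                      "save"),    # three or more dots
    (3, r"(?i)\.(doc|xls|txt|html?)\s*$",   "accept"),  # allowed, only at end of name
    (4, r"(?i)\.(exe|pif|bat|cmd)\s*",      "save"),    # dangerous, anywhere in name
]


def clean_scanner(filename):
    """Hypothetical virus scanner that reports every file as clean."""
    return "clean"


def classify(filename, scanner=clean_scanner):
    """Return (list number, policy) for filename; (0, DEFAULT_POLICY) if nothing matches.

    Rules are tried in order and the first match decides. For list 1 the
    policy string unknown:save:save:save is modelled (assumption, based on the
    post's own summary) as: a clean scan result -> "unknown", i.e. fall through
    to the next list; any other scanner result -> save.
    """
    for number, pattern, policy in RULES:
        if not re.search(pattern, filename):
            continue
        if policy == "scan":
            if scanner(filename) == "clean":
                continue        # "unknown": keep going down the lists
            return number, "save"
        return number, policy
    return 0, DEFAULT_POLICY


def classify_all(filenames, scanner=clean_scanner):
    """Classify several names; returns {filename: (list number, policy)}."""
    return {name: classify(name, scanner) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the one from the Subject line.
    samples = [
        "Somecompany.com.doc",   # two dots, ends in .doc  -> list 3 accepts
        "invoice.txt.exe",       # ends in .exe            -> list 4 saves
        "notes.exe.txt",         # ends in .txt            -> list 3 accepts first
        "a.b.c.exe",             # three dots              -> list 2 saves
        "report.executive.pdf",  # ".exe" inside a word    -> list 4 saves
        "photo.jpg",             # nothing matches         -> default policy
    ]
    for name, (number, policy) in classify_all(samples).items():
        print(f"{name:24} list {number}: {policy}")
```

Two results are worth noticing. `notes.exe.txt` is accepted by list 3 on its trailing `.txt` before list 4 ever runs, which is the "middle extension" case the earlier reply wanted the first rule to catch. And because list 4's `\.(exe|pif|bat|cmd)\s*` has no trailing anchor or word boundary, it also matches the `.exe` prefix of `.executive` in `report.executive.pdf`, so that name gets saved as dangerous. Anomy's actual `file_list` matching semantics should be checked against its documentation before relying on this model.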