anomy-list

Anomy not processing certain attachments

From: Jackson, Jeff (121104@xyz.molar.is)
Date: Wed 31 Mar 2004 - 23:14:13 GMT


Anomy is missing certain files that it should be catching. These are always files infected with one variant or another of the SomeFool worm.

Files with headers like this:

  ------=_NextPart_000_0008_000040A3.0000606D
  Content-Type: application/octet-stream;
          name="your_letter.pif"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
          filename="your_letter.pif"

And like this:

  --42844388
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: 7bit
 
  misc
 
  --42844388
  Content-Type: application/x-zip-compressed; name="mail2.zip"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="mail2.zip"

These messages are being processed through Anomy, but Anomy isn't touching the attachment. The .zip file should have been caught by rule set 1 (see below). Both the .zip and .pif file should have been scanned and dropped by rule set 2, which runs clamdscan. When I manually run clamdscan against the messages, it detects the virus. Finally, the .pif file should have been dropped by rule set 5, which drops files with various extensions. These rules work against the test files I push through the system, so I know the rules can work. So, my question is, why is Anomy allowing these particular files to go through? Anomy is running on a RH9 box with the latest version of Postfix.

Jeff

# Scan zip files for banned file extensions
file_list_1 = (?i)(\.zip\s*)
file_list_1_policy = unknown:save:save:save
file_list_1_scanner = 0:::/usr/local/bin/zip_policy.pl %FILENAME

# Attempt to scan attachments with ClamAV
file_list_2 = (?i).*
file_list_2_policy = unknown:mangle:save:save
file_list_2_scanner = 0:2:3:/usr/local/anomy/bin/clamav.sh %FILENAME

# Delete executable, script and unscannable attachments:
file_list_5 = (?i)(\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]
file_list_5 += |isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp
file_list_5 += |ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht
file_list_5 += |url|exe|ws[cfh]|ops|com|prx))\s*$
file_list_5_policy = drop
file_list_5_scanner = 0
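
One check that separates a pattern problem from a parsing problem, as an added example that is not part of the original post and not Anomy code: extract the attachment filenames from a message and test them against the three posted `file_list_N` patterns. It assumes each pattern is applied as a regex search against the attachment filename; the sample message is constructed from the two header fragments above, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Patterns copied from the posted config (file_list_5 joined across its "+=" lines).
RULES = {
    1: r"(?i)(\.zip\s*)",
    2: r"(?i).*",
    5: r"(?i)(\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]"
       r"|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp"
       r"|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht"
       r"|url|exe|ws[cfh]|ops|com|prx))\s*$",
}

# Constructed sample: both header fragments from the post, placeholder base64 bodies.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="42844388"

--42844388
Content-Type: text/plain; charset=us-ascii

misc
--42844388
Content-Type: application/x-zip-compressed; name="mail2.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mail2.zip"

AAAA
--42844388
Content-Type: application/octet-stream;
        name="your_letter.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_letter.pif"

AAAA
--42844388--
"""

def attachment_names(raw):
    """Filenames declared by MIME parts (Content-Disposition, else Content-Type name)."""
    return [n for n in (p.get_filename() for p in message_from_string(raw).walk()) if n]

def matching_rules(filename):
    """Rule numbers whose pattern matches (assumption: regex search on the filename)."""
    return [n for n, pattern in RULES.items() if re.search(pattern, filename)]

if __name__ == "__main__":
    for name in attachment_names(SAMPLE):
        print(f"{name}: matches file_list {matching_rules(name)}")
```

This only exercises the patterns and Python's own MIME parser; it does not reproduce how Anomy itself parses the message or chains rule policies.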


