Hello all.
A few corrections to Rick's zip_policy.pl:
1. Extension analysis must be case-independent. .EXE is not much better than .exe
*** 74,80 ****
# USER SETTINGS:
# Regular expression of files not permitted in ZIP:
! my $filelist = '\.(exe|com|vb[se]|dll|ocx|pi|cmd|bat|pif?|lnk|hlp|ms[ip]|reg|sct|inf';
$filelist .= '|asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|swf|vcf|eml|nws';
$filelist .= '|mim|uue?|b64|b[hq]x|xxe)';
--- 74,80 ----
# USER SETTINGS:
# Regular expression of files not permitted in ZIP:
! my $filelist =
'(?i)\.(exe|com|vb[se]|dll|ocx|pi|cmd|bat|pif?|lnk|hlp|ms[ip]|reg|sct|inf';
$filelist .= '|asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|swf|vcf|eml|nws';
$filelist .= '|mim|uue?|b64|b[hq]x|xxe)';
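Review bot: both range headers still read `74,80` although the new side of the hunk shows one line more than the old, so the break after `! my $filelist =` looks like mail-client wrapping and the patch may not apply as pasted; re-join it onto one line (or use a unified diff attached as a file). Using an inline `(?i)` is the right choice here, because `$filelist` is a plain string that `membersMatching()` compiles later rather than a literal `m//`, but the comment on the line above (`# Regular expression of files not permitted in ZIP:`) should also say the match is case-insensitive so nobody re-adds uppercase variants by hand. One caveat worth stating in that comment too: the pattern has no end anchor, so `\.(exe|...)` also matches names such as `report.exe.txt`, which is the conservative (block-more) direction.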
***************
2. /usr/bin/perl seems to be a more universal default than /usr/local/bin/perl
*** 1,4 ****
! #!/usr/local/bin/perl
#
# zip_policy.pl 0.01
#
--- 1,4 ----
! #!/usr/bin/perl
#
# zip_policy.pl 0.01
#
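Review bot: switching the shebang to `/usr/bin/perl` still hard-codes one location; if the goal is portability, `#!/usr/bin/env perl` picks up whichever perl is first on PATH. For a script that a mail sanitizer invokes from the MTA, though, an absolute path is more predictable than a PATH lookup, so either keep an absolute path and document it in the header comment under `# zip_policy.pl 0.01`, or make the interpreter path an install-time setting.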
3. $zip->eocdOffset() does not work in Archive::Zip 1.39, Debian 3.02. Should we
define an exact Archive::Zip version?
*** 162,173 ****
# Abort if this is a multi-disk zip:
die "Multi-volume zip file. Cannot process.\n" if
$zip->diskNumberWithStartOfCentralDirectory();
- # Warn about file weirdness: (not certain this works as advertised)
- if ($zip->eocdOffset())
- {
- warn "Zip file offset doesn't match file! Possibly altered.\n";
- }
-
# Tally total files matching regexp:
$disallowed += $zip->membersMatching( $filelist );
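Review bot: deleting the `eocdOffset()` block removes the only check for an archive whose end-of-central-directory record does not sit where the file says it should, which is a useful tamper signal even though it only produced a `warn`. Instead of dropping it, guard it so it runs where the method exists and is skipped elsewhere; that also answers the version question without pinning Archive::Zip:
`if ($zip->can('eocdOffset') && $zip->eocdOffset())`
`{ warn "Zip file offset doesn't match file! Possibly altered.\n"; }`
The preceding `die` for multi-volume archives is untouched, so only the warning path changes.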
Thank you for the good tools!
Alexey
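Points 1 and 3 together, as an added example that is not part of this post or of zip_policy.pl: it builds a small archive in a temporary file (member names are constructed for the test), runs the case-insensitive banned-extension pattern through Archive::Zip's membersMatching(), and keeps the EOCD sanity check behind a can() guard so it only runs on Archive::Zip versions that provide eocdOffset(). It assumes Archive::Zip and File::Temp are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# Banned-extension pattern from zip_policy.pl with the inline (?i)
# modifier, so .EXE, .Scr and .exe are all caught.
my $filelist = '(?i)\.(exe|com|vb[se]|dll|ocx|pi|cmd|bat|pif?|lnk|hlp|ms[ip]|reg|sct|inf';
$filelist .= '|asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|swf|vcf|eml|nws';
$filelist .= '|mim|uue?|b64|b[hq]x|xxe)';

# Constructed sample archive: names chosen to exercise the
# case-insensitive match; the member contents are placeholders.
my $build = Archive::Zip->new();
$build->addString('not really a program',     'INVOICE.EXE');
$build->addString('plain text',               'readme.txt');
$build->addString('not really a screensaver', 'photos.Scr');
my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
close $fh;
$build->writeToFileNamed($path) == AZ_OK or die "cannot write $path\n";

# Read it back the way zip_policy.pl reads an attachment.
my $zip = Archive::Zip->new();
$zip->read($path) == AZ_OK or die "cannot read $path\n";

# Abort if this is a multi-disk zip (unchanged from the script).
die "Multi-volume zip file. Cannot process.\n"
    if $zip->diskNumberWithStartOfCentralDirectory();

# Keep the EOCD offset check, but only where this Archive::Zip
# version implements eocdOffset(); older versions skip it.
if ($zip->can('eocdOffset') && $zip->eocdOffset()) {
    warn "Zip file offset doesn't match file! Possibly altered.\n";
}

# In list context membersMatching() returns the matching members;
# the script uses scalar context to get the count.
my @hits       = $zip->membersMatching($filelist);
my $disallowed = scalar @hits;
print "$disallowed disallowed member(s): ",
      join(', ', map { $_->fileName } @hits), "\n";
```

With the names above, INVOICE.EXE and photos.Scr are reported and readme.txt is not; without the (?i) modifier only a lowercase .exe or .scr would match.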
Rick Johnson wrote:
> Derrick Webber wrote:
>
>>We've posted "zip_policy.pl" to our web site. It's a small extension for
>>Anomy Sanitizer that examines ZIP attachments for banned file
>>extensions, encrypted content and other potential nastiness.
>
> Thanks! In the past, we were using uvscan (can't open password protected
> ZIPs) which meant that we were prone to receiving the encrypted ZIP
> files sent by bagel.x - and had to enable a ClamAV milter solution
> (ClamAV can detect these). While I won't be ditching that solution or
> Sanitizer, I can add this script to ensure that the ZIP files that may
> pass through ClamAV are properly dealt with.
>
> -Rick