This is a discussion on Re: [AMaViS-user] Someone missed a virus.. within the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.
> -----Original Message-----
> From: amavis-user-bounces@lists.sourceforge.net
> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf
> Of Mark Martinec
> Sent: Saturday, June 16, 2007 9:17 AM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> Michael,
>
> > Guess we have a path problem:
> > -r-xr-xr-x 1 root wheel 11232 Jun 1 07:36 /usr/local/bin/file
> > -r-xr-xr-x 1 root wheel 10300 Nov 8 2006 /usr/bin/file
> >
> > But, amavisd-new will use /usr/local/bin/file first?
> > Jun 16 07:34:44 fl amavis[15952]: Found $file at /usr/local/bin/file
>
> Yes, intentionally. Often the one installed by user is
> fresher than the one bundled with a system. But this is under
> user's control, the default $path variable in amavisd is
> empty, it is always explicitly assigned to in amavisd.conf, e.g.
>
> $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
>
> > So, we patch amavisd or file?
>
> If file(1) gives wrong result, it needs to be fixed or
> replaced. I doubt there is anything in amavisd in this regard.

Noel 'hacked' amavisd and got it to work (well, workaround). Not that I SUGGEST this, would this hurt anything? Just adding a [qr/^Microsoft Installer\b/i => 'doc'], line under office?

Quick edit to /usr/local/sbin/amavisd...

--- amavisd.2.5.1 Fri Jun 15 18:02:10 2007 +++ amavisd Fri Jun 15 18:07:31 2007 
@@ -983,4 +983,5 @@ [qr/^Rich Text Format data\b/ => 'rtf'], [qr/^Microsoft Office Document\b/i => 'doc'], # OLE2: doc, ppt, xls, ... + [qr/^Microsoft Installer\b/i => 'doc'], # OLE2: doc, ppt, xls, + ... [qr/^ms-windows meta(file|font)\b/i => 'wmf'], [qr/^LaTeX\b.*\bdocument text\b/ => 'lat'],

And now it blocks it...

Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type: multipart/mixed
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1 Content-Type: text/plain, size: 14 B, name:
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2 Content-Type: application/msword, size: 216576 B, name: test_document_with_EXE.doc
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1 njones@mgate2.vbhcs.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc | P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe", matching_key="(?-xism:^\\.(exe-ms|dll)$)"

--
Noel Jones
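
Review bot: the added 'Microsoft Installer' line carries the trailing comment copied from the 'Microsoft Office Document' line above it, and mail wrapping has pushed the end of that comment onto its own '+ ...' line, so the hunk now shows two added lines while the header '@@ -983,4 +983,5 @@' accounts for one. As posted the patch would not apply cleanly, and a bare '...' inside the list is not a valid entry. Suggest resending the hunk unwrapped, and replacing the copied comment with one that says why the entry exists: it is a workaround for file(1) reporting the test document as 'Microsoft Installer', and it makes every input that file(1) describes that way be handled as 'doc'.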
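
A way to check the situation discussed in this thread, where two copies of file(1) sit on amavisd's search path and the first one found wins. This is an added example, not part of the original messages or of amavisd; the function names are hypothetical, and the search path is the $path value quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of amavisd.

# Print every executable called $1 along the colon-separated path $2,
# in lookup order. Runs in a subshell so IFS and noglob do not leak.
candidates_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
)

# The copy a first-match lookup selects.
first_in_path() {
    candidates_in_path "$1" "$2" | head -n 1
}

# Run each file(1) copy on sample $1 and print "binary<TAB>description"
# (-b is file's brief output, without the file name prefix).
compare_file_output() {
    sample=$1
    candidates_in_path file "$2" | while IFS= read -r bin; do
        printf '%s\t%s\n' "$bin" "$("$bin" -b "$sample" 2>&1 </dev/null)"
    done
}

# Succeeds when all copies give the same description for the sample.
file_outputs_agree() {
    n=$(compare_file_output "$1" "$2" | cut -f2- | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# $path value from the amavisd.conf example quoted in the thread.
AMAVIS_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'
if [ -n "${1:-}" ]; then
    echo "first match: $(first_in_path file "$AMAVIS_PATH")"
    compare_file_output "$1" "$AMAVIS_PATH"
    file_outputs_agree "$1" "$AMAVIS_PATH" ||
        echo "WARNING: file(1) copies disagree on $1"
fi
```

Run it with a sample attachment as the only argument; a disagreement between the copies means the type amavisd assigns depends on the order of directories in $path.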