Koozali.org: home of the SME Server

How to configure ClamAv to remove .exe, .bat attachments

cb-wizard
How to configure ClamAv to remove .exe, .bat attachments
« on: February 01, 2005, 09:19:36 AM »
How do I configure ClamAv to remove .exe and .bat attachment files?

Thanks

Chris
...


cb-wizard
How to configure ClamAv to remove .exe, .bat attachments
« Reply #2 on: February 01, 2005, 01:51:16 PM »
Hi Ray,

Thank you for the info.

A couple of the rpms from Gordon Rowell have changed version and need some additional files.

    perl-perl-ldap >= 0.31-1 is needed by e-smith-email-4.15.0-07gr07
    perl-Net-Server >= 0.85-1 is needed by e-smith-email-4.15.0-07gr07
    sortspam >= 1.1.0-02 is needed by e-smith-email-4.15.0-07gr07


I cannot seem to find the last file by searching with Google.


Thanks

Chris
...


CharlieBrady
Re: How to configure ClamAv to remove .exe, .bat attachments
« Reply #4 on: February 01, 2005, 10:25:11 PM »
Quote from: "cb-wizard"
How do I configure ClamAv to remove .exe and .bat attachment files?


clamav doesn't pull apart and re-assemble email messages. It just scans files and says whether they are good or bad.

hanscees
How to configure ClamAv to remove .exe, .bat attachments
« Reply #5 on: February 02, 2005, 12:06:39 AM »
Quote from: "RayMitchell"
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm



That contrib needs updating, since it is so valuable. I had a look into it and all packages should be other versions.

Shame, since blocking exes is usually good.

hc
nl.linkedin.com/in/hanscees/

raem
How to configure ClamAv to remove .exe, .bat attachments
« Reply #6 on: February 02, 2005, 05:49:29 AM »
Just use the more recent versions of the rpms that Gordon released. Most of the current howto is still applicable. I will get around to updating it soon (been meaning to for a while).
You can find those other required rpms at
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/devel/RPMS/i386/
...

cb-wizard
How to configure ClamAv to remove .exe, .bat attachments
« Reply #7 on: February 02, 2005, 07:01:43 AM »
Hi,


Beautiful, working.

Thank you all for the help.


Chris
...


hanscees
How to configure ClamAv to remove .exe, .bat attachments
« Reply #9 on: February 02, 2005, 09:57:50 PM »
Quote from: "RayMitchell"
Updated HOWTO
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm




thanks.

On the 6.5 beta this howto does not work. There is no /etc/tcprules/tcp.smtp.

Don't know if that will break things.

Hans-Cees
nl.linkedin.com/in/hanscees/

raem
How to configure ClamAv to remove .exe, .bat attachments
« Reply #10 on: February 03, 2005, 02:40:05 AM »
I have not tried it personally, but the release notes for sme 6.5 beta say that pattern matching functionality is included. I read a post that said the feature needed to be enabled with the appropriate command. That's why I included this paragraph in the howto:

"Additional Information:
Please note these rpms have been incorporated into the new contribs.org release of sme server v6.5 beta2. Pattern matching needs to be enabled using the commands listed below."

If anyone has any better information please advise and I can update the HOWTO.
...


hanscees
How to configure ClamAv to remove .exe, .bat attachments
« Reply #12 on: February 03, 2005, 11:15:25 PM »
Quote from: "RayMitchell"
Updated HOWTO with specific section relating to sme v6.5
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm



I tested this on 6.5b2. You can enable the patterns fine, but my test did not work as I expected.

I thought it would block all exes. I attached ghost.exe (a DOS exe), but it did not stop anything.

What would be a good test?

Update:
Some exes do get blocked, others don't. The install file of AdMuncher does get blocked.

I will look into this further. I take it that the most dangerous things are added in the database?



Hans-Cees
nl.linkedin.com/in/hanscees/

hanscees
How to configure ClamAv to remove .exe, .bat attachments
« Reply #13 on: February 05, 2005, 12:56:55 AM »
Tip to find the magic of a file: send it by email and look at the raw email. Very simple.


Found this link:
http://www.johncon.com/john/receivedIP/howto-virus.txt

It has many magic numbers of exe files that are used by viruses.

These are new:
T24gRXJ      virus
TVoAAAI      virus
TVpsAAE      virus
TVpAALQ      virus
TVpQAAI      virus
TVpsAAE      virus
TVpyAXk      virus

TVqQAAM      in howto: my tests show that most Windows exes are like this one, so block this for sure
TVpQAAI      in howto

UEsDBBQAAAAIA   but this also blocks all zips: don't

The howto mentions these:
UEsDBAoAA    zip version 1
UEsDBBQAA    zip version 2

AHhUYXgg     pif
AMlIbDk5Lm   pif 2
AMkgICAg     another pif I found. Let's block these
AHhIYW5k     another pif

I would say block these extra (all except zips, because zips do not execute right away):
AHhUYXgg
AMlIbDk5Lm
AMkgICAg
AHhIYW5k
T24gRXJ
TVoAAAI
TVpsAAE
TVpAALQ
TVpQAAI
TVpsAAE
TVpyAXk

So let's add them:

# PIF magic prefixes (one mailpatterns entry per prefix, matched at line start)
for i in AHhUYXgg AMlIbDk5Lm AMkgICAg AHhIYW5k
do
    /sbin/e-smith/db mailpatterns set PIF$i pattern \
        Body $i Description "PIF$i data" \
        Glob yes LineStart yes Status enabled
done

# exe magic prefixes used by viruses
for i in T24gRXJ TVoAAAI TVpsAAE TVpAALQ TVpQAAI TVpyAXk
do
    /sbin/e-smith/db mailpatterns set VIRMAG$i pattern \
        Body $i Description "VIRMAG$i data" \
        Glob yes LineStart yes Status enabled
done

# regenerate the mail configuration so the new patterns take effect
/sbin/e-smith/signal-event email-update

you can check them in the server-manager.

A question remaining is how exactly the magic is checked.

Will
tv00
block tv00aas and so on? Or do you need an exact match? I guess not, but would like to know for sure.

Hans-Cees
nl.linkedin.com/in/hanscees/

hanscees
How to configure ClamAv to remove .exe, .bat attachments
« Reply #14 on: February 05, 2005, 01:19:49 AM »
Quote from: "hanscees"
Tip to find the magic of a file: send it by email and look at the raw email. Very simple.


Found this link:
http://www.johncon.com/john/receivedIP/howto-virus.txt

It has many magic numbers of exe files that are used by viruses.

These are new:
T24gRXJ      virus
TVoAAAI      virus
TVpsAAE      virus
TVpAALQ      virus
TVpQAAI      virus
TVpsAAE      virus
TVpyAXk      virus

Hans-Cees



How does this work exactly?

When I post the text of the previous post to my SME server, with the numerous file magics blocked, that text message is blocked?

I was presuming a block would only be set on a base64 block. But this seems to be a normal regexp block?
That must be wrong, surely! Is that a bug?

Hans-Cees
nl.linkedin.com/in/hanscees/
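The two posts above raise three practical questions: where the base64 "magic" strings in the lists come from, whether a short prefix such as TVqQ matches longer strings, and why a plain-text message quoting the strings was blocked in Reply #14. The following Python is an added example to work through them; it is not code from the thread, from the HOWTO, or from SME Server. It derives the base64 prefix from a file's leading bytes, decodes a prefix back to bytes, and emulates a line-start glob check over a constructed raw message. The sample headers and the message are constructed and inert (no real malware); the matching model (each raw line tested against "prefix*" anchored at the line start) is an assumption about how the mailpatterns Glob/LineStart fields behave, which the thread does not confirm.

```python
import base64
import fnmatch

# Constructed sample file headers (not real malware): the first 8 bytes of
# DOS/Windows executables (MZ header) and of ZIP archives. Bytes after "MZ"
# vary between linkers, which is why several different "MZ" prefixes exist.
SAMPLE_HEADERS = {
    "exe_typical": b"MZ\x90\x00\x03\x00\x00\x00",
    "exe_other":   b"MZ\x50\x00\x02\x00\x00\x00",
    "zip_v2":      b"PK\x03\x04\x14\x00\x00\x00",
    "zip_v1":      b"PK\x03\x04\x0a\x00\x00\x00",
}


def b64_magic(header, chars=7):
    """Return the first `chars` characters of the base64 encoding of a file's
    leading bytes: this is what the first body line of a base64 MIME
    attachment starts with, and what the pattern lists are made of."""
    return base64.b64encode(header).decode("ascii")[:chars]


def magic_to_bytes(magic):
    """Decode a base64 magic prefix back to raw bytes to see what it blocks.
    The prefix is padded with 'A' (zero bits) to a multiple of 4 characters,
    so the last byte may be only partly determined by the prefix."""
    padded = magic + "A" * (-len(magic) % 4)
    return base64.b64decode(padded)


def build_message(attachment, text_lines):
    """Construct a raw multipart message: a text part plus a base64 attachment
    wrapped at 76 columns, the way a MIME encoder emits it (constructed data)."""
    att_b64 = base64.b64encode(attachment).decode("ascii")
    wrapped = [att_b64[i:i + 76] for i in range(0, len(att_b64), 76)]
    lines = [
        "From: sender@example.org",
        "To: chris@example.org",
        "Subject: test",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XYZ"',
        "",
        "--XYZ",
        "Content-Type: text/plain",
        "",
        *text_lines,
        "--XYZ",
        'Content-Type: application/octet-stream; name="setup.exe"',
        "Content-Transfer-Encoding: base64",
        "",
        *wrapped,
        "--XYZ--",
    ]
    return "\n".join(lines) + "\n"


def matching_lines(raw_message, patterns):
    """Emulate a LineStart + Glob check (assumed model, not SME's code): a
    pattern hits when some raw line of the message begins with it. Because
    it is a prefix match, a short prefix like 'TVqQ' also hits 'TVqQAAM...'.
    Returns (pattern name, matching line) pairs."""
    hits = []
    for line in raw_message.splitlines():
        for name, prefix in patterns.items():
            if fnmatch.fnmatchcase(line, prefix + "*"):
                hits.append((name, line))
    return hits


PATTERNS = {
    "EXE_TVqQAAM": "TVqQAAM",      # from the howto: most Windows exes
    "ZIP_UEsDBBQAA": "UEsDBBQAA",  # zip version 2: would block every such zip
}


def demo():
    """Reproduce the Reply #14 observation: a plain-text line that quotes a
    magic string is matched exactly like a real attachment's first line,
    because the checker only sees raw lines, not MIME structure."""
    text = [
        "Hi, the magic strings from the howto are:",
        "TVqQAAM",
        "UEsDBBQAA",
        "but mid-line TVqQAAM does not sit at a line start",
    ]
    exe = SAMPLE_HEADERS["exe_typical"] + b"\x00" * 56   # constructed, inert
    return matching_lines(build_message(exe, text), PATTERNS)


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:12s} {header[:4]!r:22s} -> {b64_magic(header, 9)}")
    print("AHhUYXgg decodes to", magic_to_bytes("AHhUYXgg"))
    for name, line in demo():
        print(f"hit {name:14s} on line: {line[:30]}")
```

The point to take from running it: a base64 body always starts at a line start, so the LineStart flag is what keeps the check specific to attachments, and it is also exactly why any text line beginning with the same characters trips it. The zip prefixes show the other side of the trade-off: a prefix that only covers the container format blocks every zip, benign or not.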