Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: cb-wizard on February 01, 2005, 09:19:36 AM
-
How do I configure ClamAv to remove .exe, .bat attachments files?
Thanks
Chris
-
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
-
Hi Ray,
Thank you for the info.
A couple of the rpms from Gordon Rowell has changed version and needs some additional files.
perl-perl-ldap >= 0.31-1 is needed by e-smith-email-4.15.0-07gr07
perl-Net-Server >= 0.85-1 is needed by e-smith-email-4.15.0-07gr07
sortspam >= 1.1.0-02 is needed by e-smith-email-4.15.0-07gr07
I can not seem to find the last file searching with Google.
Thanks
Chris
-
have a look here:
http://www.dungog.net/sme/files/email-patternmatch/patternmatch.txt
and
http://www.dungog.net/sme/files/email-patternmatch/patternmatch.quick.txt
-
> How do I configure ClamAv to remove .exe, .bat attachments files?
clamav doesn't pull apart and re-assemble email messages. It just scans files and says whether they are good or bad.
-
> http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
That contrib needs updating, since it is so valuable. I had a look into it and all packages should be other versions.
Shame, since blocking exes is usually good.
hc
-
Just use the more recent versions of the rpms that Gordon released. Most of the current howto is still applicable. I will get around to updating it soon (been meaning to for a while).
You can find those other required rpms at
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/devel/RPMS/i386/
-
Hi,
Beautiful, working.
Thank you all for the help.
Chris
-
Updated HOWTO
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
-
> Updated HOWTO
> http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
thanks.
On the 6.5 beta this howto does not work. There is no /etc/tcprules/tcp.smtp
don't know if that will break things.
Hans-Cees
-
I have not tried it personally, but the release notes for sme 6.5 beta say that pattern matching functionality is included. I read a post in the that said the feature needed to be enabled with the appropriate command. That's why I included this paragraph in the howto:
"Additional Information:
Please note these rpms have been incorporated into the new contribs.org release of sme server v6.5 beta2. Pattern matching needs to be enabled using the commands listed below."
If anyone has any better information please advise and I can update the HOWTO.
-
Updated HOWTO with specific section relating to sme v6.5
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
-
> Updated HOWTO with specific section relating to sme v6.5
> http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
I tested this on the 6.5b2. You can enable the patterns fine. But my test did not work as I expected.
I thought it would block all exes. I added ghost.exe (dos exe), but it did not stop anything.
What would be a good test?
update:
some exes do get blocked, others don't. the install file of addmuncher does get blocked.
I will look into this further. I take it that the most dangerous things are added in the database?
Hans-Cees
-
Tip to find the magic of a file: send it by email and watch the email as raw. Very simple.
found this link:
http://www.johncon.com/john/receivedIP/howto-virus.txt
it has many magic numbers of exe files that are used by viruses:
these are new:
T24gRXJ virus
TVoAAAI virus
TVpsAAE virus
TVpAALQ virus
TVpQAAI virus
TVpsAAE virus
TVpyAXk virus
TVqQAAM in howto: my tests show that most
windows exes are like this one: so block this for sure
TVpQAAI in howto
UEsDBBQAAAAIA but this also blocks all zips: don't
the howto mentions these:
UEsDBAoAA zip version 1
UEsDBBQAA (zip version 2)
AHhUYXgg pif
AMlIbDk5Lm pif 2
AMkgICAg another pif I found. Let's block these
AHhIYW5k another pif
I would say block these extra (all except zips, because zips do not execute right away):
AHhUYXgg
AMlIbDk5Lm
AMkgICAg
AHhIYW5k
T24gRXJ
TVoAAAI
TVpsAAE
TVpAALQ
TVpQAAI
TVpsAAE
TVpyAXk
so let's add them:
for i in {AHhUYXgg,AMlIbDk5Lm,AMkgICAg,AHhIYW5k}
do \
/sbin/e-smith/db mailpatterns set PIF$i pattern \
Body $i Description "PIF$i data" \
Glob yes LineStart yes Status enabled; done
for i in {T24gRXJ,TVoAAAI,TVpsAAE,TVpAALQ,TVpQAAI,TVpyAXk}
do \
/sbin/e-smith/db mailpatterns set VIRMAG$i pattern \
Body $i Description "VIRMAG$i data" \
Glob yes LineStart yes Status enabled; done
/sbin/e-smith/signal-event email-update
you can check them in the server-manager.
A question remaining is how exactly the magic is checked.
will
tv00
block tv00aas and tv00aas and so on? Or do you need an exact match?? I guess not, but would like to know for sure.
Hans-Cees
-
> Tip to find the magic of a file: send it by email and watch the email as raw. Very simple.
> found this link:
> http://www.johncon.com/john/receivedIP/howto-virus.txt
> it has many magic numbers of exe files that are used by viruses:
> these are new:
> T24gRXJ virus
> TVoAAAI virus
> TVpsAAE virus
> TVpAALQ virus
> TVpQAAI virus
> TVpsAAE virus
> TVpyAXk virus
> Hans-Cees
How does this work exactly???
When I post the text of the previous post here to my sme server with the numerous file magic blocked, that text message is blocked???
I was presuming a block would only be set on a base64 block. But this seems to be a normal regexps block???
That must be wrong surely! Is that a bug?
Hans-Cees
-
Hi,
fyi and those that will search later on and find this.
If you add magic file-patterns "pattern" like this, it results in smtpfront doing a grep like this: "^pattern*" on your incoming mail. Therefore if you send an email with such a line in it, attachment or not, it will be denied.
for example:
you block "ttttuuuuvvvv"
any email with two lines in it like this:
[empty line]
ttttuuuuvvvv
will be blocked. (there has to be an empty line in it.)
It ends up in /var/qmail/control/patterns.default.
Via /home/e-smith/mailpatterns
Hans-Cees
-
Dear hanscees
I wanted to answer you earlier, but I have been busy with other things.
> I thought it would block all exes. I added
> ghost.exe (dos exe), but it did not stop anything.
It does not block all exe files as such, but blocks patterns that represent executable code, it so happens that many (most) exe files match the code (as you would expect they should do).
> What would be a good test?
Any type of file that matches one of the patterns.
Win2000 C:/WINNT/explorer.exe gets blocked
> I take it that the most dangerous things are added in the database?
Not the most dangerous as such (although they are) but patterns of files that have been used by virus writers, whatever type of file they are; exe, bat, gif, scr, zip (v1). The file type is not recognised but the pattern is. Virus writers will masquerade the exe file as a gif for example.
I'd say the most commonly known about patterns are in the default database. I'm seeing a few more "new" patterns appearing in viruses.
> Tip to find the magic of a file: send it by email
> and watch the email as raw.
You can also see it in the Message Source of email messages, which I think is the same as you are suggesting.
Alternatively if you have clamav installed as a backup virus scanner (which is still recommended) then any viruses that are not identified by pattern matching will be (hopefully) detected by clamav and end up in the /var/spool/amavis-ng/quarantined folder. Look at the *.msg file to see the "pattern magic". Look in the *.log file to see the type of virus that has been detected.
> A question remaining is how exactly the magic is
> checked, will tv00 block tv00aas and so on?
> Or do you need an exact match??
A message will be blocked if a pattern is matched, therefore if your pattern is tv00 then that will block tv00 or tv00aas or tv00aasrrrtyui.
It will not block tv0 as that does not match the minimum pattern. The "trick" is to ensure the pattern is long enough (reduces statistical error dramatically) and truly representative of the virus.
Patterns of 9 characters length give a very high rate of accuracy.
> you block "ttttuuuuvvvv"
> any email with two lines in it like this:
> [empty line]
> ttttuuuuvvvv
> will be blocked. (there has to be an empty line in it.)
That appears to be correct. It is as if the system is detecting that pattern in the message. If you look at messages you will see that that is the arrangement of the code pattern in most messages ie blank line followed by code pattern on the next line.
If you want to send some bits of pattern code in a message just precede it with any character eg
[blank line]
"TVAAAA
or don't have a blank line in front of it eg
text text text
TVAAAA
> That must be wrong surely! Is that a bug?
No, I think it's a "feature" !!
I'll look at your patterns and that link in more detail later.
Thanks
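The two explanations above (Hans-Cees' "blank line followed by a line starting with the pattern" description, and the prefix-match answer that "tv00" also blocks "tv00aas" but not "tv0") can be checked against a small emulation. The script below is an added example for this thread, not code from the SME server, smtpfront-qmail or the HOWTO: it shows why the base64 "magic" strings correspond to the first bytes of a file, and runs the described check over a few constructed messages. The pattern names (EXE_MZ90 etc.), the sample messages and the fake file contents are all constructed for the example; only the magic strings TVqQAAM, TVpQAAI and AHhUYXgg come from the thread.

```python
import base64
from typing import Dict, Optional, Tuple

# Pattern database as the thread describes it: a name -> base64 "magic" string
# matched at the start of a line. Names are constructed for this example.
PATTERNS: Dict[str, str] = {
    "EXE_MZ90": "TVqQAAM",       # base64 of an MZ header beginning "MZ\x90\x00\x03"
    "EXE_MZP": "TVpQAAI",        # base64 of an MZ header beginning "MZP\x00\x02"
    "PIF_AHhUYXgg": "AHhUYXgg",  # one of the PIF magics quoted in the thread
}


def base64_magic(header: bytes, length: int = 7) -> str:
    """First `length` base64 characters of a file header.

    Attachments travel base64-encoded, so the first bytes of a file become a
    fixed prefix of the first body line; that prefix is the "magic" string.
    """
    return base64.b64encode(header).decode("ascii")[:length]


def find_blocked_pattern(raw_message: str,
                         patterns: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Emulate the check described in the thread.

    A message is rejected when a line starts with a pattern (prefix match,
    like grep "^pattern") and the line before it is empty, which is where a
    base64 attachment body begins after its MIME part headers.
    Returns (pattern name, magic) for the first hit, or None.
    """
    lines = raw_message.split("\n")
    for idx in range(1, len(lines)):
        if lines[idx - 1].rstrip("\r") != "":
            continue  # the thread says a blank line must precede the pattern
        for name, magic in patterns.items():
            if lines[idx].startswith(magic):
                return name, magic
    return None


def build_mail_with_attachment(file_bytes: bytes, filename: str) -> str:
    """Construct a minimal MIME message carrying file_bytes as a base64 attachment."""
    body = base64.b64encode(file_bytes).decode("ascii")
    wrapped = "\n".join(body[i:i + 76] for i in range(0, len(body), 76))
    return (
        "From: sender@example.test\n"
        "To: user@example.test\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n'
        "\n--XX\nContent-Type: text/plain\n\nsee attached\n--XX\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        f"\n{wrapped}\n--XX--\n"
    )


# Constructed sample files: a fake DOS/MZ header stub (not a real executable)
# and a harmless text file.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 22
TEXT_FILE = b"Hello, this is a plain text file.\n"

# Constructed plain-text mails: the first quotes a magic string right after a
# blank line (the "feature" from the thread), the second prefixes it with a quote.
PLAIN_MAIL_QUOTING_PATTERN = "From: a@example.test\nSubject: list\n\nTVqQAAM in howto\n"
PLAIN_MAIL_PREFIXED = 'From: a@example.test\nSubject: list\n\n"TVqQAAM in howto\n'


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the check over the constructed messages and return the verdicts."""
    return {
        "exe_attachment": find_blocked_pattern(
            build_mail_with_attachment(FAKE_EXE, "report.exe"), PATTERNS),
        # same bytes renamed .gif: the file type is not recognised, the pattern is
        "exe_renamed_gif": find_blocked_pattern(
            build_mail_with_attachment(FAKE_EXE, "photo.gif"), PATTERNS),
        "text_attachment": find_blocked_pattern(
            build_mail_with_attachment(TEXT_FILE, "notes.txt"), PATTERNS),
        "plain_mail_quoting_pattern": find_blocked_pattern(
            PLAIN_MAIL_QUOTING_PATTERN, PATTERNS),
        "plain_mail_prefixed": find_blocked_pattern(PLAIN_MAIL_PREFIXED, PATTERNS),
    }


if __name__ == "__main__":
    print("MZ header magic:", base64_magic(b"MZ\x90\x00\x03\x00"))
    for case, verdict in demo().items():
        print(f"{case}: {'BLOCKED by ' + verdict[0] if verdict else 'passed'}")
```

The renamed-.gif case is the point Ray makes about virus writers masquerading executables: the check never looks at the filename or declared content type, only at the base64 text, so the disguise changes nothing. The same blindness is what makes an ordinary text mail that happens to quote a magic string after a blank line get rejected, which is why the prefix-character trick in the post above works.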
-
Does anyone have the following files:-
http://www.dungog.net/sme/files/email-patternmatch/patternmatch.txt
and
http://www.dungog.net/sme/files/email-patternmatch/patternmatch.quick.txt
Thank you in advance.
Daley
-
daley
Original & full version here:
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm