[Esd-l] question on poisoning of file

Daniel Marois DMarois at zoom-media.com
Fri Apr 19 08:07:00 PDT 2002


> -----Original Message-----
> From: esd-l-admin at spconnect.com [mailto:esd-l-admin at spconnect.com]On
> Behalf Of John D. Hardin
> Sent: April 18, 2002 3:05 PM
>
> On Thu, 18 Apr 2002, Daniel Marois wrote:
>
> > First I wanted to test the double extension and I sent myself a
> > dummy file named test.yxz.xya from another account and I received
> > the file without even the sanitizer seeing it (I checked in the
> > log and no attachments were seen)
>
> Did you also add .xya to the MANGLE_EXTENSIONS variable? Poisoning and
> stripping depend on that.
>

You are right! I did not understand this subtlety in the sanitizer.
I did a quick check, and including the .rar in the mangle list allowed me to
poison test.rar and test.yx.rar, which is exactly what I was looking to
do this morning.

> > I am a little surprised, I always thought that whatever I put in
> > the poisoned list will get poisoned.
>
> Not in the current version. Poisoning and stripping only apply to
> mangled extensions + MS Office extensions (which are "special").
>
> Future plans are to remove this dependency. See the development files
> under http://www.impsec.org/email-tools/development/ for design
> thoughts - comments are solicited.
>

Now that I understand how it really works, I will take a look at that as my
needs over here are really more in the poisoned file than the mangled list.
Unfortunately my users did learn how to unmangle so everything is now
poisoned. They call me if they really need something.

> > I did some more testing and I found that all the poisoned names I
> > put without any wild card are fine but putting something like
> > *.jpg or *.wav do not work. However, the *.com and *.exe work ?!
>
> Huh. I'll have to take a look at that. It shouldn't poison an explicit
> filename that does not have a MANGLE extension.
>

I guess that you are right on this account as probably 98% of my poisoned
list contains viruses that have extensions already mangled.  A quick check
showed that the remaining probably do not work as they are in the form of
"worm.*" or have some kind of wrong wildcard. I will revise them.

Many thanks John for your light on this.

Daniel Marois
Zoom Media inc.
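Added example, not part of this thread and not the sanitizer's own procmail code: a small Python model of the rule John states above (poisoning and stripping only fire for attachments whose final extension is in MANGLE_EXTENSIONS), plus an audit that flags poisoned-name entries which can never match for that reason. The extension lists and the poisoned names are constructed from the ones discussed in the thread; the glob-style matching and the Python set standing in for the sanitizer's pipe-separated MANGLE_EXTENSIONS string are assumptions.

```python
import fnmatch

# Constructed sample configuration for illustration only; these are not the
# sanitizer's real default lists. The sanitizer keeps MANGLE_EXTENSIONS as one
# pipe-separated string in its config; a Python set stands in for it here.
MANGLE_EXTENSIONS = {"exe", "com", "bat", "vbs", "scr", "pif"}

# Constructed poisoned-name list combining the entries discussed in the thread.
POISONED_NAMES = ["test.rar", "test.yx.rar", "*.jpg", "*.wav", "*.com", "*.exe", "worm.*"]

WILDCARD_CHARS = "*?["


def final_extension(filename: str) -> str:
    """Return the last dotted component of the base name, lower-cased ('' if none).

    Only the final extension counts, so the double-extension name
    'test.yxz.xya' yields 'xya', not 'yxz'.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_mangled(filename: str, mangle_exts=MANGLE_EXTENSIONS) -> bool:
    """True when the attachment's final extension is in MANGLE_EXTENSIONS."""
    return final_extension(filename) in mangle_exts


def is_poisoned(filename: str, poisoned=POISONED_NAMES, mangle_exts=MANGLE_EXTENSIONS) -> bool:
    """Model of the rule stated in the thread: a poisoned-name entry only fires
    for attachments whose extension is also in MANGLE_EXTENSIONS.

    Pattern matching uses shell-style globbing (assumption: the real sanitizer's
    matching semantics are not specified on this page).
    """
    if not is_mangled(filename, mangle_exts):
        return False
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in poisoned)


def audit_poison_list(poisoned, mangle_exts=MANGLE_EXTENSIONS):
    """Flag poisoned-name entries that can never fire under the rule above.

    Returns (dead, unclear): 'dead' entries have a concrete extension that is
    not mangled, so they silently never match; 'unclear' entries have a wildcard
    in the extension position and depend on the actual attachment name.
    """
    dead, unclear = [], []
    for pattern in poisoned:
        ext = final_extension(pattern)
        if any(ch in ext for ch in WILDCARD_CHARS):
            unclear.append(pattern)
        elif ext not in mangle_exts:
            dead.append(pattern)
    return dead, unclear


if __name__ == "__main__":
    # Daniel's first test: .xya is not mangled, so no entry can fire.
    print("test.yxz.xya poisoned:", is_poisoned("test.yxz.xya"))   # False
    # After adding 'rar' to the mangle list, both names are poisoned.
    with_rar = MANGLE_EXTENSIONS | {"rar"}
    print("test.rar poisoned:", is_poisoned("test.rar", mangle_exts=with_rar))        # True
    print("test.yx.rar poisoned:", is_poisoned("test.yx.rar", mangle_exts=with_rar))  # True
    # '*.jpg' is in the list but jpg is not mangled, while '*.exe' fires.
    print("photo.jpg poisoned:", is_poisoned("photo.jpg"))   # False
    print("setup.exe poisoned:", is_poisoned("setup.exe"))   # True
    print("audit:", audit_poison_list(POISONED_NAMES))
```

Running the audit against a real configuration is the quick check Daniel describes at the end: every entry reported as dead is a poisoned name that will never be acted on until its extension is added to the mangle list.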

