[Esd-l] ZIP scanning, take two (repost)

Mark Wendt (Contractor) wendt at kingcrab.nrl.navy.mil
Tue Feb 24 02:56:12 PST 2004


At 01:26 PM 2/23/2004, John D. Hardin wrote:
>On Mon, 23 Feb 2004, Mark Wendt (Contractor) wrote:
>
> > Okay, maybe I misundertook sumthin' here.  Is the Sanitizer going
> > to actually unzip the file, read the contents, determine whether
> > or not it's one of the bad boys, and if so, quarantine (strip) the
> > zip?
>
>The sanitizer will look for the ZIP archive's filename in the standard
>poison and strip lists (the same as for DOC and XLS and other Office
>files) and will quarantine the message or strip the zip attachment
>based on the standard rules. In other words, the sanitizer now
>recognizes the extension ".ZIP".
>
>The sanitizer will then scan the first-level filenames within the ZIP
>(e.g. zipping a zip will still bypass the scan) and quarantine *the
>message* based on whether any filenames it finds match the filespecs
>in your ZIPPED_FILES policy list.
>
> > IF so, thatn turn it on by default.  If not, and we're going to
> > base the quarantine on the type of extension, I would rather see
> > it turned off as the default.
>
>The default is what will be used if you do not provide an explicit
>policy for the content of ZIP archive attachments. Providing no
>default will duplicate the way things are presently (e.g. zipped
>*anything* will bypass the sanitizer). Providing a default will force
>you to override it with an explicit local policy if you do not want to
>automatically quarantine (or in your case, discard) a lot of ZIPs.
>
>I take it you vote "no default ZIP policy"?

Changed my mind.  I initially missed the first level scan you mentioned in 
the paragraph above.  If the Sanitizer is scanning the zip file for certain 
file names, then by all means, turn it on by default!  You betcha!


> > We're extremely happy with the Sanitizer John, and look forward
> > to the new releases.
>
>Thanks! "nrl.navy.mil" - *that* is gratifying! :)

No, it's thank you for all the hard work in putting out a quality product


>--
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>-----------------------------------------------------------------------
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
>                                 -- Peter da Silva in a.s.r
>-----------------------------------------------------------------------
>    40 days until the Slovakian Presidential Election

Mark Wendt
System/Network Administrator
Code 8140
Naval Research Laboratory
4555 Overlook Ave, SW
Building 68, Room 219
Washington DC
202-767-0955
202-404-8520 Fax
===============================================
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
    - Unknown 


More information about the esd-l mailing list