[Esd-l] How to mangle contents of a .zip file?

John D. Hardin jhardin at impsec.org
Tue Mar 9 15:13:27 PST 2004


On Tue, 9 Mar 2004, Brian Hampton wrote:

> I recently set up .141 so that I could deal with all of the
> Beagle/Bagle .zip viruses shooting around.  But we do send quite a
> lot of legitimate executables within .zip files.

Internally, or with external partners/consultants/etc.?

> I misunderstood the new .zip file features, thinking it would simply
> mangle the name within the .zip file according to the same
> MANGLE_EXTENSIONS directive that straight attachments are subject
> to.

Nope. The sanitizer is a single-pass streaming scanner, so it doesn't
have the ability to go back and alter the contents of attachments.

> Am I correct in my conclusion that the .141 version does not
> allow me to mangle filenames within .zip files?

You are correct.

> I have only been able to poison them thus far.  If so, is this
> something you would consider in the future?

Probably not. That's somewhat more intrusive and less reliable than I
want to make it, not to mention much more resource-intensive. For
instance, you probably wouldn't be able to enforce such a policy on
password-protected ZIP files.

> I would prefer to not treat an executable differently depending
> on if it's in a .zip file.  We don't poison much here, we simply
> defang (because we send so many legit executables around).

If your policy is that internal users are permitted to send other
internal users zipped executables, then you need to configure a policy
for that:

1) develop a procmail rule that will identify internal
source-and-destination messages (ideally based on the IP addresses in
the Received: headers), and then

2) use that rule to select the appropriate policy files, for example,
not considering zipped .EXE files bad for internal emails
($ZIPPED_EXECUTABLES points at a filespec list that does not have
"*.exe" in it). (You might also want to permit UNzipped executables in
internal email as well...)

The sanitizer is configured via environment variables and simple files
so that you can use the capabilities of procmail for the bulk of
configuring different policies.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   25 days until the Slovakian Presidential Election
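An added example of the two-step policy selection John describes (a procmail rule that recognises internal mail from the Received: headers, then points $ZIPPED_EXECUTABLES at a more permissive filespec list). This is not code from the original post or from the sanitizer distribution; the network range, the relay address, the file paths and the single-MTA layout are all assumptions stated in the comments.

```procmail
# Added example, not from the original post or the sanitizer's own files.
# Assumptions (placeholders, adjust to your site):
#   192.0.2.0/24 = internal network (RFC 5737 documentation range)
#   192.0.2.1    = your border relay; mail it hands in is NOT internal
#   procmail runs on the MTA that first receives the message, so the
#   topmost Received: header was written by a host you control; every
#   other Received: header can be forged by the sender, so it is not used.
#   Delivery runs through /etc/procmailrc, so the recipient is already a
#   local (internal) mailbox and only the source side needs checking.
#   /etc/procmail/zipped-executables-internal is a copy of the default
#   filespec list with the "*.exe" line removed, as the post suggests.

# Default is the strict policy; the rules below only ever relax it, so a
# failed match falls back to treating zipped .EXE files as bad.
ZIPPED_EXECUTABLES=/etc/procmail/zipped-executables

# Copy the first line of the TOPMOST Received: header into FIRST_HOP.
# procmail takes the leftmost match, i.e. the header our own MTA added,
# and "." does not cross the newline into the folded continuation line.
:0
* ^Received: from \/.*
{
  FIRST_HOP=$MATCH
}

# Internal source = the connecting host is in the internal range and is
# not the border relay (which is where outside mail enters the network).
:0
* FIRST_HOP ?? \[192\.0\.2\.[0-9]+\]
* ! FIRST_HOP ?? \[192\.0\.2\.1\]
{
  ZIPPED_EXECUTABLES=/etc/procmail/zipped-executables-internal
  # The same block is the place to relax MANGLE_EXTENSIONS if unzipped
  # executables are also permitted in internal email.
}

# Run the sanitizer with whichever policy was just selected.
INCLUDERC=/etc/procmail/html-trap.procmail
```

If there is a second hop inside your network (a mailhub behind the border MX), the topmost Received: header will show the hub's address for all mail, so match the hub's header on the hop before it instead of treating everything as internal.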

