
MailScanner: No programs allowed (4workbook.bin)

Posted: 05 Mar 2018 10:44
by omer
Hello,

I just started using EFA. I am very happy in general terms. But there are a few minor problems that I have not been able to figure out for a long time.

Some people send e-mails with an extension of "xlsb" or similar. EFA is preventing these types of mail.

I saw some messages written on the forum to accept such files, but I could not get a solution.

How can I solve this? Please help me with this.

I got the error message: MailScanner: No programs allowed (4workbook.bin)

Bad Content

I added the sender to the white list, but that was not the solution.

Thank you.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 05 Mar 2018 16:22
by pdwalker
To help with your problem:

1/ list the exact extensions here

2/ give the exact error message received for that extension

3/ tell us where you saw that error message (I need that information to make sure I am talking about the same thing you are talking about)

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 05 Mar 2018 16:56
by omer
Hello,

Extensions XLSB

http://prntscr.com/in78jz

Thank you.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 05 Mar 2018 18:59
by omer
This is a message from the E.F.A. E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "FinansmanMuavin20180305110512.xlsb"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.

At Mon Mar 5 17:48:23 2018 the virus scanner said:
MailScanner: No programs allowed (4workbook.bin)

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 06 Mar 2018 09:20
by pdwalker
Strange.

Are you sure there are no other systems that are scanning the mail?

I sent an xlsb file to myself and it was delivered correctly.

Also, in my system in the filename and filetypes configuration files, I have no references to any of these extensions.

> The original e-mail attachment "FinansmanMuavin20180305110512.xlsb"
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> At Mon Mar 5 17:48:23 2018 the virus scanner said:
> MailScanner: No programs allowed (4workbook.bin)

That error message seems unfamiliar to me, and it makes me think that there is another scanning system somewhere that is blocking those particular extensions. Are you absolutely sure how your mail flows from the outside world to the final destination?

Can you post the results of running "clamconf" here so we can check if there is anything different there?


Does anyone else recognize those error messages?

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 06 Mar 2018 13:39
by omer
Hello,

Clamconf content is linked.
https://paste.ubuntu.com/p/7rr5vV2ZSc/

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 06 Mar 2018 18:22
by pdwalker
Thanks.

That’s not it then.

Can you tell me exactly what servers your mail passes through on your network?

Perhaps you can send me the headers of a message that has gone through and a message that got the block message.

A PM will do if you don’t want to post the headers publicly.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 07 Mar 2018 03:52
by pdwalker
Ok, that was tricky.

The problem is this:

Excel xlsb files are actually zip files. When you set the "Maximum Archive Depth" to a non-zero value in /etc/MailScanner/MailScanner.conf then mailscanner will look inside the archives for bad file types.

In this case, the xlsb contains a file called workbook.bin and .bin is a banned file extension.

There are two solutions:

1/ disable the blocking of binary extensions. HAhaha.. no, I'm kidding. Never never do this.

2/ Disable the mailscanner archive scanning by setting the Maximum Archive Depth = 0 and restart mailscanner.

I'd previously disabled this years ago on my own installation, so I had forgotten all about it.

What's the downside of this? Well, spammers could send zip attachments containing the phish/viruses and they won't be rejected outright, although there is a chance that clamav will catch it if it is a real virus.

If anyone has a better solution, I'd love to know about it.
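
The effect described in the post above, as an added example that is not part of the original thread or of MailScanner's code: a simplified model of extension checking with an archive depth limit. The sample workbook is constructed in memory, and the names report.xlsb, DENY and scan are assumptions made for illustration.

```python
import io
import re
import zipfile


def build_sample_xlsb() -> bytes:
    """Constructed stand-in for an .xlsb file: a zip container with a workbook.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # constructed content
        z.writestr("xl/workbook.bin", b"\x00constructed")  # the member named in the thread
    return buf.getvalue()


# Simplified deny list modelling the banned .bin extension from the thread.
DENY = [(re.compile(r"\.bin$", re.I), "No programs allowed")]


def check_name(name):
    """Return the deny reason for a file name, or None if no rule matches."""
    for pattern, reason in DENY:
        if pattern.search(name):
            return reason
    return None


def scan(filename, data, max_depth, depth=0):
    """Return (name, reason) findings, opening at most max_depth archive levels."""
    findings = []
    reason = check_name(filename)
    if reason:
        findings.append((filename, reason))
    # Only look inside the container while the depth limit allows it.
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                base = info.filename.rsplit("/", 1)[-1]
                findings += scan(base, z.read(info), max_depth, depth + 1)
    return findings


if __name__ == "__main__":
    sample = build_sample_xlsb()
    for max_depth in (0, 1):
        print("Maximum Archive Depth =", max_depth, "->", scan("report.xlsb", sample, max_depth))
```

With a depth of 0 the container is never opened, so only the outer name report.xlsb is checked; with a depth of 1 the inner workbook.bin is seen and denied.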

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 07 Mar 2018 22:08
by omer
Thank you very much for your help, PDWalker,
On your note, the mails are successful.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 08 Mar 2018 04:13
by pdwalker
No worries. It was a useful learning experience.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 12 Mar 2018 14:22
by omer
Hello

What should I do about this? Similarly, these files are also blocked.

Report: MailScanner: Files containing CLSID's are trying to hide their real type (%7B90AD475B-0794.pdf)

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 12 Mar 2018 16:35
by pdwalker
Can you forward me that attachment with that name? I believe you had my address. I would like to see if my system blocks it as well.

The only rule I can find in the archives and filename rules is the following:

Code:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

I confess, I do not quite understand that regex. Any string containing the letters a to h (upper and lower), numbers 0-9, surrounded by curly braces and at least 25 characters long? But a CLSID looks like {557cf406-1a04-11d3-9a73-0000f81ef32e}

However your filename, %7B90AD475B-0794.pdf doesn't match that. %7b is a url encoded { character, but there is no matching }

You could try commenting out these rules, restarting mailscanner and sending the file to yourself again to see what happens and whether it resolves your issue.

However, I'm still confused as to why this rule seems to be the one triggering the block. It shouldn't be, but that's the only thing I can find that matches the error message.

:think: Hmmmm....

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 12 Mar 2018 18:45
by omer
I do not have the file, unfortunately. I will ask the user to resend it. I created a file with the same name for experiment purposes and sent this file to myself. Mail came in without any problems.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 13 Mar 2018 06:29
by pdwalker
I wonder if you could "release" his previous message to an external address?

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 21 Mar 2018 04:57
by pdwalker
An update:

The file name was {62F05FCF-5F9C-40EA-9AE7-364775407023}.pdf which I find to be rather a silly file name.

So, those two rules will deny this UUID based file name.

Two possible solutions:

Solution 1: disable these rules

Solution 2: tell the sender to send the file using a human readable file name.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 21 Mar 2018 05:38
by omer
Hello,

How should I organize the rule?

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 21 Mar 2018 17:47
by pdwalker
Hi Ömer,

I’m not sure what you mean.

If these files are important and the names won’t change, you’ll need to disable the rules.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 21 Mar 2018 17:49
by omer
Hello
I think the file names are similar. So I want to define it as a rule. What kind of rule should I apply?

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 23 Mar 2018 05:54
by pdwalker
My apologies Omer, I am not sure what you want to do.

Do you want to block files with this kind of name, or do you wish to let them through, or is it something else?

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 23 Mar 2018 07:53
by omer
I want to allow this type of file.

Thank you.

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 23 Mar 2018 17:10
by pdwalker
Oh! That's easy. Look in the following files for these lines:

Code:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

Add in a # character in front of the deny command and that will disable the rule preventing these files from being delivered, like so:

Code:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

The two files are in /etc/MailScanner/
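
An added example, not part of the original thread or of MailScanner's code: a small model that evaluates the CLSID rule against the file names mentioned in this thread, with the rule active and commented out. It goes one step beyond the thread by also showing a hypothetical narrower allow rule (NARROW) that lets through only bare UUID-named PDFs; it assumes first-match-wins evaluation and allow-by-default when no rule matches, and uses whitespace-separated fields for readability.

```python
import re

# Rule text from the thread (report text shortened to one field).
ORIGINAL = r"""
# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type
"""

# The change described in the thread: comment out the deny line.
DISABLED = ORIGINAL.replace("\ndeny", "\n# deny")

# Hypothetical alternative (not from the thread): an allow rule for a file
# name that is exactly {UUID}.pdf, placed before the unchanged deny rule.
NARROW = r"""
allow ^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.pdf$ - -
""" + ORIGINAL


def parse_rules(text):
    """Parse 'action regex report...' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, _report = line.split(None, 2)
        rules.append((action, re.compile(pattern)))
    return rules


def verdict(filename, rules_text):
    """Return the action of the first matching rule (assumed first match wins)."""
    for action, pattern in parse_rules(rules_text):
        if pattern.search(filename):
            return action
    return "allow"  # assumption of this model: no matching rule means allow


if __name__ == "__main__":
    names = [
        "%7B90AD475B-0794.pdf",                             # name from the report
        "{62F05FCF-5F9C-40EA-9AE7-364775407023}.pdf",       # actual file name
        "document.{557cf406-1a04-11d3-9a73-0000f81ef32e}",  # constructed name
    ]
    for name in names:
        print(name, [verdict(name, r) for r in (ORIGINAL, DISABLED, NARROW)])
```

The URL-encoded name has no literal braces, so the rule never matches it; the real file name does match, which is consistent with the update in the thread.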

Re: MailScanner: No programs allowed (4workbook.bin)

Posted: 25 Mar 2018 09:37
by omer
Hello,

I just applied the following rule and it worked fine.

filename.rules.conf: # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type

Thank you so much.