block deny extension in .zip or .rar file

General eFa discussion
junaidakhan
Posts: 6
Joined: 24 Jul 2017 05:42

block deny extension in .zip or .rar file

Post by junaidakhan » 02 Apr 2018 06:29

Hi,

I need to know how to block denied extensions like \.src$, \.exe$, \.jar$ in zip or rar files. Simple denied extensions are blocked, but when someone tries to send a .src file in ZIP format, EFA does not block it. I also changed the Maximum Processing Attempts from 0 to 2, 3 or 8, but the denied extensions in zip/rar files are still not blocked.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: block deny extension in .zip or .rar file

Post by pdwalker » 03 Apr 2018 03:29

Hi junaidakhan,

There are a couple of settings you need to check:

In /etc/MailScanner there is a file called archives.filename.rules.conf, and this controls what files are allowed in archives.

In my system, there is one rule to deny executables in archive files, specifically:

# These 2 added by popular demand - Very often used by viruses
deny    \.com$    Windows/DOS Executable                    Executable DOS/Windows programs are dangerous in email
deny    \.exe$    Windows/DOS Executable                    Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny    \.scr$    Possible virus hidden in a screensaver    Windows Screensavers are often used to hide viruses

Next, I need to make sure that MailScanner is checking archive files. Look in /etc/MailScanner/MailScanner.conf for

Maximum Archive Depth = 0

In my case, I have disabled archive checking, so I let these extensions through as I rely on my antivirus checking to look for actual bad attachments. However, you'll need to change it to 1, 2 or more, depending on your desired result.

Give this a try and let us know if it works for you.
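A small Python model of how the two settings in the reply above interact, added here as an example and not part of eFa or MailScanner: it parses rules in the archives.filename.rules.conf layout and walks a constructed zip (with a second zip nested inside) under a given Maximum Archive Depth, so you can see which members a depth of 0, 1 or 2 would expose to the deny rules. It assumes tab-separated rule fields and case-insensitive matching, and handles zip only (rar and 7z would need an external unpacker), so it is a way to reason about the depth setting, not a substitute for MailScanner's own scan.

```python
import io
import re
import zipfile
# Constructed rules in archives.filename.rules.conf layout: tab-separated action, regex, log text, user report.
SAMPLE_RULES = """
# Very often used by viruses
deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email
deny\t\\.scr$\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses
allow\t.*\t-\t-
"""

def parse_rules(text):
    """Return [(action, compiled regex, log text)] in file order; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, logtext = re.split(r"\t+", line, maxsplit=3)[:3]
        # Assumption: filename rules match case-insensitively, so Setup.EXE is caught too.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), logtext))
    return rules

def check_archive(data, rules, max_depth, depth=1):
    """Walk a zip (nested zips too, while depth <= max_depth); return [(name, log text)]
    for members hit by a deny rule. max_depth = 0 is 'Maximum Archive Depth = 0': no inspection."""
    if depth > max_depth:
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for action, rx, logtext in rules:
                if rx.search(name):
                    if action == "deny":
                        hits.append((name, logtext))
                    break  # first matching rule decides; rules are read top to bottom
            if name.lower().endswith(".zip"):
                hits += check_archive(zf.read(name), rules, max_depth, depth + 1)
    return hits

def build_sample():
    """Constructed outer zip: notes.txt, invoice.scr and inner.zip holding setup.exe."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"placeholder, not a real executable")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"hello")
        z.writestr("invoice.scr", b"placeholder, not a real executable")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `check_archive(build_sample(), parse_rules(SAMPLE_RULES), depth)` reports nothing at depth 0, only invoice.scr at depth 1, and both invoice.scr and the nested setup.exe at depth 2, which is why a depth of 0 lets the archived .scr through even with the deny rule present.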

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: block deny extension in .zip or .rar file

Post by pdwalker » 03 Apr 2018 03:32

Also, does anyone know how MailScanner knows which configuration files to use for the allowed file extensions? Maybe there is a problem in the configuration and MailScanner doesn't know to use the archives.filename.rules.conf and archives.filetype.rules.conf configuration files for archives.

junaidakhan
Posts: 6
Joined: 24 Jul 2017 05:42

Re: block deny extension in .zip or .rar file

Post by junaidakhan » 10 Apr 2018 19:30

I already did all these steps, but blocked extensions like .scr are not blocked in .zip or .rar files.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: block deny extension in .zip or .rar file

Post by pdwalker » 11 Apr 2018 01:27

What is your maximum archive depth setting?

junaidakhan
Posts: 6
Joined: 24 Jul 2017 05:42

Re: block deny extension in .zip or .rar file

Post by junaidakhan » 17 Apr 2018 04:20

The current depth setting is 2.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: block deny extension in .zip or .rar file

Post by pdwalker » 18 Apr 2018 11:13

Can you show me the contents of your archives.filename.rules.conf file?

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: block deny extension in .zip or .rar file

Post by jamerson » 02 May 2018 12:41

Make sure you do have the below in the MailScanner config file.

/etc/MailScanner/MailScanner.conf
Allow Password-Protected Archives = %rules-dir%/password-archives.rule
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

flaitsman
Posts: 3
Joined: 21 Dec 2017 18:36

Re: block deny extension in .zip or .rar file

Post by flaitsman » 07 May 2018 06:10

Sorry for my bad English. I have the same problem. EFA does not find executable files in rar archives (.exe, .com etc.).
My archives.filename.rules.conf contains

# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email

but .com and .exe files are not blocked in rar and 7z archives...

shawniverson
Posts: 2821
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: block deny extension in .zip or .rar file

Post by shawniverson » 08 May 2018 10:00

I'll run a test with this information and see if I can reproduce.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

flaitsman
Posts: 3
Joined: 21 Dec 2017 18:36

Re: block deny extension in .zip or .rar file

Post by flaitsman » 28 May 2018 18:18

Any suggestions to solve the problem? I block RAR in filename.rules.conf and analyze files manually in quarantine...
The problem occurs after the EFA update.

shawniverson
Posts: 2821
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: block deny extension in .zip or .rar file

Post by shawniverson » 29 May 2018 21:53

So far I am unable to reproduce, but I am on a natively built appliance. Which version did you upgrade from, so that I can follow the same path?
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

benscha
Posts: 18
Joined: 23 Jan 2018 07:19

Re: block deny extension in .zip or .rar file

Post by benscha » 16 Jul 2019 08:48

Hey guys,

I have the same issue here... EFA-3.0.2.6.

Maximum Archive Depth = 4
Find Archives By Content = yes

In /etc/archive.filetype.rules.conf I have the following line:


deny	\.exe$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email

Also, Sophos will detect the file but not block it. This report is generated by mail:


A threat classified as 'Mal/FareitVB-N' was detected in the file '/var/spool/MailScanner/incoming/63033/0915B100F51.A0508/nQuotation $ Specification.zip' when attempting to open it at Fri Jul 12 15:05:26 2019 CEST +0300 (2019-07-12 13:05:26 UTC).  Access to the infected file was not allowed.

I'm a bit amazed about the following text in the mail: "Access to the infected file was not allowed."

savd is running as root


root      1761  0.0  0.0 592508  5284 ?        Sl   Jul15   0:04 savd etc/savd.cfg

Anyone any idea?
Always happy for any hints and tips! :clap: | EFA 3.0.2.6
