block deny extension in .zip or .rar file
-
- Posts: 6
- Joined: 24 Jul 2017 05:42
block deny extension in .zip or .rar file
Hi,
I need to know how to block denied extensions like \.src$, \.exe$, \.jar$ in zip or rar files. A simple denied extension is blocked, but when someone tries to send a .src file in ZIP format, EFA does not block it. I also changed the Maximum Processing Attempts from 0 to 2, 3 or 8, but the denied extension in the zip/rar file is still not blocked.
Re: block deny extension in .zip or .rar file
Hi junaidakhan,
There are a couple of settings you need to check:
In /etc/MailScanner is a file called archives.filename.rules.conf, and this controls what files are allowed in archives.
In my system, there is one rule to deny executables in archive files, specifically:
Code:
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
Next, I need to make sure that MailScanner is checking archive files. Look in /etc/MailScanner/MailScanner.conf for
Code:
Maximum Archive Depth = 0
In my case, I have disabled archive checking, so I let these extensions through as I rely on my antivirus checking to look for actual bad attachments. However, you'll need to change it to 1, 2 or more, depending on your desired result.
Give this a try and let us know if it works for you.
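Added example (not part of the original posts and not MailScanner's own code): a simplified Python model of the two settings discussed above, checking ZIP member names against deny rules down to a configurable archive depth. It assumes TAB-separated rule fields, case-insensitive matching and first-match-wins; `parse_rules`, `first_match`, `denied_members`, `make_zip` and the sample file names are hypothetical, and only ZIP is covered because the Python standard library cannot read RAR.

```python
import io
import re
import zipfile

# Constructed sample in the archives.filename.rules.conf layout, using rules quoted
# in the post above. Assumption: fields are TAB-separated (action, regex, log, report).
RULES_TEXT = (
    "# These are very dangerous and have been used to hide viruses\n"
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.scr$\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses\n"
)

def parse_rules(text):
    """Return [(action, regex, log_text)], skipping comments and malformed lines."""
    rules = []
    for line in text.splitlines():
        fields = re.split(r"\t+", line.strip())
        if len(fields) >= 3 and fields[0] in ("allow", "deny"):
            rules.append((fields[0], re.compile(fields[1], re.IGNORECASE), fields[2]))
    return rules

def first_match(name, rules):
    """Assumed semantics: the first rule whose regex matches the name decides."""
    for action, regex, log_text in rules:
        if regex.search(name):
            return action, log_text
    return None

def denied_members(zip_bytes, rules, max_depth, level=1):
    """Return [(path, log_text)] for denied names; max_depth=0 means no archive checks."""
    hits = []
    if level > max_depth:
        return hits
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = first_match(info.filename, rules)
            if verdict and verdict[0] == "deny":
                hits.append((info.filename, verdict[1]))
            elif info.filename.lower().endswith(".zip"):
                nested = denied_members(zf.read(info), rules, max_depth, level + 1)
                hits += [(info.filename + "/" + path, log) for path, log in nested]
    return hits

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

In this model a rule line whose fields are separated by spaces rather than TABs is skipped by `parse_rules`, so running it over a copy of the real rules file shows which lines would not parse under that assumption.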
Re: block deny extension in .zip or .rar file
Also, does anyone know how MailScanner knows which configuration files to use for the allowed file extensions? - maybe there is a problem in the configuration and MailScanner doesn't know to use the archives.filename.rules.conf and archives.filetype.rules.conf configuration files for archives.
-
- Posts: 6
- Joined: 24 Jul 2017 05:42
Re: block deny extension in .zip or .rar file
I already did all these steps, but blocked extensions like .scr are not blocked in .zip or .rar files.
Re: block deny extension in .zip or .rar file
What is your maximum archive depth setting?
-
- Posts: 6
- Joined: 24 Jul 2017 05:42
Re: block deny extension in .zip or .rar file
The current depth setting is 2.
Re: block deny extension in .zip or .rar file
Can you show me the contents of your archives.filename.rules.conf file?
Re: block deny extension in .zip or .rar file
Make sure you have the below in the MailScanner config file.
Code:
# /etc/MailScanner/MailScanner.conf
Allow Password-Protected Archives = %rules-dir%/password-archives.rule
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
Re: block deny extension in .zip or .rar file
Sorry for my bad English. I have the same problem. EFA does not find executable files in rar archives (.exe, .com etc.).
My archives.filename.rules.conf contains
Code:
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
but .com and .exe files are not blocked in rar and 7z archives...
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: block deny extension in .zip or .rar file
I'll run a test with this information and see if I can reproduce.
Re: block deny extension in .zip or .rar file
Any suggestions to solve the problem? I block RAR in filename.rules.conf and analyze files manually in quarantine...
The problem occurs after the EFA update.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: block deny extension in .zip or .rar file
So far I am unable to reproduce, but I am on a natively built appliance. Which version did you upgrade from, so that I can follow the same path?
Re: block deny extension in .zip or .rar file
Hey guys,
I have the same issue here... EFA-3.0.2.6.
Code:
Maximum Archive Depth = 4
Find Archives By Content = yes
In /etc/archive.filetype.rules.conf I have the following line:
Code:
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
Also, Sophos will detect the file but not block it. This report will be generated by mail:
Code:
A threat classified as 'Mal/FareitVB-N' was detected in the file '/var/spool/MailScanner/incoming/63033/0915B100F51.A0508/nQuotation $ Specification.zip' when attempting to open it at Fri Jul 12 15:05:26 2019 CEST +0300 (2019-07-12 13:05:26 UTC). Access to the infected file was not allowed.
I'm a bit amazed about the following text in the mail: "Access to the infected file was not allowed."
savd is running as root:
Code:
root 1761 0.0 0.0 592508 5284 ? Sl Jul15 0:04 savd etc/savd.cfg
Does anyone have any idea?
Always happy for any hints and tips! | EFA 3.0.2.6