block deny extension in .zip or .rar file

Posted: 02 Apr 2018 06:29
by junaidakhan
Hi,

I need to know how to block denied extensions like \.src$, \.exe$, \.jar$ inside zip or rar files. Simple denied extensions are blocked, but when someone tries to send a .src file in ZIP format, EFA does not block it. I also changed Maximum Processing Attempts from 0 to 2, 3 or 8, but the denied extensions inside zip/rar files are still not blocked.

Re: block deny extension in .zip or .rar file

Posted: 03 Apr 2018 03:29
by pdwalker
Hi junaidakhan,

There are a couple of settings you need to check:

In /etc/MailScanner there is a file called archives.filename.rules.conf, and this controls what files are allowed in archives.

In my system, there is one rule to deny executables in archive files, specifically:

Code:

# These 2 added by popular demand - Very often used by viruses
deny    \.com$    Windows/DOS Executable                    Executable DOS/Windows programs are dangerous in email
deny    \.exe$    Windows/DOS Executable                    Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny    \.scr$    Possible virus hidden in a screensaver    Windows Screensavers are often used to hide viruses

Next, I need to make sure that MailScanner is checking archive files. Look in /etc/MailScanner/MailScanner.conf for

Code:

Maximum Archive Depth = 0

In my case, I have disabled archive checking, so I let these extensions through as I rely on my antivirus checking to look for actual bad attachments. However, you'll need to change it to 1, 2 or more, depending on your desired result.

Give this a try and let us know if it works for you.

Re: block deny extension in .zip or .rar file

Posted: 03 Apr 2018 03:32
by pdwalker
Also, does anyone know how MailScanner knows which configuration files to use for the allowed file extensions? - maybe there is a problem in the configuration and MailScanner doesn't know to use the archives.filename.rules.conf and archives.filetype.rules.conf configuration files for archives.

Re: block deny extension in .zip or .rar file

Posted: 10 Apr 2018 19:30
by junaidakhan
I already did all these steps, but a blocked extension like .scr is not blocked inside .zip or .rar files.

Re: block deny extension in .zip or .rar file

Posted: 11 Apr 2018 01:27
by pdwalker
What is your maximum archive depth setting?

Re: block deny extension in .zip or .rar file

Posted: 17 Apr 2018 04:20
by junaidakhan
Current depth setting is 2.

Re: block deny extension in .zip or .rar file

Posted: 18 Apr 2018 11:13
by pdwalker
Can you show me the contents of your archives.filename.rules.conf file?

Re: block deny extension in .zip or .rar file

Posted: 02 May 2018 12:41
by jamerson
Make sure you have the below in the MailScanner config file.

Code:

/etc/MailScanner/MailScanner.conf
Allow Password-Protected Archives = %rules-dir%/password-archives.rule
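The two settings discussed above (the four-field deny rules in archives.filename.rules.conf and Maximum Archive Depth, from pdwalker's post) and the password-protected-archive question raised just above interact in a way that is easy to get wrong, so here is an added, stand-alone Python checker that is not part of EFA or MailScanner. It parses a rule set in the same tab-separated layout as the forum's rule lines, walks a constructed zip that hides invoice.scr inside a nested attachments.zip, stops recursing at a given Maximum Archive Depth, and reports encrypted members that a filename rule can never inspect. The rule text, the archive, and the case-insensitive matching are assumptions made for this example; MailScanner's own Perl code is not used.

```python
import io
import re
import zipfile

# Constructed rule set in the four-field archives.filename.rules.conf layout:
# action <tab> pattern <tab> log text <tab> user report (example data).
SAMPLE_RULES = (
    "# These 2 added by popular demand - Very often used by viruses\n"
    "deny\t\\.com$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.scr$\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses\n"
    "allow\t.*\t-\t-\n"
)


def parse_rules(text):
    """Return a list of (action, compiled pattern, log text, user report).

    Comment and blank lines are skipped; fields are split on tabs. Matching is
    done case-insensitively (an assumption for this example)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) < 2:
            continue
        action = fields[0].lower()
        pattern = re.compile(fields[1], re.IGNORECASE)
        log = fields[2] if len(fields) > 2 else ""
        report = fields[3] if len(fields) > 3 else ""
        rules.append((action, pattern, log, report))
    return rules


def first_match(rules, name):
    """First rule whose pattern matches the member name wins; no match allows."""
    for action, pattern, log, report in rules:
        if pattern.search(name):
            return action, log, report
    return "allow", "", ""


def scan_archive(data, rules, max_depth, depth=1, prefix=""):
    """Walk a zip held in memory and return (member path, verdict, reason) tuples.

    max_depth mirrors Maximum Archive Depth: 0 means the archive is not opened
    at all, 1 inspects only top-level members, 2 also opens zips nested once,
    and so on. Encrypted members are reported as 'encrypted' because their
    contents cannot be inspected by any rule."""
    findings = []
    if max_depth < 1:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            action, log, _report = first_match(rules, info.filename)
            if action == "deny":
                findings.append((path, "deny", log))
            elif info.flag_bits & 0x1:  # bit 0 of the general purpose flags = encrypted
                findings.append((path, "encrypted", "contents cannot be inspected"))
            elif info.filename.lower().endswith(".zip") and depth < max_depth:
                findings.extend(scan_archive(zf.read(info), rules, max_depth, depth + 1, path + "/"))
            else:
                findings.append((path, "allow", ""))
    return findings


def verdict(data, rules_text, max_depth):
    """Overall decision for the archive: 'deny' if any inspected member is denied."""
    findings = scan_archive(data, parse_rules(rules_text), max_depth)
    return "deny" if any(v == "deny" for _, v, _ in findings) else "allow"


def build_sample_zip():
    """Constructed test archive: invoice.scr inside attachments.zip, which sits
    next to a harmless readme.txt in the outer zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.scr", b"not really a screensaver")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for depth in (0, 1, 2):
        print(f"Maximum Archive Depth = {depth}: {verdict(sample, SAMPLE_RULES, depth)}")
        for finding in scan_archive(sample, parse_rules(SAMPLE_RULES), depth):
            print("   ", finding)
```

Running it shows the point made in the thread: with depth 0 nothing inside the archive is looked at, with depth 1 the nested attachments.zip is listed but never opened, and only at depth 2 does invoice.scr hit the \.scr$ deny rule. An encrypted member would appear as 'encrypted' at whatever depth it sits, which is why the password-protected-archives setting matters separately from the filename rules.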

Re: block deny extension in .zip or .rar file

Posted: 07 May 2018 06:10
by flaitsman
Sorry for my bad English. I have the same problem. EFA does not find executable files in rar archives (.exe, .com etc.).
My archives.filename.rules.conf contains:

# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email

but .com and .exe files are not blocked in rar and 7z archives...

Re: block deny extension in .zip or .rar file

Posted: 08 May 2018 10:00
by shawniverson
I'll run a test with this information and see if I can reproduce.

Re: block deny extension in .zip or .rar file

Posted: 28 May 2018 18:18
by flaitsman
Any suggestions to solve the problem? I block RAR in filename.rules.conf and analyze the files manually in quarantine...
The problem started after the EFA update.

Re: block deny extension in .zip or .rar file

Posted: 29 May 2018 21:53
by shawniverson
So far I am unable to reproduce, but I am on a natively built appliance. Which version did you upgrade from, so that I can follow the same path?

Re: block deny extension in .zip or .rar file

Posted: 16 Jul 2019 08:48
by benscha
Hey guys,

I have the same issue here... EFA-3.0.2.6.

Code:

Maximum Archive Depth = 4
Find Archives By Content = yes

In /etc/archive.filetype.rules.conf I have the following line:

Code:

deny	\.exe$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email

Also, Sophos detects the file but does not block it. This report is generated by mail:

Code:

A threat classified as 'Mal/FareitVB-N' was detected in the file '/var/spool/MailScanner/incoming/63033/0915B100F51.A0508/nQuotation $ Specification.zip' when attempting to open it at Fri Jul 12 15:05:26 2019 CEST +0300 (2019-07-12 13:05:26 UTC).  Access to the infected file was not allowed.

I'm a bit puzzled by the following text in the mail: "Access to the infected file was not allowed."

savd is running as root:

Code:

root      1761  0.0  0.0 592508  5284 ?        Sl   Jul15   0:04 savd etc/savd.cfg

Anyone have any idea?