MailScanner: No programs allowed (4workbook.bin)

omer
Posts: 39
Joined: 11 Oct 2017 15:23

MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello,

I just started using EFA. I am very happy in general terms. But there are a few minor problems that I have not been able to figure out for a long time.

Some people send e-mails with an extension of "xlsb" or similar. EFA is preventing these types of mail.

I saw some messages written on the forum to accept such files, but I could not get a solution.

How can I solve this? Please help me with this.

I got the error message: MailScanner: No programs allowed (4workbook.bin)

Bad Content

I added the sender to the white list, but that was not the solution.

Thank you.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

To help with your problem:

1/ list the exact extensions here

2/ give the exact error message received for that extension

3/ tell us where you saw that error message (I need that information to make sure I am talking about the same thing you are talking about)
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello,

Extensions XLSB

http://prntscr.com/in78jz

Thank you.
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

This is a message from the E.F.A. E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "FinansmanMuavin20180305110512.xlsb"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.

At Mon Mar 5 17:48:23 2018 the virus scanner said:
MailScanner: No programs allowed (4workbook.bin)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

Strange.

Are you sure there are no other systems that are scanning the mail?

I sent an xlsb file to myself and it was delivered correctly.

Also, in my system in the filename and filetypes configuration files, I have no references to any of these extensions.

> The original e-mail attachment "FinansmanMuavin20180305110512.xlsb"
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> At Mon Mar 5 17:48:23 2018 the virus scanner said:
> MailScanner: No programs allowed (4workbook.bin)

That error message seems unfamiliar to me, and it makes me think that there is another scanning system somewhere that is blocking those particular extensions. Are you absolutely sure how your mail flows from the outside world to the final destination?

Can you post the results of running "clamconf" here so we can check if there is anything different there?


Does anyone else recognize those error messages?
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello,

Clamconf content is linked.
https://paste.ubuntu.com/p/7rr5vV2ZSc/
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

Thanks.

That’s not it then.

Can you tell me exactly what servers your mail passes through on your network?

Perhaps you can send me the headers of a message that has gone through and a message that got the block message.

A PM will do if you don’t want to post the headers publicly.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

OK, that was tricky.

The problem is this:

Excel xlsb files are actually zip files. When you set the "Maximum Archive Depth" to a non zero value in /etc/MailScanner/MailScanner.conf then mailscanner will look inside the archives for bad file types.

In this case, the xlsb contains a file called workbook.bin and .bin is a banned file extension.

There are two solutions:

1/ disable the blocking of binary extensions. HAhaha.. no, I'm kidding. Never never do this.

2/ Disable the mailscanner archive scanning by setting the Maximum Archive Depth = 0 and restart mailscanner.

I'd previously disabled this years ago on my own installation, so I had forgotten all about it.

What's the downside of this? Well, spammers could send zip attachments containing the phish/viruses and they won't be rejected outright, although there is a chance that clamav will catch it if it is a real virus.

If anyone has a better solution, I'd love to know about it.
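
Added example (not part of the original thread and not MailScanner's own code): a simplified Python model of the behaviour described in the post above, where a filename rule is applied to the members of an archive only while unpacking is enabled. The `.bin` deny pattern, the `scan` helper and the member names of the constructed workbook are assumptions made for illustration.

```python
import io
import re
import zipfile

# Assumed stand-in for the site's banned-extension rule (the thread only says .bin is banned).
DENY = re.compile(r"\.bin$", re.IGNORECASE)

def make_zip(members):
    """Build a zip archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan(name, data, max_depth, depth=0):
    """Return denied file names; archives are opened only while depth < max_depth."""
    hits = []
    if DENY.search(name):
        hits.append(name)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                base = info.filename.rsplit("/", 1)[-1]  # rules see the bare file name
                hits += scan(base, zf.read(info), max_depth, depth + 1)
    return hits

# Constructed sample: an .xlsb is a zip container whose parts end in .bin.
XLSB = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.bin": b"\x00",
    "xl/worksheets/sheet1.bin": b"\x00",
})
# Constructed sample: a banned name one archive level further down.
NESTED = make_zip({"inner.zip": make_zip({"tool.bin": b"x"})})

if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, scan("report.xlsb", XLSB, depth), scan("bundle.zip", NESTED, depth))
```

With depth 0 the workbook passes because nothing inside it is inspected, and the same setting also lets the nested `tool.bin` through, which is the trade-off the post describes.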
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Thank you very much for your help, PDWalker,
On your note, the mails are successful.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

No worries. It was a useful learning experience.
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello

What to do for this. Similarly, these files are also blocked.

Report: MailScanner: Files containing CLSID's are trying to hide their real type (%7B90AD475B-0794.pdf)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

Can you forward me that attachment with that name? I believe you had my address. I would like to see if my system blocks it as well.

The only rule I can find in the archives and filename rules is the following:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

I confess, I do not quite understand that regex. Any string containing the letters a to h (upper and lower), numbers 0-9, surrounded by curly braces and at least 25 characters long? But a CLSID looks like {557cf406-1a04-11d3-9a73-0000f81ef32e}

However your filename, %7B90AD475B-0794.pdf doesn't match that. %7b is a url encoded { character, but there is no matching }

You could try commenting out these rules, restarting mailscanner and sending the file to yourself again to see what happens and whether it resolves your issue.

However, I'm still confused as to why this rule seems to be the one triggering the block. It shouldn't be, but that's the only thing I can find that matches the error message.

:think: Hmmmm....
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

I do not have the file, unfortunately. I will ask the user to resend it. I created a file with the same name for experiment purposes and sent this file to myself. Mail came in without any problems.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

I wonder if you could "release" his previous message to an external address?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

An update:

The file name was {62F05FCF-5F9C-40EA-9AE7-364775407023}.pdf which I find to be rather a silly file name.

So, those two rules will deny this UUID based file name.

Two possible solutions:

Solution 1: disable these rules

Solution 2: tell the sender to send the file using a human readable file name.
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello,

How should I organize the rule?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

Hi Ömer,

I’m not sure what you mean.

If these files are important and the names won’t change, you’ll need to disable the rules.
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello
I think the file names are similar. So I want to define it as a rule. What kind of rule should I apply?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

My apologies Omer, I am not sure what you want to do.

Do you want to block files with this kind of name, or do you wish to let them through, or is it something else?
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

I want to allow this type of file.

Thank you.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: MailScanner: No programs allowed (4workbook.bin)

Post by pdwalker »

Oh! That's easy. Look in the following files for these lines:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

Add in a # character in front of the deny command and that will disable the rule preventing these files from being delivered, like so:

archives.filename.rules.conf: # Deny filenames containing CLSID's
archives.filename.rules.conf: # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
filename.rules.conf:          # Deny filenames containing CLSID's
filename.rules.conf:          # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

The two files are in /etc/MailScanner/
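
Added example (not part of the original thread and not MailScanner's own code): a small Python model for checking what the quoted deny rule matches, and what a narrower allow rule placed above it would let through instead of commenting the rule out. It assumes rules are evaluated top to bottom with the first match deciding; the allow pattern, the `decide` helper and the sample names other than the two file names quoted in the thread are hypothetical.

```python
import re

# The deny rule as quoted in the thread: (action, regex, report text).
DENY_CLSID = ("deny", r"\{[a-hA-H0-9-]{25,}\}",
              "Files containing CLSID's are trying to hide their real type")

# Hypothetical narrower alternative: allow only "{UUID}.pdf" as the whole name.
ALLOW_UUID_PDF = ("allow",
                  r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.pdf$",
                  "-")

def decide(filename, rules):
    """Assumed semantics: first matching rule wins; no match means allow."""
    for action, pattern, _report in rules:
        if re.search(pattern, filename):
            return action
    return "allow"

# File names quoted in the thread, plus constructed names built from the CLSID
# pdwalker cites, to confirm the deny rule still fires when the braces are
# not the entire base name.
SAMPLES = [
    "{62F05FCF-5F9C-40EA-9AE7-364775407023}.pdf",      # from the thread
    "%7B90AD475B-0794.pdf",                            # from the thread
    "notes.{557cf406-1a04-11d3-9a73-0000f81ef32e}",    # constructed
    "{62F05FCF-5F9C-40EA-9AE7-364775407023}.pdf.exe",  # constructed
]

def compare(samples):
    """Return {name: (decision with deny only, decision with allow first)}."""
    return {
        name: (decide(name, [DENY_CLSID]),
               decide(name, [ALLOW_UUID_PDF, DENY_CLSID]))
        for name in samples
    }

if __name__ == "__main__":
    for name, result in compare(SAMPLES).items():
        print(result, name)
```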
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: MailScanner: No programs allowed (4workbook.bin)

Post by omer »

Hello,

I just applied the following rule and it worked fine.

filename.rules.conf: # deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type

Thank you so much.