Not scanning in zip files

Questions and answers about how to do stuff
fredcyr
Posts: 4
Joined: 15 Dec 2014 21:36

Not scanning in zip files

Post by fredcyr »

Hi,

I'm running version 3.0.0.6 and added the following line in the /etc/Mailscanner/archives.filetype.rules.conf to block screen-saver files in zip files.

Code:

deny    \.scr$          No Screen Saver         No Screen Saver Allowed

In Mailscanner.conf the "Archives: Filename Rules" is pointing to that file.

I've restarted the Mailscanner service but EFA is letting a SCR file in a ZIP pass through.

Any idea why?

Thanks

Fred
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

In /etc/MailScanner/MailScanner.conf:

Code:

# The maximum depth to which zip archives, rar archives and Microsoft Office
# documents will be unpacked, to allow for checking filenames and filetypes
# within zip and rar archives and embedded within Office documents.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0

You need to set this to a value greater than zero and then restart MailScanner.

Code:

sudo service MailScanner restart
fredcyr
Posts: 4
Joined: 15 Dec 2014 21:36

Re: Not scanning in zip files

Post by fredcyr »

Thanks!

It's working now.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: Not scanning in zip files

Post by curibe »

Can you give more details on what "Maximum Archive Depth" does? I believe the default is -1. What does -1 do?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

-1 is infinite depth, which is not advisable.

Code:

# The maximum depth to which zip archives, rar archives and Microsoft Office
# documents will be unpacked, to allow for checking filenames and filetypes
# within zip and rar archives and embedded within Office documents.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0

This setting just works for filename and filetype scanning rulesets.
rdns
Posts: 10
Joined: 20 Oct 2014 17:17

Re: Not scanning in zip files

Post by rdns »

I have set Maximum Archive Depth = 2. Seems like zipped Office 2003 files are blocked. Any suggestions?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

Can you share more info? What does the zipped file look like (filename) ?
rdns
Posts: 10
Joined: 20 Oct 2014 17:17

Re: Not scanning in zip files

Post by rdns »

Thank you so much. Sender says that Lotus Notes automatically zips the attachments and the attachments are named quote 4-14-15.zip. The zip file contains a .doc file created by MS Word 97-2003.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

What is the name of the .doc file inside the zipped file?
rdns
Posts: 10
Joined: 20 Oct 2014 17:17

Re: Not scanning in zip files

Post by rdns »

Same as the zip file name except it has .doc. Sender says they use Lotus Notes. Lotus Notes automatically zips attachments. These zip attachments are very low in size. Less than 200KB.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

Ok, now, can you post the exact block reason for the zipped doc file as it appears in the blocked file report?

You can find this by clicking the email in MailWatch and looking at the message details.
rdns
Posts: 10
Joined: 20 Oct 2014 17:17

Re: Not scanning in zip files

Post by rdns »

MailScanner: Message contained archive nested too deeply
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

Thank you.

Increase the depth on this setting...

Code:

Maximum Archive Depth = 2

The problem is that these Office documents are more than 2 levels deep....
rdns
Posts: 10
Joined: 20 Oct 2014 17:17

Re: Not scanning in zip files

Post by rdns »

I just set this setting to prevent all those .zip file related viruses/Trojans. Everything is working except that one client (big company) who uses an old version of MS Office and zips every single file with Lotus Notes before sending out as an email attachment.

- Not a folder inside a folder and zipped
- Not a zip inside a zip.
- It's simply a .doc file and it's zipped. Is that 2 levels deep?
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Not scanning in zip files

Post by shawniverson »

Yes, a .doc is like a .zip in the eyes of MailScanner. It gets "unzipped" so to speak, to scan its contents.
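
Added example, not part of the thread and not MailScanner's own code: a simplified Python model of depth-limited filename checking, showing why the `\.scr$` rule never fires at depth 0 and what a positive depth changes. It models zip nesting only, and the level-counting convention (members of the attached zip are level 1) is an assumption; MailScanner also unpacks rar archives and Office documents, so its count for a zipped .doc can be higher, as discussed above.

```python
import io
import re
import zipfile

# Deny rule taken from the thread: pattern plus the report text shown to the user.
DENY_RULES = [(re.compile(r"\.scr$", re.I), "No Screen Saver Allowed")]

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def check_archive(data, max_depth, level=1):
    """Return the block reasons for a zip attachment.

    max_depth: 0 disables the check, -1 is unlimited, N > 0 unpacks N levels.
    The level numbering is this example's assumption, not MailScanner's.
    """
    if max_depth == 0:
        return []  # feature disabled: member names are never inspected
    if max_depth != -1 and level > max_depth:
        return ["archive nested too deeply"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            for pattern, report in DENY_RULES:
                if pattern.search(info.filename):
                    reasons.append(f"{info.filename}: {report}")
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                # A nested archive costs one more level of depth.
                reasons += check_archive(member, max_depth, level + 1)
    return reasons

# Constructed samples (placeholder bytes, not real executables):
# a .scr directly inside a zip, and a .scr one zip deeper.
flat = make_zip({"invoice.scr": b"MZ"})
nested = make_zip({"docs.zip": make_zip({"photo.scr": b"MZ"})})

if __name__ == "__main__":
    for depth in (0, 1, 2, -1):
        print(depth, check_archive(flat, depth), check_archive(nested, depth))
```
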