Blocking certain file extensions inside archive files to stop malware.

ozgurerdogan

Unfortunately clamd does not detect js files inside zip files, and those attachments may be hard to filter. So I want to find an easier solution to block certain files, but so far it does not seem to be working. I see many threads say it works well. Can you please take a look:

in exim.conf, I added below right after "check_message:"
Code:
# check attachment
deny
    message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url

# check attachment inside zip file
deny
    message   = Attachment has unsupported file format inside zip file
    log_message = File extension rejected.
    demime    = zip
    condition = ${run{/bin/sh -c '/usr/local/sbin/exim_check_zip.sh $message_exim_id'}{0}{1}}

and in exim_check_zip.sh:
Code:
#!/bin/bash
# Called from the Exim ACL with the message id as $1; demime unpacks the
# attachments of that message into this directory. If it is missing there is
# nothing to check, so accept rather than scanning the current directory.
cd "/var/spool/exim/scan/${1}" || exit 0
# Check every zip attachment in the scan directory.
for i in $( ls | egrep -i '[.]zip' )
do
# List the zip contents (dropping the header and footer lines of "unzip -l")
# and count member names that end in a blocked extension.
if [ $( unzip -l "${i}" | \
  tail -n +4 |head -n -2 | \
  egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip|js)$' | \
  wc -l ) -gt 0 ]
then
 exit 1   # non-zero exit -> ${run{...}{0}{1}} yields "1" -> condition true -> deny
fi
done
exit 0    # clean -> "0" -> condition false -> message is accepted
and
Code:
 chmod +x /usr/local/sbin/exim_check_zip.sh
and restarted exim and sent a zip file containing a .js file.

But it does not seem to be blocking. What am I missing? I suspect the condition part is not running but I am not sure how to debug / correct it.
 
Hey ozgurerdogan.

Tests done.
Works great for me... Thank you very much for this cool script!

mario
 
You might allow only zip files and do the above check for zip files only, and tell clients to send only zip archives, which are widely common.
Here are the extensions you can block:
Code:
7z:s7z:ace:afa:alz:apk:arc:arj:b1:ba:bh:cab:car:cfs:cpt:dar:dd:dmg:ear:gca:ha:hki:ice:jar:kgb:lzh:lha:lzx:pak:partimg:paq6:paq7:paq8:pea:pim:pit:qda:rk:sda:sea:sen:sfx:sit:sitx:sqx:tar.gz:tgz:tbz2:tlz:uc:uc0:uc2:ucn:ur2:ue2:uca:uha:war:wim:xar:xp3:yz1:zoo:zpaq:zz:rar
 
Helppp pls!

Path was incorrect, not exim4 must be exim.
I don't understand what you mean, I'm desperate! The virus continues to flow. I have already implemented this and added ZIP blocking generally, but the virus continues to flow, please help me,

regards
 
Check if AV is working...
Take a look in the mail headers... do you see the text "X-Antivirus-Scanner:" ?
 
I tried this solution, but it doesn't work at all. How can I check if it works? As a test I sent a zip within a zip and it just passes.
I also added the wsf extension because they're also sent a lot.
 
Just make sure to chattr the file immutable otherwise it might be overwritten by custombuild.
 
Hi,

Is it possible to do the same thing with rar? I've tried to change this script to rar, but I can't make it work.
 
What I did is:

I've added another deny:

Code:
  deny
    message   = Attachment has unsupported file format inside rar file
    log_message = RAR - File extension rejected.
    demime = rar
    condition = ${run{/bin/sh -c '/usr/local/sbin/check_rar.sh $message_exim_id'}{0}{1}}

and in the check_rar.sh, I've got:

Code:
#!/bin/bash
# Called from the Exim ACL with the message id as $1; demime unpacks the
# attachments there. Accept if the directory is missing instead of scanning cwd.
cd "/var/spool/exim4/scan/${1}" || exit 0
# Check every rar attachment in the scan directory.
for i in $( ls | egrep -i '[.]rar' )
do
# "rar vt" prints a verbose listing with one "Name: ..." line per member;
# count the names that end in a blocked extension.
if [ $( rar vt "${i}" | \
  egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|js)$' | \
  wc -l ) -gt 0 ]
then
	exit 1   # non-zero exit -> condition true -> deny
fi
done
exit 0    # clean -> condition false -> accept
 
I would also like to have rar checked but I don't like to adjust my exim.conf file, because I want to have it updated by custombuild when needed.

However, in the ESF exim_check_attachment.sh I find this:
Code:
#!/bin/sh

if [ "${1}" != "zip" ]; then
        echo "$0: we can only scan zip files";
        exit 0
fi

UNZIP=/usr/bin/unzip
etc.

Can't this be adjusted a little bit so also .rar is checked?
In that case we don't need to adjust exim.conf but only change (and chattr) this file.
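An added example, not any of the scripts posted in this thread nor the ESF exim_check_attachment.sh: one checker that covers both the zip check from the first post and the rar request above, written so it can be dropped into the same ${run{...}{0}{1}} condition. It lists members with "unzip -Z1" and "unrar lb" (both print bare names, so no trimming of "unzip -l" columns), matches the blocked extension against the whole member name case-insensitively, handles Windows CR line endings and filenames with spaces, and treats a nested zip or rar as blocked. The spool directory, the script name and the tool paths are assumptions (this forum's builds unpack into /var/spool/exim/scan, Debian's exim4 packages into /var/spool/exim4/scan); the extension list is the thread's plus wsf, jse and vbe.

```shell
#!/bin/sh
# exim_check_archive.sh (added example, not a script from this thread)
# Exit 1 when a zip or rar attachment of the given message contains a member
# whose name ends in a blocked extension; exit 0 otherwise.
#
# Exim ACL use, same shape as the thread's condition (exit 0 -> "0" -> condition
# false; any other exit -> "1" -> deny); no /bin/sh -c wrapper is needed:
#   deny
#     message     = Attachment contains a blocked file type inside an archive
#     log_message = archive member rejected
#     demime      = zip:rar
#     condition   = ${run{/usr/local/sbin/exim_check_archive.sh $message_exim_id}{0}{1}}

# Assumed spool location: demime unpacks into /var/spool/exim/scan/<exim id>
# on this forum's builds; Debian's exim4 packages use /var/spool/exim4/scan.
SCAN_BASE="${SCAN_BASE:-/var/spool/exim/scan}"

# Extensions blocked inside an archive: the thread's list plus wsf/jse/vbe and
# nested archives. Matched against the whole member name, case-insensitively.
BLOCKED_EXT='bat|btm|cmd|com|cpl|dll|exe|js|jse|lnk|msi|pif|prf|reg|scr|vb|vbs|vbe|wsf|url|zip|rar'

# check_listing: read member names (one per line) on stdin. Print the first
# blocked name and return 1 if there is one; return 0 when the listing is clean.
# CRs are stripped so names written by Windows zip tools still match, and a
# directory entry such as "exe/" does not match because the name must end in
# the extension itself.
check_listing() {
    found=$(tr -d '\r' | grep -Ei '\.('"$BLOCKED_EXT"')$' | head -n 1)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# list_archive FILE: print member names one per line. "unzip -Z1" and
# "unrar lb" both emit bare names. Other files, and archives the tools cannot
# read, yield nothing (so a missing tool fails open, like the thread's script).
list_archive() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.zip) unzip -Z1 "$1" 2>/dev/null ;;
        *.rar) unrar lb "$1" 2>/dev/null ;;
        *)     : ;;
    esac
}

# check_message_dir EXIM_ID: scan every zip/rar demime left for this message.
# Names are read with "read -r" so spaces in filenames are handled. Returns 1
# on the first hit: the while loop runs in the pipeline's subshell, so the
# "exit 1" there becomes the pipeline's, and thus the function's, status.
check_message_dir() {
    dir="$SCAN_BASE/$1"
    if [ ! -d "$dir" ]; then
        echo "$0: no scan directory $dir, nothing to check" >&2
        return 0
    fi
    find "$dir" -maxdepth 1 -type f \( -iname '*.zip' -o -iname '*.rar' \) -print |
    while IFS= read -r archive; do
        hit=$(list_archive "$archive" | check_listing) && continue
        echo "$0: blocked member '$hit' in $(basename "$archive")" >&2
        exit 1
    done
}

# Entry point: only runs when Exim passes the message id, so the functions
# above can be sourced and exercised without touching the spool.
if [ "$#" -eq 1 ]; then
    check_message_dir "$1"
    exit $?
fi
```

Install it the same way as the thread's script (copy to /usr/local/sbin, chmod +x, and chattr +i if custombuild would overwrite it). To see whether the condition fires at all, the log_message line is written to the Exim main log on each rejection, and the script's own diagnostics go to stderr, which Exim's debug output (exim -d) shows during a test delivery.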
 
Is anyone able to help?

I really need to scan rar files, any solution will do for me even change in exim.conf - I can always manually update it after directadmin update.
 
You provided your solution. What is wrong with it?

It's not working - nothing is happening :( The ZIP script works perfectly, RAR doesn't; it looks like Exim does not recognize the rar format. In my opinion the rar script is not even firing.
 