So, now that the filter is working it’s blocking files we don’t want to block. Haha.
According to etc/amavisd.conf…
$banned_namepath_re = new_RE(
qr/(?mix-s:(?#CLASS Exec) ^ (.*\t)? (T=|N=([^\.]+\.)+)(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf) (\t.*)? $)/,
qr/(?mix-s:(?#CLASS Arch) ^ (.*\t)? (T=|N=([^\.]+\.)+)(zip|7z|rar|tar|gz|cab|bz2?) (\t.*)? $)/
);
According to the log a docx is blocked…
Sep 10 09:58:09 server9b amavis[6586]: (06586-09) Blocked BANNED (CLASS Arch:.txt,_rels/.rels) {RejectedInbound,Quarantined}, [209.85.220.46]:34181 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] <email@gmail.com> -> <service@email.com>, Message-ID: <A05A6280-232B-43FD-A609-3E2252D8BFEC@gmail.com>, mail_id: v0xe2apWnTsE, Hits: -, size: 645077, 1028 ms
So why is archive blocking docx if that extension isn’t explicitly stated?
zamboni
(Stefano)
September 10, 2015, 5:28pm
2
because a docx is just a zip file with a changed extension…
try renaming it to filename.zip and opening it with WinZip…
Now, I turned off Archive, turned on Custom and added “zip,rar,tar,gz,cab,xlsx” but, as you say, it still blocks the docx because it sees it as a zip.
and according to the log…
Sep 10 10:29:28 server9b amavis[7936]: (07936-01) Blocked BANNED (CUSTOM:.txt,_rels/.rels) {RejectedInbound,Quarantined}, [209.85.220.41]:36199 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] email@gmail.com -> service@email.com , Message-ID: FCE169AA-73CC-497B-B253-7BF553C58FEC@gmail.com , mail_id: Nb6aqfkegzID, Hits: -, size: 645418, 13036 ms
So this leads me to the business question of how we can block zip files without blocking docx?
Like so?
[ qr'(\.docx)$' => 0 ],
Which template would this be added to so the config survives reboot?
Would I add it here, like so?
[root@server9b amavisd.conf]# cat 70banned_files
#
# 70banned_files
#
$banned_filename_re = undef;
$banned_namepath_re = new_RE(
[ qr'(\.docx)$' => 0 ],
{
join(",\n ", map {Dumper($_)} @banned_namepath_re);
}
);
#
# Prepend custom file(1) type match for CDF MS-Office documents: will
# be evaluated before the default map that falls back into "dat" type.
#
unshift @map_full_type_to_short_type_maps, \new_RE(
[qr/^(Composite\ Document\ File|CDF)\ V2\ Document.*Microsoft\ Office/ => 'doc'],
[qr/^OpenDocument/ => ['odc', 'odt', 'odp', 'odb', 'odg', 'odf']],
);
giacomo
(Giacomo Sanchietti)
September 11, 2015, 7:06am
6
Maybe @davidep knows how to handle the exception.
By the way, I know we already faced the problem and there is no real workaround.
As Stefano said, docx are zip files!
1 Like
davidep
(Davide Principi)
September 11, 2015, 7:44am
7
I agree with @giacomo. Indeed there can be anything good or bad inside an archive: it’s just like a container, an envelope.
Perhaps a good reason to have an “Archive” class shown on the UI is enabling it as a temporary workaround for a new malware epidemic, waiting for AV updates or other countermeasures.
Anyway it would be valuable if @fasttech finds the right regular expression to handle the .docx exception! I think he’s on the right track!
1 Like
zamboni
(Stefano)
September 11, 2015, 10:38am
8
I can’t help you with regexp… but I can remind you to create a custom fragment in the /templates-custom tree, otherwise an update could delete your edit.
zamboni
(Stefano)
September 11, 2015, 10:41am
9
So far I’ve tried several iterations of syntax as well as an override file without success.
Nas
(Artem Fedai)
September 13, 2015, 6:02pm
11
Add this to $banned_namepath_re
# # allow true office docs
[ qr'(?# SPECIAL ALLOW OFFICE - MAGIC NAMES)
(.*\t)? T=(doc|mdb)
\t(.*\t)? N=[^\t\n]* \. (doc|rtf|msg|mdb|ppt|mmp|prj|xls)
(\t.*)? $'xmi => 0 ],
Nas
(Artem Fedai)
September 13, 2015, 9:54pm
12
@fasttech please test my proposal, then I’ll try to implement it.
Nas
(Artem Fedai)
September 14, 2015, 10:04pm
13
So I think it is preferable to use:
$banned_filename_re = new_RE(
[ qr'..(docx)$'i => 0 ],
);
I have tested it yet
Today I looked into this again.
I changed the banned part of /etc/e-smith/templates/etc/amavisd.conf/70banned_files
from;
$banned_filename_re = undef;
to
$banned_filename_re = new_RE( [qr'(\.docx)$' => 0], );
…now it allows docx through and still bans xlsx and zip.
…but… I renamed an exe file’s ext from exe to docx and amavis lets that through too.
I renamed an exe file’s ext from exe to doc and that is banned as an exe so while it’s letting docx through, it’ll let anything with a docx ext through.
The point here is to exclude docx from being banned as an archive but still scanning the file so that an exe renamed as a docx would still be banned because it’s really an exe, meaning docx should still be scanned under all rules except the archive ban rule.
Boy oh boy.
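The behaviour fasttech describes above (an allow rule keyed on the `.docx` extension alone also lets a renamed exe through, while a rule that checks the detected type together with the declared name does not) can be reproduced with a small model of how amavisd walks `$banned_namepath_re`. This is an added example written for this thread, not code from amavisd or NethServer. It assumes a simplified per-part line format `P=<part>\tT=<short type>\tN=<name>` (the real name path carries more attributes), replaces file(1) with a tiny magic-byte stand-in `short_type()` that reports a docx as `zip` exactly as the log above shows, and the `T=zip` + `N=*.docx` allow rule is a hypothetical adaptation of Nas’s `T=(doc|mdb)` pattern. All attachments below are constructed in memory.

```python
"""Model of amavisd's banned_namepath_re evaluation (added example, simplified).

Rules are tried in order; the first regexp that matches the name path decides,
with value 0 meaning "allow" and 1 meaning "ban", as in new_RE([...] => 0).
"""
import io
import re
import zipfile


def short_type(data: bytes) -> str:
    """Stand-in for the file(1)-derived short type: looks at content, not name."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"   # a .docx is an OOXML package, i.e. a ZIP local-file header
    if data.startswith(b"MZ"):
        return "exe"   # DOS/PE executable
    try:
        data.decode("ascii")
        return "txt"   # the inner _rels/.rels from the log is plain XML text
    except UnicodeDecodeError:
        return "dat"


def make_docx() -> bytes:
    """Constructed minimal OOXML-style archive with the members amavis unpacks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def namepath_lines(name: str, data: bytes, part: str = "p001") -> str:
    """One line for the part, then one per archive member (amavis descends into archives)."""
    lines = [f"P={part}\tT={short_type(data)}\tN={name}"]
    if short_type(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for i, info in enumerate(z.infolist(), start=1):
                member = z.read(info.filename)
                lines.append(f"P={part}/{i}\tT={short_type(member)}\tN={info.filename}")
    return "\n".join(lines)


FLAGS = re.I | re.M
# The two default classes from /etc/amavisd.conf, without the /x whitespace.
EXEC = re.compile(r"^(.*\t)?(T=|N=([^.]+\.)+)"
                  r"(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf)"
                  r"(\t.*)?$", FLAGS)
ARCH = re.compile(r"^(.*\t)?(T=|N=([^.]+\.)+)(zip|7z|rar|tar|gz|cab|bz2?)(\t.*)?$", FLAGS)

DEFAULT = [(EXEC, 1), (ARCH, 1)]
# First attempt from the thread: allow anything whose declared name ends in .docx.
EXT_ONLY = [(re.compile(r"\.docx$", FLAGS), 0)] + DEFAULT
# Hypothetical rule in the style of Nas's proposal: detected type AND declared name.
TYPE_AND_NAME = [(re.compile(r"^(.*\t)?T=zip\t(.*\t)?N=[^\t\n]*\.docx$", FLAGS), 0)] + DEFAULT


def verdict(rules, path: str) -> str:
    """First matching rule wins; no match means the part is not banned."""
    for rx, banned in rules:
        if rx.search(path):
            return "banned" if banned else "allowed"
    return "allowed"


# Constructed samples: a real docx, an exe renamed to .docx, and a plain zip.
DOCX = make_docx()
EXE = b"MZ\x90\x00" + bytes(60)   # constructed PE header stub, enough for the magic check
SAMPLES = {"report.docx": DOCX, "evil.docx": EXE, "archive.zip": DOCX}


def run(rules) -> dict:
    return {name: verdict(rules, namepath_lines(name, data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT), ("ext-only allow", EXT_ONLY),
                         ("type+name allow", TYPE_AND_NAME)):
        print(f"{label:16s} {run(rules)}")
```

Two things carry over to a real amavisd.conf: the allow entry must precede the archive entry, because the first match decides, and a `T=zip` + `.docx` rule still cannot tell a genuine document from an arbitrary zip renamed to `.docx`, which is the envelope problem giacomo and davidep point out; it only closes the renamed-executable hole.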