[Esd-l] A couple of questions and an unchecked extension

John D. Hardin jhardin at impsec.org
Tue Sep 3 20:32:01 PDT 2002

On Tue, 3 Sep 2002, Juan Maria Gil wrote:

> But before asking them, although I suppose that everyone knows it,
> beware of files with ".cpl" extensions, I've had to add this
> extension to the mangle list to prevent the spread of the Duni
> worm on my system.

That's in the default mangle list for the next release.

> I've found that macro check cannot effectively poison a message
> whose attachment isn't mangled as Office documents that can be
> checked for macro viruses without being on the mangle list. After
> reading the archives of this list I've understood that the only
> way of preventing this message from reaching its recipient is by
> activating the quarantine option. So far I'm doing this but I'd
> like to know if there is any alternative.

That is correct. At the moment there is no alternative. I hope to make
this more flexible in the rewrite, but as it stands the message has
already been processed past the attachment when macro scanning
completes, so there'd be no way to strip the attachment.

> I've noticed that when a message is stripped of its attachment the
> sender isn't notified as with poisoning. Is this the normal
> behaviour? Can it be changed? I've read on the archives a few
> questions about this subject but no answer.

Not as a separate message, no, but within the message a text body part
is added saying the attachment was stripped.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   106 days until The Two Towers
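
The extension-based mangling discussed in this thread, sketched as an added example (not part of the original post and not the sanitizer's own code). The extension set, the `DEFANGED-` renaming scheme and all function names are assumptions for illustration; the sample message is constructed.

```python
import re
from email.message import EmailMessage

# Assumed extension list for this sketch; "cpl" is the one raised in the thread.
MANGLE_EXTENSIONS = {"exe", "scr", "pif", "vbs", "cpl"}
# Windows ignores trailing dots and spaces in a file name, so match past them.
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)[. ]*$")

def mangle_name(filename):
    """Return a defanged name if the final extension is listed, else None."""
    m = _EXT_RE.search(filename or "")
    if not m or m.group(1).lower() not in MANGLE_EXTENSIONS:
        return None
    # Assumed renaming scheme: keep the stem, neutralise the extension.
    return f"{filename[:m.start()]}.DEFANGED-{m.group(1).lower()}"

def mangle_message(msg):
    """Rename listed attachments in place; return the original names changed."""
    changed = []
    for part in msg.walk():
        name = part.get_filename()
        new = mangle_name(name)
        if new is None:
            continue
        # The name may be carried in either header; rewrite each that has it.
        if part.get_param("filename", header="content-disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        changed.append(name)
    return changed

def build_sample():
    """Constructed message: one listed attachment, one unlisted."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="Update.CPL")
    msg.add_attachment("hello", filename="notes.txt")
    return msg

if __name__ == "__main__":
    sample = build_sample()
    print(mangle_message(sample))
    print([p.get_filename() for p in sample.walk() if p.get_filename()])
```
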
