[Esd-l] ZIP scanning, take two (repost)

John D. Hardin jhardin at impsec.org
Mon Feb 23 10:26:10 PST 2004

On Mon, 23 Feb 2004, Mark Wendt (Contractor) wrote:

> Okay, maybe I misundertook sumthin' here.  Is the Sanitizer going
> to actually unzip the file, read the contents, determine whether
> or not it's one of the bad boys, and if so, quarantine (strip) the
> zip?

The sanitizer will look for the ZIP archive's filename in the standard
poison and strip lists (the same as for DOC and XLS and other Office
files) and will quarantine the message or strip the zip attachment
based on the standard rules. In other words, the sanitizer now
recognizes the extension ".ZIP".

The sanitizer will then scan the first-level filenames within the ZIP
(e.g. zipping a zip will still bypass the scan) and quarantine *the
message* based on whether any filenames it finds match the filespecs
in your ZIPPED_FILES policy list.

> If so, then turn it on by default.  If not, and we're going to
> base the quarantine on the type of extension, I would rather see
> it turned off as the default.

The default is what will be used if you do not provide an explicit
policy for the content of ZIP archive attachments. Providing no
default will duplicate the way things are presently (e.g. zipped
*anything* will bypass the sanitizer). Providing a default will force
you to override it with an explicit local policy if you do not want to
automatically quarantine (or in your case, discard) a lot of ZIPs.

I take it you vote "no default ZIP policy"?

> We're extremely happy with the Sanitizer John, and look forward 
> to the new releases.

Thanks! "nrl.navy.mil" - *that* is gratifying! :)
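The first-level filename check described in this thread, as an added example that is not the sanitizer's own code: it lists a ZIP's members without extracting anything, matches their names against a constructed ZIPPED_FILES-style list (shell-glob syntax is assumed here; the sanitizer's real filespec syntax may differ), and shows why a ZIP nested inside a ZIP is not seen by such a scan.

```python
import fnmatch
import io
import zipfile

# Constructed policy list: shell-style globs of member names that should
# cause the message to be quarantined. The real ZIPPED_FILES syntax is an
# assumption; only the matching idea is demonstrated.
ZIPPED_FILES = ["*.exe", "*.pif", "*.scr", "*.vbs"]


def first_level_names(zip_bytes):
    """Return the member names of a ZIP from its central directory,
    without extracting (and so without executing or parsing) any member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def zip_policy_hits(zip_bytes, policy=ZIPPED_FILES):
    """Names of first-level members that match the policy (case-insensitive).

    Only the first level is examined: a ZIP inside this ZIP is just one
    member called e.g. 'inner.zip', and its own contents are never opened.
    That is the "zipping a zip bypasses the scan" limitation from the post.
    """
    hits = []
    for name in first_level_names(zip_bytes):
        base = name.rsplit("/", 1)[-1].lower()   # ignore any directory part
        if any(fnmatch.fnmatchcase(base, pat.lower()) for pat in policy):
            hits.append(name)
    return hits


def build_zip(members):
    """Constructed sample input: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    direct = build_zip({"invoice.EXE": b"constructed", "readme.txt": b"hi"})
    nested = build_zip({"inner.zip": build_zip({"invoice.exe": b"constructed"})})
    print(zip_policy_hits(direct))   # ['invoice.EXE'] -> quarantine the message
    print(zip_policy_hits(nested))   # []              -> not seen at first level
```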

