[Esd-l] ZIP scanning, take two (repost)

Mike Dini mdini at dinigroup.com
Mon Feb 23 10:41:09 PST 2004

Have we updates our sanitizer in the last few months?  Should we?

At 10:26 AM 2/23/2004, John D. Hardin wrote:
>On Mon, 23 Feb 2004, Mark Wendt (Contractor) wrote:
> > Okay, maybe I misundertook sumthin' here.  Is the Sanitizer going
> > to actually unzip the file, read the contents, determine whether
> > or not it's one of the bad boys, and if so, quarantine (strip) the
> > zip?
>The sanitizer will look for the ZIP archive's filename in the standard
>poison and strip lists (the same as for DOC and XLS and other Office
>files) and will quarantine the message or strip the zip attachment
>based on the standard rules. In other words, the sanitizer now
>recognizes the extension ".ZIP".
>The sanitizer will then scan the first-level filenames within the ZIP
>(e.g. zipping a zip will still bypass the scan) and quarantine *the
>message* based on whether any filenames it finds match the filespecs
>in your ZIPPED_FILES policy list.
> > IF so, thatn turn it on by default.  If not, and we're going to
> > base the quarantine on the type of extension, I would rather see
> > it turned off as the default.
>The default is what will be used if you do not provide an explicit
>policy for the content of ZIP archive attachments. Providing no
>default will duplicate the way things are presently (e.g. zipped
>*anything* will bypass the sanitizer). Providing a default will force
>you to override it with an explicit local policy if you do not want to
>automatically quarantine (or in your case, discard) a lot of ZIPs.
>I take it you vote "no default ZIP policy"?
> > We're extremely happy with the Sanitizer John, and look forward
> > to the new releases.
>Thanks! "nrl.navy.mil" - *that* is gratifying! :)
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
>                                 -- Peter da Silva in a.s.r
>    40 days until the Slovakian Presidential Election
>Esd-l mailing list
>Esd-l at spconnect.com

More information about the esd-l mailing list