[Esd-l] How to mangle contents of a .zip file?

John D. Hardin jhardin at impsec.org
Tue Mar 9 22:14:18 PST 2004

On Wed, 10 Mar 2004, Brian Hampton wrote:

> Yeah, I began writing such policies in procmail and then realized
> that it was going to be difficult to maintain the list of valid
> people/domains that would be allowed to exchange zipped executables.

Well, for internal use that should be a set it and forget it
configuration. Does your list of external contacts vary that much?

One way to simplify it might be to put a "key phrase" into the subject
that would let certain ZIPs be accepted.

> The reason this whole issue came up is because the sanitizer has
> worked so well that people aren't used to getting any kind of
> dangerous attachment (excellent work, btw!).  But the latest batch
> of .zip viruses that look like they come from me (the admin)
> fooled a couple folks.

Oops. Sorry. Mea culpa.


> I may have to put in something like ClamAV in addition to the
> sanitizer.

I've always recommended the sanitizer be part of a multilayer defense.
It is not a replacement for antivirus software on individual Windows
systems. I hope that any leakers got caught...

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   25 days until the Slovakian Presidential Election

More information about the esd-l mailing list