Mailing List Archive: ClamAV: users

How can I have clamd reject items that can't be scanned?



pbradeen at gmail

Nov 8, 2011, 8:41 AM

Post #1 of 11 (920 views)
How can I have clamd reject items that can't be scanned?

I see that there are ways to limit the level of archive that will be
scanned as well as the size of the entities to be scanned. Is there a way
for CLAMAV to then flag them as not allowed? Seems that if you can't scan
it, it should be rejected.


Best regards,
Pete Bradeen
(203) 247-2113
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


per at computer

Nov 9, 2011, 1:31 AM

Post #2 of 11 (896 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

Peter Bradeen wrote:

> I see that there are ways to limit the level of archive that will be
> scanned as well as the size of the entities to be scanned. Is there a
> way for CLAMAV to then flag them as not allowed? Seems that if you
> can't scan it, it should be rejected.

It's not about not being able to scan, it's about not wanting to scan.
Regardless, clamav doesn't reject or approve mails, that's for your MTA
to do.


/Per Jessen, Zürich

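Per's point, that clamd only reports a result and the MTA decides what to do with it, is easiest to see from the MTA side. The following is an added example written for this thread, not ClamAV's own code: a small INSTREAM client whose policy is fail-closed, so an answer from clamd that is neither an explicit OK nor an explicit FOUND (an ERROR line, an empty reply, an unreachable daemon) is classified as "unscanned" and never mapped to "accept". Assumptions: clamd is reached over the Unix socket path in CLAMD_SOCKET (adjust it), the caller is a milter or content filter that turns the returned action into an SMTP response, and the reply formats handled ("<id>: OK", "<id>: <name> FOUND", "<text> ERROR") are the ones clamd uses for INSTREAM.

```python
"""
Fail-closed handling of clamd's INSTREAM reply (added example, not
ClamAV code).  clamd reports; this module decides.
"""
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumed path, adjust to your clamd.conf
CHUNK_SIZE = 64 * 1024


def instream_frames(data, chunk=CHUNK_SIZE):
    """Yield the frames of a NUL-delimited INSTREAM session: the command,
    then length-prefixed chunks (big-endian uint32 length followed by the
    bytes), then a zero-length chunk that terminates the stream."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)


def classify_reply(reply):
    """Turn one clamd reply line into (verdict, detail).

    verdict is 'clean' for "... OK", 'infected' for "... <name> FOUND",
    and 'unscanned' for "... ERROR", an empty reply, or anything else.
    The last bucket is what this thread is about: clamd refused or failed
    to scan, so the MTA must not treat the message as clean."""
    line = reply.strip().rstrip("\0").strip()
    status = line.split(": ", 1)[1] if ": " in line else line   # drop the "stream" id
    if status == "OK":
        return "clean", ""
    if status.endswith(" FOUND"):
        return "infected", status[:-len(" FOUND")]
    if status.endswith(" ERROR"):
        return "unscanned", status[:-len(" ERROR")]
    return "unscanned", status


def mta_action(verdict, unscanned_action="tempfail"):
    """Policy table: the MTA's answer for each verdict.  'unscanned' is
    configurable because sites differ on whether an unscannable message
    should be bounced (reject) or retried later (tempfail); accepting it
    is deliberately not an option."""
    if unscanned_action not in ("reject", "tempfail"):
        raise ValueError("unscanned_action must be 'reject' or 'tempfail'")
    return {"clean": "accept", "infected": "reject"}.get(verdict, unscanned_action)


def scan_bytes(data, sock_path=CLAMD_SOCKET, timeout=60):
    """Stream `data` to clamd and return (action, verdict, detail).
    Socket and protocol failures are folded into 'unscanned' so that a
    dead or overloaded clamd never turns into an accepted message."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            for frame in instream_frames(data):
                s.sendall(frame)
            reply = b""
            while not reply.endswith(b"\0"):
                buf = s.recv(4096)
                if not buf:          # clamd may close the connection after an ERROR
                    break
                reply += buf
    except (OSError, socket.timeout) as exc:
        verdict, detail = "unscanned", "clamd unreachable: %s" % exc
    else:
        verdict, detail = classify_reply(reply.decode("ascii", "replace"))
    return mta_action(verdict), verdict, detail
```

The caveat that matters for the original question: this only catches the cases clamd announces, such as a stream larger than StreamMaxLength ("INSTREAM size limit exceeded. ERROR") or a daemon that is down. An attachment that merely trips a limit inside an archive (MaxRecursion, MaxFileSize, MaxFiles) comes back as a plain OK in the release discussed here, which is exactly what Edwin's patch at the end of the thread changes.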


lists at sterenborg

Nov 9, 2011, 1:58 AM

Post #3 of 11 (898 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

On Wed, 2011-11-09 at 10:31 +0100, Per Jessen wrote:
> Peter Bradeen wrote:
>
> > I see that there are ways to limit the level of archive that will be
> > scanned as well as the size of the entities to be scanned. Is there a
> > way for CLAMAV to then flag them as not allowed? Seems that if you
> > can't scan it, it should be rejected.
>
> It's not about not being able to scan, it's about not wanting to scan.
> Regardless, clamav doesn't reject or approve mails, that's for your MTA
> to do.

If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to
do so I guess there's a task for ClamAV too..


--
Rob




linux at thehobsons

Nov 9, 2011, 4:41 AM

Post #4 of 11 (904 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

Per Jessen wrote:

>>> scan. Regardless, clamav doesn't reject or approve mails, that's for
>>> your MTA to do.
>>
>> If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to
>> do so I guess there's a task for ClamAV too..
>
>Well, I guess it depends on your point of view. Personally I see the
>MTA doing the rejection, possibly based on information from elsewhere
>(DNS, blacklists, clamav, wherever).

This is a rather pointless argument about semantics which doesn't
answer the original question. I'll rephrase it for the pedants:

>I see that there are ways to limit the level of archive that will be
>scanned as well as the size of the entities to be scanned. Is there
>a way for CLAMAV to then flag them as not allowed?

Oh, I see it works without modification. Is it possible for ClamAV to
flag that the message should be rejected if it can't be scanned -
seems a reasonable question to me. The OP didn't say "is it possible
for ClamAV to reject the message", they rather correctly asked about
"flagging it for rejection".

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


per at computer

Nov 9, 2011, 5:12 AM

Post #5 of 11 (902 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

Rob Sterenborg (lists) wrote:

> On Wed, 2011-11-09 at 10:31 +0100, Per Jessen wrote:
>> Peter Bradeen wrote:
>>
>> > I see that there are ways to limit the level of archive that will
>> > be
>> > scanned as well as the size of the entities to be scanned. Is
>> > there a
>> > way for CLAMAV to then flag them as not allowed? Seems that if you
>> > can't scan it, it should be rejected.
>>
>> It's not about not being able to scan, it's about not wanting to
>> scan. Regardless, clamav doesn't reject or approve mails, that's for
>> your MTA to do.
>
> If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to
> do so I guess there's a task for ClamAV too..

Well, I guess it depends on your point of view. Personally I see the
MTA doing the rejection, possibly based on information from elsewhere
(DNS, blacklists, clamav, wherever).


/Per Jessen, Zürich



per at computer

Nov 9, 2011, 9:22 AM

Post #6 of 11 (904 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

Simon Hobson wrote:

> Per Jessen wrote:
>
>> >> It's not about not being able to scan, it's about not wanting to
>>>> scan. Regardless, clamav doesn't reject or approve mails, that's
>>>> for your MTA to do.
>>>
>>> If you use ClamAV as milter, it's up to ClamAV to tell the MTA what
>>> to do so I guess there's a task for ClamAV too..
>>
>>Well, I guess it depends on your point of view. Personally I see the
>>MTA doing the rejection, possibly based on information from elsewhere
>>(DNS, blacklists, clamav, wherever).
>
> This is a rather pointless argument about semantics which doesn't
> answer the original question. I'll rephrase it for the pedants:
>
>>I see that there are ways to limit the level of archive that will be
>>scanned as well as the size of the entities to be scanned. Is there
>>a way for CLAMAV to then flag them as not allowed?
>
> Oh, I see it works without modification. Is it possible for ClamAV to
> flag that the message should be rejected if it can't be scanned -
> seems a reasonable question to me.

The OP started by saying "there are ways to limit the level of archive
that will be scanned as well as the size of the entities to be
scanned", which are performance optimizing options one can use if
desired. To which I commented that it's not about a message that can't
be scanned, but whether your limits allow it to be scanned. Remove the
limits, and everything is scanned (presumably only limited by hardware
resources).

Nonetheless, it is actually an interesting question - should/does clamav
return "not-scanned-due-to-user-restriction" in such cases?


/Per Jessen, Zürich



acabng at digitalfuture

Nov 9, 2011, 10:19 AM

Post #7 of 11 (910 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

On 11/08/11 17:41, Peter Bradeen wrote:
> I see that there are ways to limit the level of archive that will be
> scanned as well as the size of the entities to be scanned. Is there a way
> for CLAMAV to then flag them as not allowed? Seems that if you can't scan
> it, it should be rejected.

Hi Peter,

Long ago there was a set of options going under the name of
ArchiveBlockMaxXXX. They were really intended to keep the engine safe
from loops and abuse, but in the end they did more or less what you ask.

The options were dropped because they gave us a lot of headaches with
complaints and FP reports (you can still google "oversized.zip" and
enjoy the flames).
Before dropping the said options a poll was conducted on this very board
and the general consensus was that the option was pointless and to be
dropped.

Long story short, we understand exactly the scenario you describe and
the question you raise. However it's very unlikely that such a feature
is going to be added in the future.

Cheers,
--aCaB


linux at thehobsons

Nov 9, 2011, 12:42 PM

Post #8 of 11 (895 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

Per Jessen wrote:

>The OP started by saying "there are ways to limit the level of archive
>that will be scanned as well as the size of the entities to be
>scanned", which are performance optimizing options one can use if
>desired. To which I commented that it's not about a message that can't
>be scanned, but whether your limits allow it to be scanned. Remove the
>limits, and everything is scanned (presumably only limited by hardware
>resources).

Well of course there have to be limits somewhere, and I recall one
issue is malevolent attachments designed specifically to crash
extractors.
A second issue I recall from the past is the sending of password
protected archives - the scanner is unable to check it, but of course
a user taken in by the message may well open it. So that's a separate
consideration - whether to allow password protected archives or to
reject them.

>Nonetheless, it is actually an interesting question - should/does clamav
>return "not-scanned-due-to-user-restriction" in such cases?

I guess that's the key question, and is it possible to set the
reported result to "reject" in that case ?
--
Simon Hobson



edwintorok at gmail

Nov 9, 2011, 1:44 PM

Post #9 of 11 (896 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

On 11/09/2011 10:42 PM, Simon Hobson wrote:
> Per Jessen wrote:
>
>> The OP started by saying "there are ways to limit the level of archive
>> that will be scanned as well as the size of the entities to be
>> scanned", which are performance optimizing options one can use if
>> desired. To which I commented that it's not about a message that can't
>> be scanned, but whether your limits allow it to be scanned. Remove the
>> limits, and everything is scanned (presumably only limited by hardware
>> resources).
>
> Well of course there have to be limits somewhere, and I recall one issue is malevolent attachments designed specifically to crash extractors.
> A second issue I recall from the past is the sending of password protected archives - the scanner is unable to check it, but of course a user taken in by the message may well open it. So that's a
> separate consideration - whether to allow password protected archives or to reject them.

There is BlockEncrypted for that purpose.


Best regards,
--Edwin
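Simon's password-protected archive case and Edwin's BlockEncrypted answer can also be handled before the attachment reaches clamd. What follows is an added example written for this thread, not ClamAV code: an MTA-side archive policy check that returns one verdict for each "unscannable" condition the thread mentions (an encrypted entry, nesting deeper than a recursion limit, more inflated bytes than a size budget, or an archive that does not parse), so a milter can reject or tempfail instead of accepting. MAX_DEPTH and MAX_BYTES are assumed policy values, the encryption test reads general-purpose flag bit 0 from the central directory, and the sample archives are constructed in the file itself by make_zip()/mark_encrypted(); there is no real password-protected payload.

```python
"""
MTA-side archive policy check (added example, not ClamAV code).
Classifies a zip attachment as clean or as one of the conditions this
thread calls "unscannable", so the MTA can refuse it instead of
accepting something the scanner could not look into.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory header signature
FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0 (PKWARE APPNOTE)
MAX_DEPTH = 3                  # assumed nesting limit (compare clamd MaxRecursion)
MAX_BYTES = 1 << 20            # assumed inflate budget (compare clamd MaxScanSize)


def inspect(data, depth=0, budget=MAX_BYTES):
    """Return 'clean', 'encrypted', 'too_deep', 'too_big' or 'badformat'.

    Any result but 'clean' means the content could not be fully examined
    and the MTA should reject or tempfail rather than accept.  Encryption
    is read from the central-directory flag, so no entry is inflated to
    discover it.  Nested zips are walked with the remaining byte budget,
    so a nesting bomb stops once MAX_BYTES have been inflated."""
    if depth > MAX_DEPTH:
        return "too_deep"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "badformat"
    with zf:
        for zi in zf.infolist():
            if zi.flag_bits & FLAG_ENCRYPTED:
                return "encrypted"
            if zi.is_dir():
                continue
            with zf.open(zi) as fh:
                body = fh.read(budget + 1)   # never inflate past the budget
            budget -= len(body)
            if budget < 0:
                return "too_big"
            if body[:4] == LOCAL_SIG:        # nested archive: recurse
                verdict = inspect(body, depth + 1, budget)
                if verdict != "clean":
                    return verdict
    return "clean"


def make_zip(entries):
    """Construct a stored (uncompressed) zip from {name: bytes} (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag in every local and central header of a
    constructed zip.  Only the flag is set; the data stays in clear, which
    is enough to exercise the detector (and, like a real password-protected
    archive, makes zipfile refuse to read the entry).  It searches the raw
    signatures, so use it only on samples whose entry data does not itself
    contain a zip header."""
    out = bytearray(zip_bytes)
    for sig, flag_off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = out.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", out, pos + flag_off)[0]
            struct.pack_into("<H", out, pos + flag_off, flags | FLAG_ENCRYPTED)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


def nest(data, levels):
    """Wrap `data` in `levels` zip layers (constructed nesting sample)."""
    for i in range(levels):
        data = make_zip({"level%d.zip" % i: data})
    return data
```

The verdicts line up with the Unscanned.* names Edwin's patch later in the thread attaches inside the engine; doing the check here instead keeps the engine's defaults untouched and keeps the policy where Per argues it belongs, in the MTA.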


jimlinux at commspeed

Nov 10, 2011, 11:02 AM

Post #10 of 11 (898 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

On 11/09/2011 02:44 PM, Török Edwin wrote:
[snip]
>>
>> Well of course there have to be limits somewhere, and I recall one issue is malevolent attachments designed specifically to crash extractors.
>> A second issue I recall from the past is the sending of password protected archives - the scanner is unable to check it, but of course a user taken in by the message may well open it. So that's a
>> separate consideration - whether to allow password protected archives or to reject them.
> There is BlockEncrypted for that purpose.
>
>
> Best regards,
> --Edwin
Now the question is, is there a BlockUnscanned (due to whatever reason)
or should this be a feature request submitted by the OP?

--
Jim Preston




edwintorok at gmail

Nov 10, 2011, 11:16 AM

Post #11 of 11 (902 views)
Re: How can I have clamd reject items that can't be scanned? [In reply to]

On 11/10/2011 09:02 PM, Jim Preston wrote:
> On 11/09/2011 02:44 PM, Török Edwin wrote:
> [snip]
>>>
>>> Well of course there have to be limits somewhere, and I recall one issue is malevolent attachments designed specifically to crash extractors.
>>> A second issue I recall from the past is the sending of password protected archives - the scanner is unable to check it, but of course a user taken in by the message may well open it. So that's a
>>> separate consideration - whether to allow password protected archives or to reject them.
>> There is BlockEncrypted for that purpose.
>>
>>
>> Best regards,
>> --Edwin
> Now the question is, is there a BlockUnscanned (due to whatever reason) or should this be a feature request submitted by the OP?
>

There isn't. There used to be the Oversized.Zip/Rar detections, but see aCaB's reply.

I don't think we want Oversized.* detections back in the official release at this time (too many FP reports),
but give this patch a try (untested):

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 93cdc71..882d528 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -2122,6 +2122,11 @@ static void emax_reached(cli_ctx *ctx) {
}


+static int limit(cli_ctx *ctx, const char *name)
+{
+ *ctx->virname = name;
+ return cli_found_possibly_unwanted(ctx);
+}

static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)
{
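Review bot: the new limit() helper documents neither its contract nor its return value, although the caller is expected to return whatever it yields. Add a comment above it stating that it stores `name` as the detection name in `*ctx->virname`, hands the decision to `cli_found_possibly_unwanted(ctx)` (that is, the name is reported as a heuristic rather than a hard virus hit), and that its return value is the scan result the caller must propagate. A more specific name than the bare `limit`, such as `report_limit_hit`, would also make the four call sites in the next hunk self-explanatory.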
@@ -2582,9 +2587,13 @@ static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)

switch(ret) {
case CL_EFORMAT:
+ ret_from_magicscan(limit(ctx, "Unscanned.Badformat"));
case CL_EMAXREC:
+ ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxRec"));
case CL_EMAXSIZE:
+ ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxSize"));
case CL_EMAXFILES:
+ ret_from_magicscan(limit(ctx, "Unscanned.Oversized.MaxFiles"));
cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(ret));
case CL_CLEAN:
perf_start(ctx, PERFT_CACHE);
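Review bot: the four `ret_from_magicscan(limit(ctx, ...))` lines only do what is intended if `ret_from_magicscan` returns from magic_scandesc; if it evaluates to a value instead, CL_EFORMAT falls through into the CL_EMAXREC case and is reported as `Unscanned.Oversized.MaxRec`, and so on down the ladder, so the reliance on a returning macro deserves a comment at the first new line. Assuming it does return, the existing `cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(ret));` at the end of the ladder is no longer reached for any of the four limit errors, so the debug trace of which limit was hit is lost; move that cli_dbgmsg above the new lines or log from inside limit(). The early return also means these cases no longer fall into `case CL_CLEAN:` and its `perf_start(ctx, PERFT_CACHE)` cache bookkeeping, which may be the right thing for a heuristic hit but should be stated explicitly.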

Best regards,
--Edwin