[svlug] Integrated Linux Virus Scanners

John Conover conover at rahul.net
Tue Aug 19 10:36:17 PDT 2003


Yes:

    #
    # List of Microsoft file name extensions that are potentially
    # malicious executables:
    #
    ext='(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|c(an|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|\
	  d(at|e?b|ll|o[ct])|e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
	  j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
	  p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|r(a[mr]|eg|pm|tf)|\
	  s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
	  w(av|m[szd]|p(d|[0-9]?)|s[cfh])|x(al|[pb]m|l[stw])|z(ip|oo))'
    #
    # End of Line, (used in conditions with variable substitution):
    #
    eol='$'
    #
    # Double quote:
    #
    dq='"'
    #
    # Folded whitespace, (the characters between the block braces are a
    # tab character, hex 09, followed by a space character, hex 20):
    #
    ws='[	 ]*($[	 ]+)*'
    #
    # Check message headers, (each condition is weighted 2147483647^0,
    # the maximum score, so any single match flags the message):
    #
    :0
    * 2147483647^0 $ ^content-type:${ws}(multipart/(mixed|alternative|application|signed|encrypted))|(application/)
    * 2147483647^0 $ ^content-disposition:${ws}attachment;${ws}.*name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
    * 2147483647^0 $ ^content-transfer-encoding:${ws}base64
    { MALICIOUS=true }
    #
    # If that fails, check message body, (weighted scoring: start at -3,
    # each matching condition adds its weight once, and the message is
    # flagged when the total is positive, i.e., one 4-point hit or two
    # 2-point hits):
    #
    :0 BE
    * -3^0
    * 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
    * 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}${eol}
    * 4^0 $ ^content-type:${ws}application/
    * 4^0 $ ^content-transfer-encoding:${ws}base64
    * 2^0 [<](!doctype|[sp]?h(tml|ead)|title|body)
    * 2^0 [<](app|bgsound|div|embed|form|i?l(ayer|ink)|img|i?frame(set)?|meta|object|s(cript|tyle))
    * 2^0 =3d
    { MALICIOUS=true }

then:

    :0
    * MALICIOUS ?? true
    {
        # Whatever you want to do with it, however you want to handle it.
    }

	John

BTW, the "ws='[	 ]*($[	 ]+)*'" thing lets procmail's regex span lines.

Paul Cubbage writes:
> Walt Reed wrote:
> > On Tue, Aug 19, 2003 at 10:26:31AM -0400, William R. Lorenz said:
> > 
> >>I understand there's also the option of using procmail to strip out
> >>attachments on a global basis using an /etc/procmailrc or similar
> 
> Does that mean all attachments or can it be set up to filter by 
> type/source whatever?
> 
-- 

John Conover, conover at rahul.net, http://www.rahul.net/~conover
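The two recipes in the post, re-expressed in Python as an added example (not part of John's post or of procmail itself) so the header OR and the body scoring can be exercised on sample mail; the regexes are copied from the recipe, while the `classify` function and the constructed messages are assumptions of this example.

```python
import re
# Added example, not from the original post: the two procmail recipes above
# re-expressed in Python so the scoring can be exercised on sample mail.
# EXT is copied verbatim; procmail matches case-insensitively and ^/$ apply
# at every line, so the same flags are used here. Constructed input only.
EXT = (r'(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|c(an|hm|il|lass|md|om|'
       r'(p[lp]|\+\+)?|rt|sv)|d(at|e?b|ll|o[ct])|e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|'
       r'(pp|\+\+)?)|i(n[cfis]|sp)|j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|'
       r'm(d[abew]|p(e?g|[32])|s[cipt])|ocx|p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|'
       r'[lm?]|n[gm]|[po][st]|p?s)|r(a[mr]|eg|pm|tf)|s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|'
       r't(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|w(av|m[szd]|p(d|[0-9]?)|s[cfh])|'
       r'x(al|[pb]m|l[stw])|z(ip|oo))')
WS = r'[\t ]*(\n[\t ]+)*'      # ${ws}: whitespace that may fold onto a continuation line
NAME = r'name' + WS + '=' + WS + '"' + r'.*\.' + EXT + r'(\..*)?"' + WS + '$'
FLAGS = re.IGNORECASE | re.MULTILINE
# Header recipe: every condition is weighted 2147483647^0, so one match is enough.
HEADER_RULES = [
    r'^content-type:' + WS + r'(multipart/(mixed|alternative|application|signed|encrypted))|(application/)',
    r'^content-disposition:' + WS + r'attachment;' + WS + r'.*' + NAME,
    r'^content-transfer-encoding:' + WS + r'base64',
]
# Body recipe: start at -3, add each weight at most once (the ^0 exponent), flag if > 0.
BODY_RULES = [
    (4, NAME),
    (4, r'begin' + WS + r'[0-9]+' + WS + r'.*\.' + EXT + r'(\..*)?' + WS + '$'),
    (4, r'^content-type:' + WS + r'application/'),
    (4, r'^content-transfer-encoding:' + WS + r'base64'),
    (2, r'[<](!doctype|[sp]?h(tml|ead)|title|body)'),
    (2, r'[<](app|bgsound|div|embed|form|i?l(ayer|ink)|img|i?frame(set)?|meta|object|s(cript|tyle))'),
    (2, r'=3d'),
]
def classify(message):
    """Return (malicious, body_score); body_score is None when the header recipe fired."""
    headers, _, body = message.partition('\n\n')   # headers-only vs. body-only, as H and B do
    if any(re.search(p, headers, FLAGS) for p in HEADER_RULES):
        return True, None
    score = -3 + sum(w for w, p in BODY_RULES if re.search(p, body, FLAGS))
    return score > 0, score

# Constructed sample messages (not real mail).
FOLDED = ('From: a@example.invalid\nContent-Type: text/plain\n'
          'Content-Disposition: attachment;\n\tfilename="invoice.pdf.exe"\n\nsee attached\n')
PLAIN = 'From: b@example.invalid\nContent-Type: text/plain\n\nSee you at 3.\n'
UUENC = 'From: c@example.invalid\nSubject: pics\n\nbegin 644 holiday.jpg.scr\nM0V%T\nend\n'
HTML1 = 'From: d@example.invalid\nContent-Type: text/html\n\n<html><body>hi</body></html>\n'
HTML2 = 'From: d@example.invalid\nContent-Type: text/html\n\n<html><body><script>x</script></body></html>\n'

if __name__ == '__main__':
    for tag, msg in dict(folded=FOLDED, plain=PLAIN, uuencode=UUENC, html=HTML1, html_script=HTML2).items():
        print(tag, classify(msg))     # folded (True, None), plain (False, -3), uuencode (True, 1), ...
```

The folded Content-Disposition header is caught only because `${ws}` lets the match cross the line break; a lone `<html>` body scores -1 and is not flagged, while adding `<script>` pushes it to +1.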