Attachment in Archive - ORF Forums


1

(How) is it possible to filter unwanted attachments (like MP3....) in ZIP/RAR Archive?

by Uwe Kortkamp 8 years ago
2

The attachment filtering of ORF does not support scanning inside attached archives, but if you have a command line tool (e.g. anti-virus product) which supports scanning inside archives, you can achieve this by creating an External Agent:

Information on External Agents: http://blog.vamsoft.com/?p=113
Creating External Agent definitions: http://blog.vamsoft.com/?p=115
Testing: http://blog.vamsoft.com/?p=118

by Krisztian Fekete (ORF Team) 8 years ago
3

Hello and thanks for your reply. That was not the answer I would like to hear :-)

Correct me... but the external agent obtains the whole message (incl. mime-part) as parameter?
So it's necessary to:

1. decode the mail to get the attachment(s)
2. extract zip attachment
3. look at each individual file to find out if it is an unwanted attachment!?

Is it possible to only get the attachments for the external agents?

My AV-Scanner (NOD32) can scan within Archives via /ARCH+ option...
BUT - I don't know if it will find a virus in a base64 encoded .EML file?

And... how could that help me to block unwanted attachments in (zip/rar) archives?

Thanks in advance

by Uwe Kortkamp 8 years ago
4

@Uwe Kortkamp: The External Agent test is performed on a temporary copy of the email (.eml file) which ORF creates in the path you specified under Configuration / Filtering - On Arrival / External Agents. Once the scan is finished and the agent has the result (i.e., the exit code returned by the command line executable), the file is deleted automatically.

Unfortunately, it is not possible to extract the attached files individually from the incoming emails, but usually that is not a problem, since the command line scanners (like NOD32) are capable of scanning inside archives (so it should find the virus (or any other files) in the .eml file, even if it is in the attached archive).

I assume it is possible to configure the command line scanner to return a hit on certain file types (or even better: MIME types) as well, so you could achieve your original goal (detect mp3 files inside archives attached to incoming emails). Unfortunately, I am not familiar with the capabilities of the NOD32 command line scanner, so I suggest consulting the documentation regarding this :)

by Krisztian Fekete 8 years ago
(in reply to this post)
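
The three steps listed in the thread (decode the .eml, open the ZIP attachment, check each member name) as a stand-alone script that could be wrapped as an External Agent. This is an added example, not code from the ORF Team or from either poster; the blocked-extension list, the nesting and size limits, and the 0/1 exit codes are assumptions to be matched to your own agent definition, and only ZIP is handled because Python's standard library has no RAR reader.

```python
import email, io, sys, zipfile
from email import policy

BLOCKED_EXT = (".mp3",)               # assumption: extensions to reject
MAX_DEPTH = 3                         # assumption: how deep to follow nested ZIPs
MAX_NESTED_BYTES = 20 * 1024 * 1024   # assumption: size cap before unpacking an inner ZIP

def blocked_in_zip(data, depth=0):
    """Return blocked member names found in a ZIP, following nested ZIPs."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith(BLOCKED_EXT):
                    hits.append(info.filename)
                elif (name.endswith(".zip") and depth < MAX_DEPTH
                      and info.file_size <= MAX_NESTED_BYTES
                      and not info.flag_bits & 0x1):  # skip encrypted members
                    hits += blocked_in_zip(zf.read(info), depth + 1)
    except (zipfile.BadZipFile, NotImplementedError):
        pass  # unreadable archive: keep whatever was found so far
    return hits

def scan_eml(raw_bytes):
    """Decode every MIME part and inspect those that are ZIP archives."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes the base64/quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":  # ZIP local-file-header magic
            hits += blocked_in_zip(payload)
    return hits

if __name__ == "__main__":
    # argv[1]: path of the temporary .eml copy handed to the agent
    with open(sys.argv[1], "rb") as fh:
        found = scan_eml(fh.read())
    sys.exit(1 if found else 0)  # assumption: 1 = hit, 0 = clean
```

Archives are recognised by their content rather than by the attachment's file name or declared MIME type, so a renamed ZIP is still inspected. Member names inside a password-protected ZIP remain readable, but an encrypted inner archive is not opened.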
