Page 1 of 1

Mailscan Rules help

Posted: 10 Oct 2016, 22:08
by ptwsdev
Hi,

We have a false positive:

The virus detector said this about the message:

Report: Report: MailScanner: Attempt to hide real filename extension (tmpA99C.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA9AD.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA999.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA996.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA99B.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA997.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA998.tmp.png)

Report: MailScanner: Attempt to hide real filename extension (tmpA99A.tmp.png)


Config file: (we reloaded Mailscanner each time we changed rules)

# cat /usr/mailscanner/etc/filename.rules.conf
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/rename/rename to replacement-text/email-addresses,
# then regular expression,
# then log text,
# then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

# If a rule is a "rename" rule, then the attachment filename will be renamed
# according to the "Default Rename Pattern" setting in MailScanner.conf.
# If a rule is a "rename" rule and the "to replacement-text" is supplied, then
# the text matched by the regular expression in the 2nd field of the line
# will be replaced with the "replacement-text" string.
# For example, the rule
# rename to .ppt \.pps$ Renamed .pps to .ppt Renamed .pps to .ppt
# will find all filenames ending in ".pps" and rename them so they end in
# ".ppt" instead.

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages

# JKF 10/08/2007 Adobe Acrobat nastiness
rename \.fdf$ Dangerous Adobe Acrobat data-file Opening this file can cause auto-loading of any file from the internet

# JKF 04/01/2005 More Microsoft security vulnerabilities
deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
#deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows

# These 4 are well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus

# JKF 08/07/2005 Several virus scanners may miss this one
deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow \.xml\d*\.rel$ - -
allow \.x\d+\.rel$ - -
allow \.rtf$ - -

# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sig$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -
# Backup files
allow \.bak$ - -
# And TeX and LaTeX are harmless AFAIK
allow \.tex$ - -

# These are known to be dangerous in almost all cases.
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articl ... secFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
# Removed ".mat" from next line as widely used by Matlab
deny \.ma[dfgmqrsvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email

# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
#deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260


# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora

# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it

# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -

# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -
allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -

# Teste ficheiros tmp
allow \.tmp\.pdf
allow \.tmp\.png

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension:

Re: Mailscan Rules help

Posted: 14 Oct 2016, 00:50
by ptwsdev
Can you please help? The rules we added are at the bottom, but it keeps blocking the files:

# Teste ficheiros tmp
allow \.tmp\.pdf
allow \.tmp\.png