Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

 Post subject: Amavisd not blocking sanesecurity hits
Unread postPosted: Fri Sep 02, 2016 2:41 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
My testing to destruction of amavisd continues, and today I found something interesting which I thought I'd share.

I'd noticed that messages with certain attachments were being passed as CLEAN, even though clamav was detecting something bad in them via the sanesecurity rules (e.g. a document with an evil macro).

It turns out that by default, certain types of badness are not blocked outright by amavisd-new, and are instead passed on to be dealt with as spam by spamassassin.

This behaviour is controlled by the amavisd @virus_name_to_spam_score_maps setting. (There is also a policy_bank version of this.)

I'm not sure of the default setting because it appears to be hard-coded rather than being set in amavisd.conf, and the default has been updated every now and then.

But the default includes pretty much anything detected by the sanesecurity rules that are included in the Atomic clamav rules and of course the normal sanesecurity clamav rules themselves.

The end result is that with the default installation of amavisd-new, spamassassin and clamav, attachments containing booby-trapped documents and what have you get passed as clean and end up in people's mailboxes.

This is not what I want, and may not be what you want either. I'm not sure I've ever seen a sanesecurity false positive, so I want to block outright.

The way you are supposed to deal with it is, I presume, to set the resulting SA score to something significant, or to do something more sophisticated in terms of SA rules maybe.

But you can also use a very unsophisticated approach, which is to just add the following to amavisd.conf

@virus_name_to_spam_score_maps = ();

This overrides the default mapping and causes any message that triggers any clamav rule to be blocked outright.

I dare say there's more to this than meets the eye, and this complete override may be undesirable in some way, presumably relating to potential false positives.

If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
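The following amavisd.conf fragment is an added example, not part of the post above and not amavisd-new's shipped default. It shows the three ways of handling the mapping the post describes: a permissive map of the kind that hands Sanesecurity hits to SpamAssassin, the poster's blunt override, and a middle ground, plus the policy-bank form. The signature-name patterns, the score values, and the bank name MYNETS are assumptions for illustration; check the names your own ClamAV/Sanesecurity signatures actually report (typically visible in the amavis log line for the hit) before relying on any pattern.

```perl
# Added example for amavisd.conf (Perl syntax). Not the shipped default.
#
# @virus_name_to_spam_score_maps is a first-match-wins list. When a scanner
# hit's name matches an entry with a numeric value, amavisd does NOT treat
# the message as infected; the value is added to the SpamAssassin score and
# the message continues through the spam path. An entry mapping to undef,
# or no match at all, keeps the hit as an infection (blocked/quarantined as
# a virus). Signature-name patterns below are assumptions for illustration.

# 1) Permissive shape, illustrating the behaviour the post describes:
#    most Sanesecurity hits become a tiny score bump and can reach the inbox.
#    (Commented out so only one assignment is active in this file.)
# @virus_name_to_spam_score_maps = (new_RE(
#   [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],  # still infected
#   [ qr'^Sanesecurity\.'                         => 0.1   ],  # handed to SA
#   [ qr'^Sanesecurity_spam\.'                    => 0.1   ],
# ));

# 2) The override from the post: an empty map means every lookup returns
#    undef, so every ClamAV hit is treated as an infection and blocked.
@virus_name_to_spam_score_maps = ();

# 3) Middle ground: let pure spam/scam signatures stay on the spam path with
#    a heavy score (so SA whitelisting and per-recipient spam thresholds
#    still apply), while anything not listed here, e.g. macro or malware
#    signatures, falls through to undef and is blocked as infected.
# @virus_name_to_spam_score_maps = (new_RE(
#   [ qr'^Sanesecurity\.(Spam|Junk|Scam)' => 10 ],   # assumed names, assumed score
#   [ qr'^Sanesecurity_spam\.'            => 10 ],
# ));

# Policy-bank variant: the same override limited to one bank. Inside a
# policy bank the key loses its sigil and the list is given as an array ref.
# The bank name MYNETS is an assumption; use whatever bank you load for the
# traffic you want to affect.
$policy_bank{'MYNETS'} = {
  virus_name_to_spam_score_maps => [],   # block every scanner hit in this bank
};
```

Only one of the three global assignments should be active at a time; the later assignment in the file wins, so uncomment the variant you want and comment out the rest. After editing, reload amavisd (`amavisd reload`) and confirm the change by watching the amavis log for a known Sanesecurity hit: with variant 2 or 3 it should be logged and handled as an infection rather than as a spam-score contribution.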
