[Avcheck] DrWeb and 42.zip

Michael Tokarev mjt@tls.msk.ru
Wed, 13 Feb 2002 03:19:45 +0300


Martin Jaggi wrote:
> 
> I've set up a box with avcheck 0.7 and DrWeb. Works fine so far.
> 
> During testing, I sent a mail with 42.zip. DrWeb scans the mail, but then
> terminates with a Timeout Error after the 900 secs I set according to
> readme.drweb.
> The mail isn't bounced, it is still in the queue with:
> 
> temporary failure. Command output: avcheck: unexpected DrWeb return code
> 16896 (0x4200) )
> 
> How do you configure your system to handle a DoS with 42.zip ?

Handling DoSes isn't in fact trivial, even ones as simple as
this.  DrWeb has protection against such things; it should work.
Protection is simple in this case -- a timeout, max compression
ratio and max size (all those parameters can be tuned in drweb32.ini,
see doc/drweb-ini file).  Postfix also has timeout protection --
if a command isn't finished after some time, it will be terminated
and the mail will be bounced (xxx_command_time_limit parameter).
The -t option in avcheck, as it seems, is more like anti-protection:
if used, avcheck will exit with a temp error instead of with a bounce.
In fact, mentioning this option in readme.drweb isn't quite right,
because it is an option useful mostly for avp (when avp crashes it
may not answer at all, and in this case the mail should be retried).

I uploaded avcheck-0.8 yesterday (I had no time to announce it).
It includes some changes especially for drweb in order to recognize
such mailbombs in a reasonable way (it handles TOO_COMPRESSED,
TOO_BIG and TIMEOUT DrWeb's responses by calling `infected' handler
with "message is too complex, probably mailbomb" message).

I'd suggest you play with DrWeb's MaxCompressionRatio setting,
and use avcheck-0.8.  The most difficult part here is to figure
out what value to use for this parameter.  For 42.zip, 1000 should
be ok.  I use 500 (400 did not work when there was a "happy new
year" "flood" with attached pictures -- sometimes folks use .bmp,
which compresses hugely).  Also, the FileTimeout setting is of help here,
but again, it's very machine/load/etc-dependent: when you have 10
virusscanners running in parallel on a slow machine, mail may be
bounced without a real reason.

Regards,
 Michael.
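The two controls discussed in the message above (a maximum compression ratio and a maximum expanded size) are what stop a nested archive like 42.zip from exhausting the scanner. The following is an added, self-contained illustration of how such a check can be implemented; it is example code written for this page, not part of avcheck, DrWeb or the thread. The function and parameter names (`scan_zip`, `max_ratio`, `max_total`, `max_depth`) are hypothetical, the verdict strings TOO_COMPRESSED and TOO_BIG only mirror the DrWeb response names the mail quotes, TOO_DEEP is an extra verdict invented here, and the "bomb" it scans is a miniature two-level archive constructed inline (a few copies of a zip holding 1 MiB of zeros), not the real 42.zip.

```python
import io
import random
import zipfile

# Verdicts.  TOO_COMPRESSED and TOO_BIG mirror the DrWeb responses the mail
# says avcheck-0.8 treats as "probably mailbomb"; TOO_DEEP is a hypothetical
# extra verdict added for this example (not a DrWeb response named on the page).
CLEAN = "CLEAN"
TOO_COMPRESSED = "TOO_COMPRESSED"
TOO_BIG = "TOO_BIG"
TOO_DEEP = "TOO_DEEP"

ZIP_LOCAL_MAGIC = b"PK\x03\x04"


def _read_limited(fh, budget, chunk=64 * 1024):
    """Inflate from fh in chunks and stop as soon as more than `budget` bytes
    have come out.  Returns (data, truncated).  Inflating incrementally is what
    keeps a lying size header or a huge member from exhausting memory."""
    buf = bytearray()
    while True:
        piece = fh.read(chunk)
        if not piece:
            return bytes(buf), False
        buf += piece
        if len(buf) > budget:
            return bytes(buf), True


def _scan(data, max_ratio, max_total, max_depth, depth, state):
    if depth > max_depth:
        return TOO_DEEP
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return CLEAN  # not an archive, so nothing to expand
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # 1. Cheap check on the ratio the central directory claims.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                return TOO_COMPRESSED
            # 2. Really inflate, charging the bytes to one global budget so
            #    many small members cannot add up to gigabytes.
            remaining = max_total - state["expanded"]
            with zf.open(info) as fh:
                member, truncated = _read_limited(fh, remaining)
            state["expanded"] += len(member)
            if truncated:
                return TOO_BIG
            # 3. Ratio measured on what actually came out, not on the header.
            if info.compress_size and len(member) / info.compress_size > max_ratio:
                return TOO_COMPRESSED
            # 4. Nested archive: recurse with the same global budget.
            if member.startswith(ZIP_LOCAL_MAGIC):
                verdict = _scan(member, max_ratio, max_total, max_depth, depth + 1, state)
                if verdict != CLEAN:
                    return verdict
    return CLEAN


def scan_zip(data, max_ratio=500, max_total=16 * 1024 * 1024, max_depth=8):
    """Scan zip bytes, returning (verdict, bytes_expanded).  max_ratio plays
    the role of a per-file MaxCompressionRatio; max_total caps the sum of
    everything inflated across all nesting levels; max_depth bounds recursion."""
    state = {"expanded": 0}
    return _scan(data, max_ratio, max_total, max_depth, 0, state), state["expanded"]


def build_nested_bomb(copies=4, payload_size=1 << 20):
    """Constructed sample, a miniature 42.zip: one zip of `payload_size` zero
    bytes, stored `copies` times in an outer zip.  The outer archive is a few
    KiB, while each inner member inflates roughly 1000:1."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * payload_size)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(copies):
            zf.writestr("lib%d.zip" % i, inner.getvalue())
    return outer.getvalue()


def build_benign_zip(size=64 * 1024):
    """Constructed sample: incompressible pseudo-random content, ratio about 1."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(size))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", blob)
    return out.getvalue()


if __name__ == "__main__":
    bomb = build_nested_bomb()
    print("ratio limit 500:        ", scan_zip(bomb, max_ratio=500))
    print("ratio 2000, total 2 MiB:", scan_zip(bomb, max_ratio=2000, max_total=2 << 20))
    print("ratio 2000, total 16 MiB:", scan_zip(bomb, max_ratio=2000, max_total=16 << 20))
    print("benign attachment:      ", scan_zip(build_benign_zip()))
```

The ratio check is applied per member, which is why a bitmap attachment that legitimately compresses several hundred to one can trip a low setting such as the 400 mentioned above; the cumulative expanded-size budget is the check that still tolerates such a file while stopping an archive whose members add up to gigabytes. The third control from the message, a wall-clock timeout (DrWeb's FileTimeout or Postfix's command time limit), is not shown here and would sit around the whole scan rather than inside it.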