During disassembly, the email message or Web data is broken down recursively into its component parts. These components may represent an archive, an encoding or a compression, in which case MIMEsweeper further processes the component. For example, if the component represents an archive, such as a TAR file, MIMEsweeper will extract and process each file until it is recognised as a raw data type. Examples of raw data are text files, bitmaps, binary files and application executables.
MIMEsweeper uses container handlers to perform recursive disassembly. Container handlers are able to recognise most common data types that may appear in the message or Web data and perform the necessary disassembly of each.
Recursive disassembly ensures that all the data is validated, even if the information is compressed, encoded, nested, or incorporates a variety of these techniques.
For example, a message containing a PKZIP attachment is in fact files contained within a PKZIP container which itself is contained within a message container. MIMEsweeper's recursive disassembly will separate the PKZIP container from the message container and then the files from the PKZIP container. The files themselves can also be containers which will be recursively extracted for validation. For a complete list of the file formats that MIMEsweeper supports see page 7-70.
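The recursive disassembly described above, as an added illustration that is not MIMEsweeper's own code: a few magic-byte signatures stand in for the container handlers, each leaf is given the ContainerClass this page assigns to its handler, and the recursion is bounded by an assumed nesting-depth cap and an assumed decompression-ratio cap so that a deeply nested or highly compressed archive is rejected rather than expanded without limit. The sample message body is constructed in the block.

```python
import gzip
import io
import zipfile
# Signatures stand in for the [Packaging] handlers; the third field is the ContainerClass this page
# assigns to each. Like the handlers, they are tried in order. The limits are assumptions, not product settings.
SIGNATURES = [
    (b"PK\x03\x04", "ZIPArchive", "Container"),
    (b"\x1f\x8b", "GZIP", "Container"),
    (b"%PDF-", "PDF", "InertDocument"),
    (b"MZ", "EXE", "Executable"),
]
PRINTABLE = set(range(32, 127)) | {9, 10, 13}   # approximates the PlainText CHARSET
MAX_DEPTH, MAX_RATIO = 8, 100   # nesting depth cap; decompressed:compressed size cap

def classify(data):
    """Return (ContainerName, ContainerClass) as the handlers would assign them."""
    for magic, name, cls in SIGNATURES:
        if data.startswith(magic):
            return name, cls
    return ("PlainText", "Text") if all(b in PRINTABLE for b in data) else ("Binary", "Binary")

def disassemble(data, path="message", depth=0):
    """Yield (path, ContainerName, ContainerClass) for every component, recursing into containers."""
    name, cls = classify(data)
    yield path, name, cls
    if cls != "Container":
        return                       # raw data type reached
    if depth >= MAX_DEPTH:
        raise ValueError(f"{path}: nested deeper than {MAX_DEPTH} levels")
    if name == "ZIPArchive":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                    raise ValueError(f"{path}/{info.filename}: expansion ratio above {MAX_RATIO}")
                yield from disassemble(zf.read(info), f"{path}/{info.filename}", depth + 1)
    elif name == "GZIP":
        limit = MAX_RATIO * len(data)
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(limit + 1)   # one byte past the limit reveals an oversized stream
        if len(inner) > limit:
            raise ValueError(f"{path}: expansion ratio above {MAX_RATIO}")
        yield from disassemble(inner, f"{path}/gunzip", depth + 1)

def build_sample():
    """Constructed message body: a ZIP holding a text file, a gzipped PDF and an EXE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Quarterly figures attached.\r\n")
        zf.writestr("report.pdf.gz", gzip.compress(b"%PDF-1.4\n%constructed sample\n"))
        zf.writestr("setup.exe", b"MZ\x90\x00" + bytes(16))
    return buf.getvalue()
```

Running `list(disassemble(build_sample()))` yields five components: the ZIP itself, the text file, the GZIP container, the PDF inside it and the executable, each with its ContainerName and ContainerClass.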
Details on the container handlers MIMEsweeper uses are found in the [Packaging] configuration section. For MAILsweeper this is found in the packaging configuration file, PACKAGE.CFG. For WEBsweeper it is found in the http and ftp configuration files, HTTP.CFG and FTP.CFG.
There is a directive listed in the [Packaging] section for each container handler. The name of the directive is the container handler and the value is the name of the dynamic link library (.DLL).
[Packaging]
ZIPArchive=ZIPWNT
TNEF=TNEWNT
TAR=TARWNT
CMP=CMPWNT
GZIP=GZPWNT
LZH=LZHWNT
IMAGE=IMGWNT
PDF=PDFWNT
JAVA=JAVAWNT
CDA=CDAWNT
Cabinet=CABWNT
MIM=MIME
UUEncode=UUEWNT
ARJ=ARJWNT
EXE=CAHEXE
BinHeX=BHXWNT
PGP=PGPWNT
PlainText=CAHCHSET
Binary=CAHCHSET
Note: The order of analysis is strictly controlled by the ordering of container handlers in the [Packaging] section. DO NOT change this ordering without assistance from technical support.
Note: The name of most of the container handlers can also be used as valid ContainerName values. Exceptions are MIME, IMGWNT and CAHEXE.
The directives used to configure a container handler depend on its type. Most of the container handlers require no directives. It is recommended, however, that one directive, ContainerClass, is always included in the configuration section.
[GZIP]
ContainerClass=Container
Note: See the next page for details on the ContainerClass directive.
The value of the ContainerClass directive is set by the container handlers during recursive disassembly, according to the value specified in the configuration section for each container handler.
For example (using the example on page 7-57):
[MIM]
ContainerClass=Container
[PDF]
ContainerClass=InertDocument
[EXE]
ContainerClass=Executable
[Image]
ContainerClass=Image
[PlainText]
ContainerClass=Text
Components handled by the MIM container handler are allocated a ContainerClass value of Container. Components handled by the PDF container handler are allocated a ContainerClass value of InertDocument. Components handled by the EXE container handler are allocated a ContainerClass value of Executable. Components handled by the Image container handler are allocated a ContainerClass value of Image. Components handled by the PlainText container handler are allocated a ContainerClass value of Text.
The ContainerClass directive can be used with the PerformIf and SkipIf directives to control validation for particular data types. This can be useful for limiting validation to only those data types that are relevant to a particular validator instance.
For example, virus scanning needs only to be performed on executables, text, documents and binaries. All other data types, such as images and containers, can be ignored. This can be achieved by including several PerformIf directives in the configuration section for each validator instance that performs virus scanning.
Each PerformIf directive listed will check the value of the ContainerClass attribute attached to the component being validated. Validation is only performed if the component holds data of the type specified by one of the ContainerClass attribute expressions.
In VALIDATE.CFG (or in HTTP.CFG/FTP.CFG for WEBsweeper):
[Validation]
F-PROT=VALEXE
[F-PROT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
ExeName=C:\F-PROT\F-PROT.EXE
...
255=UNKNOWN
This example will only perform validation of executable, document, text or binary files.
Alternatively, the ContainerClass attribute can be used to control validation by skipping validation of any component holding a certain type of data.
For example, virus scanning need not be performed on containers or images. This can be achieved by including SkipIf directives in the configuration section for each validator instance that performs virus scanning.
Each SkipIf directive will check the value of the ContainerClass attribute attached to the component being validated. Validation is skipped if the component holds data of the type specified by one of the ContainerClass attribute expressions.
In VALIDATE.CFG (or in HTTP.CFG/FTP.CFG for WEBsweeper):
[Validation]
F-PROT=VALEXE
[F-PROT]
SkipIf=ContainerClass==Container
SkipIf=ContainerClass==Image
ExeName=C:\F-PROT\F-PROT.EXE
...
255=UNKNOWN
This example will skip validation of containers and images.
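An added evaluator (not the product's code) for the PerformIf and SkipIf examples above, fed the two [F-PROT] sections exactly as this page shows them, reduced to the directives it reads. It makes a point worth checking in any deployment: expressions match exactly, so the PerformIf list, which names Document, never selects a component whose class is InertDocument (the class the PDF handler assigns), while the SkipIf form does scan it. The rule for a section containing both directive kinds is an assumption; the page only shows them separately.

```python
import re
# Both sections are the page's own examples, reduced to the directives this code reads.
PERFORM_CFG = """
[F-PROT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
"""
SKIP_CFG = """
[F-PROT]
SkipIf=ContainerClass==Container
SkipIf=ContainerClass==Image
"""
EXPR = re.compile(r"^(\w+)==(\w+)$")   # the attribute==value form shown on the page

def parse_sections(text):
    """INI-style text -> {section: [(directive, value), ...]}, keeping repeated directives in order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def expression_matches(expr, attrs):
    """Evaluate one attribute==value expression against the component's attributes (exact match)."""
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    return attrs.get(m.group(1)) == m.group(2)

def should_validate(section, attrs):
    """Assumed rule: a matching SkipIf suppresses validation; if PerformIf lines exist, one must match."""
    skips = [v for k, v in section if k.lower() == "skipif"]
    performs = [v for k, v in section if k.lower() == "performif"]
    if any(expression_matches(e, attrs) for e in skips):
        return False
    return not performs or any(expression_matches(e, attrs) for e in performs)

def scanned_classes(config, classes):
    """Which ContainerClass values the F-PROT instance in this config would actually scan."""
    section = parse_sections(config)["F-PROT"]
    return [c for c in classes if should_validate(section, {"ContainerClass": c})]

# ContainerClass values assigned by the handlers described on this page.
CLASSES = ["Container", "Image", "Executable", "Document", "InertDocument", "Text", "Binary"]
```

Comparing `scanned_classes(PERFORM_CFG, CLASSES)` with `scanned_classes(SKIP_CFG, CLASSES)` shows the two forms agree on every class except InertDocument.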
The MIME container handler reads the MIME headers of the encapsulated data to determine whether any specific processing is required, for example whether the data is Base64 encoded.
[MIM]
ContainerClass=Container
For WEBsweeper this section requires the RfcHeaders directive:
[MIM]
ContainerClass=Container
RfcHeaders=HTTP
Note: By default, the value of the RfcHeaders directive is SMTP.
The CABWNT container handler recognises and decodes cabinet files.
[Cabinet]
ContainerClass=Container
The UUEWNT container handler recognises and decodes UUEncoded data.
[UUEncode]
ContainerClass=Container
The BHXWNT container handler recognises and decodes BinHex version 4 encoded data.
[BinHex]
ContainerClass=Container
The ZIPWNT container handler recognises and disassembles ZIP and self-extracting ZIP files.
[ZIParchive]
ContainerClass=Container
The TARWNT container handler recognises and decodes TAR archives.
[TAR]
ContainerClass=Container
The CMPWNT container handler recognises and decodes files compressed by the Unix utility compress.
[CMP]
ContainerClass=Container
The IMGWNT container handler recognises image files, including GIF, TIFF, JPEG, BMP and AVI.
[IMAGE]
Note: Image files can subsequently be blocked by using a configured VALATTR instance to check the value of the ContainerName attribute. See page 7-81 for more details on VALATTR.
[CDA]
ContainerClass=Document
The more common attributes that CDAWNT sets are:
1 Different Word versions will set different strings.
The GZPWNT container handler recognises and decodes GZIP files.
[GZIP]
ContainerClass=Container
The PDFWNT container handler recognises and decodes PDF (portable document format) files.
[PDF]
ContainerClass=InertDocument
[EXE]
ContainerClass=Executable
The CAHEXE container handler sets the ContainerName attribute on a component to the appropriate executable type, that is, DosExe, Win31, Win32Unknown, Win32Exe or Win32Dll.
Note: The ContainerName attribute can also be used at a later stage, to facilitate the blocking of messages that contain executables.
The configuration section for the CAHCHSET container handler uses one directive, called CHARSET. This directive is used to build up the character set the container handler will use.
The value of the directive can take one of the forms:
[PlainText]
ContainerClass=Text
CHARSET=\032-\126
CHARSET=\012
CHARSET=A-Z
CHARSET=a-z
CHARSET=0-9
CHARSET=\032
CHARSET=\t
CHARSET=\r
CHARSET=\n
CHARSET=\163
[Binary]
ContainerClass=Binary
CHARSET=\0-\255
The container handler configured in this example recognises binary files, that is, its character set covers the complete byte value range.
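An added parser (not MIMEsweeper's own code) for CHARSET values in the forms the two examples above use: a `\NNN` byte value, a `\t`, `\r` or `\n` escape, a literal character, or a `lo-hi` range of any of these. Repeated CHARSET lines accumulate into one set per section, and a component is assigned to the first section, in configuration order, whose set covers every byte, which is why [PlainText] must precede [Binary] as it does in [Packaging]. The page never states the number base of `\NNN`; decimal is assumed here because `\255` appears in the examples. The sample sections are constructed.

```python
import re
# Constructed [PlainText] and [Binary] sections in the form shown on this page.
SAMPLE_CFG = r"""
[PlainText]
ContainerClass=Text
CHARSET=\032-\126
CHARSET=\t
CHARSET=\r
CHARSET=\n
CHARSET=\163
[Binary]
ContainerClass=Binary
CHARSET=\0-\255
"""
ESCAPES = {"t": 9, "n": 10, "r": 13}
TOKEN = r"\\\d{1,3}|\\[tnr]|."   # \NNN, a named escape, or a literal character
RANGE = re.compile(rf"^({TOKEN})(?:-({TOKEN}))?$")

def char_value(token):
    # \NNN is read as decimal: an assumption, since \255 in the page's examples rules out octal
    if token.startswith("\\"):
        body = token[1:]
        return ESCAPES[body] if body in ESCAPES else int(body)
    return ord(token)

def charset_range(value):
    """Expand one CHARSET value (a single character or a lo-hi range) into the byte values it covers."""
    m = RANGE.match(value)
    if not m:
        raise ValueError(f"bad CHARSET value: {value}")
    lo = char_value(m.group(1))
    hi = char_value(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad CHARSET range: {value}")
    return set(range(lo, hi + 1))

def load_charsets(text):
    """Return {section: allowed byte values}, accumulating repeated CHARSET lines in configuration order."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = set()
        elif current and line.upper().startswith("CHARSET="):
            result[current] |= charset_range(line.split("=", 1)[1].strip())
    return result

def classify(data, charsets):
    """Name of the first section, in configuration order, whose set covers every byte (None if none does)."""
    return next((name for name, allowed in charsets.items() if all(b in allowed for b in data)), None)
```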
The TNEWNT container handler recognises and decodes Transport Neutral Encapsulation Format data.
[TNEF]
ContainerClass=Container
TNEF is used by Microsoft Exchange to encapsulate MAPI properties not supported by an intermediate mail system.
The ARJWNT container handler recognises and decodes ARJ archives.
[ARJ]
ContainerClass=Container
The LZHWNT container handler recognises and decodes LZH and LHA archives.
[LZH]
ContainerClass=Container
[PGP]
ContainerClass=Container
Note: This container handler is capable of extracting items from ASCII signed files; however, it is unable to extract data from binary or encrypted PGP files.
[JAVA]
ContainerClass=Container
A list of the file formats supported by MIMEsweeper is given below. See the [Packaging] section, on page 7-57, for further details on how these formats are recognised.
MIMEsweeper identifies the following file formats:
MIMEsweeper identifies and disassembles the following file formats:
MIMEsweeper identifies the following file formats and extracts the streams within:
WEBsweeper identifies the following file formats and extracts the streams within:
Note: The anti-virus tools used with MIMEsweeper may support additional file formats to those listed.
Copyright © 1998, Content Technologies Limited. All rights reserved.