



Packaging


The packaging configuration details provide MIMEsweeper with the information it needs on how to perform recursive disassembly.

During disassembly, the email message or Web data is broken down recursively, into its component parts. These components may represent an archive, an encoding or a compression, in which case MIMEsweeper further processes the component. For example, if the component represents an archive, such as a TAR file, MIMEsweeper will extract and process each file until it is recognised as a raw data type. Examples of raw data are text files, bitmaps, binary files and application executables.

MIMEsweeper uses container handlers to perform recursive disassembly. Container handlers are able to recognise most common data types that may appear in the message or Web data and perform the necessary disassembly of each.

Recursive disassembly ensures that all the data is validated, even if the information is compressed, encoded, nested, or incorporates a variety of these techniques.

For example, a message carrying a PKZIP attachment is in fact a set of files held inside a PKZIP container, which is itself held inside a message container. MIMEsweeper's recursive disassembly first separates the PKZIP container from the message container and then extracts the files from the PKZIP container. Any of those files may themselves be containers, in which case they are extracted in turn until only raw data types remain for validation. For a complete list of the file formats that MIMEsweeper supports see page 7-70.
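The following is an added example, not code from MIMEsweeper, showing the recursive disassembly described above in working form: containers are recognised by their magic bytes rather than their file names, each container is opened and its members fed back into the same routine, and only raw data types are emitted as components, each tagged with a ContainerClass. The sample input is constructed inside the code; the nesting limit, the Component type and the simplified leaf classifier (standing in for the CAHEXE and CAHCHSET handlers) are assumptions of this example.

```python
import gzip
import io
import tarfile
import zipfile
from dataclasses import dataclass

# Assumption for this example: refuse to recurse beyond this depth so that a
# deliberately nested archive cannot keep the disassembler busy indefinitely.
MAX_DEPTH = 8


@dataclass
class Component:
    """One leaf produced by disassembly, tagged with the ContainerClass it was given."""
    path: str
    container_class: str
    data: bytes


def recognise_container(data: bytes):
    """Return the container type of data, or None if it is a raw data type.
    Recognition is by magic bytes, not file name, so a renamed archive is still opened."""
    if data[:4] == b"PK\x03\x04":
        return "ZIP"
    if data[:2] == b"\x1f\x8b":
        return "GZIP"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "TAR"
    return None


def classify_leaf(data: bytes) -> str:
    """Assign a ContainerClass to raw data (simplified stand-in for CAHEXE and CAHCHSET)."""
    if data[:2] == b"MZ":
        return "Executable"
    if data and all(32 <= b <= 126 or b in (9, 10, 12, 13) for b in data):
        return "Text"
    return "Binary"


def disassemble(data: bytes, path: str = "message", depth: int = 0):
    """Recursively break data into leaf components, opening every container on the way."""
    if depth > MAX_DEPTH:
        raise ValueError(f"container nesting deeper than {MAX_DEPTH} at {path}")
    kind = recognise_container(data)
    if kind == "ZIP":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from disassemble(zf.read(info), f"{path}/{info.filename}", depth + 1)
    elif kind == "GZIP":
        yield from disassemble(gzip.decompress(data), f"{path}/(gunzip)", depth + 1)
    elif kind == "TAR":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield from disassemble(tf.extractfile(member).read(),
                                           f"{path}/{member.name}", depth + 1)
    else:
        yield Component(path, classify_leaf(data), data)


def _zip_of(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def _tar_of(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed input: a ZIP holding a text file, a gzipped executable, a nested ZIP and a TAR."""
    nested = _zip_of([("notes.txt", b"hello\r\n"), ("blob.bin", bytes(range(256)))])
    return _zip_of([
        ("readme.txt", b"plain text\n"),
        ("tool.exe.gz", gzip.compress(b"MZ" + b"\x00" * 64)),
        ("nested.zip", nested),
        ("archive.tar", _tar_of("script.sh", b"#!/bin/sh\necho hi\n")),
    ])


def nest_zips(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` ZIP containers, one inside the other (exercises MAX_DEPTH)."""
    for _ in range(levels):
        payload = _zip_of([("inner", payload)])
    return payload


if __name__ == "__main__":
    for c in disassemble(build_sample()):
        print(f"{c.container_class:<11} {c.path}")
```

Run stand-alone, the script lists five leaf components: the gzipped executable is found even though it was compressed inside the archive, and the text and binary files inside the nested ZIP are reached through two levels of container. The depth guard is the check a practitioner would add before putting any recursive extractor in front of untrusted mail: without it, an archive nested a few hundred levels deep is enough to exhaust the scanner.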

The open architecture of MIMEsweeper allows new container handlers to be added as they become available. However, unpredictable results may be observed if the ordering of container handlers is incorrect. For this reason instructions are supplied with each one.

Details of the container handlers MIMEsweeper uses are given in the [Packaging] configuration section. For MAILsweeper this section is in the packaging configuration file, PACKAGE.CFG. For WEBsweeper it is in the HTTP and FTP configuration files, HTTP.CFG and FTP.CFG.

[Packaging] section

The [Packaging] configuration section defines the container handlers MIMEsweeper uses. The container handlers are distributed as dynamic link libraries (.DLLs) conforming to a specific protocol.

There is a directive listed in the [Packaging] section for each container handler. The name of the directive is the container handler and the value is the name of the dynamic link library (.DLL).

For example:

[Packaging]
ZIPArchive=ZIPWNT
TNEF=TNEWNT
TAR=TARWNT
CMP=CMPWNT
GZIP=GZPWNT
LZH=LZHWNT
IMAGE=IMGWNT
PDF=PDFWNT
JAVA=JAVAWNT
CDA=CDAWNT
Cabinet=CABWNT
MIM=MIME
UUEncode=UUEWNT
ARJ=ARJWNT
EXE=CAHEXE
BinHex=BHXWNT
PGP=PGPWNT
PlainText=CAHCHSET
Binary=CAHCHSET

The order of analysis is strictly controlled by the ordering of container handlers in the [Packaging] section. DO NOT change this ordering without assistance from technical support.

The name of most of the container handlers can also be used as a valid ContainerName value. The exceptions are MIME, IMGWNT and CAHEXE, which set ContainerName to values of their own (see the sections for those handlers below).

Each container handler must have its own configuration section in the same file as the [Packaging] section. The configuration section must have the same name as the container handler.

For example:

[Binary]
ContainerClass=Binary
CHARSET=\0-\255

Another example is:

[PlainText]
ContainerClass=Text
CHARSET=\032-\126
CHARSET=\012
CHARSET=A-Z
CHARSET=a-z
CHARSET=0-9
CHARSET=\032
CHARSET=\t
CHARSET=\r
CHARSET=\n
CHARSET=\163

The directives used to configure a container handler are dependent on its type.

Most of the container handlers require no directives. It is recommended, however, that one directive is always included in the configuration section: the ContainerClass directive.

For example:

[GZIP]
ContainerClass=Container

See the ContainerClass section, below, for details of the ContainerClass directive.

ContainerClass

The ContainerClass directive can be used to group together similar types of data, for example containers, plain text, images, executables or binary data.

During recursive disassembly each container handler sets the ContainerClass attribute of every component it recognises to the value given by the ContainerClass directive in that handler's own configuration section.

For example (using the example on page 7-57):

[MIM]
ContainerClass=Container

[PDF]
ContainerClass=InertDocument

[EXE]
ContainerClass=Executable

[IMAGE]
ContainerClass=Image

[PlainText]
ContainerClass=Text

This example indicates that MIME-encapsulated data is classed as Container, PDF files as InertDocument, executables as Executable, image files as Image and plain text as Text.

The ContainerClass directive can be used with the PerformIf and SkipIf directives to control validation for particular data types. This can be useful for limiting validation to only those data types that are relevant to a particular validator instance.

For example, virus scanning needs to be performed only on executables, text, documents and binaries. All other data types, such as images and containers, can be ignored. This can be achieved by including several PerformIf directives in the configuration section of each validator instance that performs virus scanning.

Each PerformIf directive listed will check the value of the ContainerClass attribute attached to the component being validated. Validation is only performed if the component holds data of the type specified by one of the ContainerClass attribute expressions.

For example:

In VALIDATE.CFG (or, for WEBsweeper, in HTTP.CFG/FTP.CFG):

[Validation]
F-PROT=VALEXE

[F-PROT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
ExeName=C:\F-PROT\F-PROT.EXE
...
255=UNKNOWN

This example will only perform validation of executable, document, text or binary files.

For more details on PerformIf see page 7-107.

Alternatively, the ContainerClass attribute can be used to control validation by skipping validation of any component holding a certain type of data.

For example, virus scanning need not be performed on containers or images. This can be achieved by including SkipIf directives in the configuration section for each validator instance that performs virus scanning.

Each SkipIf directive will check the value of the ContainerClass attribute attached to the component being validated. Validation is skipped if the component holds data of the type specified by one of the ContainerClass attribute expressions.

For example:

In VALIDATE.CFG (or, for WEBsweeper, in HTTP.CFG/FTP.CFG):

[Validation]
F-PROT=VALEXE

[F-PROT]
SkipIf=ContainerClass==Container
SkipIf=ContainerClass==Image
ExeName=C:\F-PROT\F-PROT.EXE
...
255=UNKNOWN

This example will skip validation of containers and images.

For more details on SkipIf see page 7-105.
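The following is an added example, not code from MIMEsweeper, that reads a configuration file containing both validator instances shown above and works out which components each would examine. The semantics it assumes for combining the directives (any matching SkipIf suppresses validation; when PerformIf directives are present at least one must match; a section with neither validates everything) are an assumption of this example, as are the second instance name F-PROT-SKIP, the support for only the attribute==value form of condition, and the constructed list of components.

```python
import re

# Constructed configuration reproducing the two validator instances from the page.
# The second instance name (F-PROT-SKIP) is invented so both can live in one file.
SAMPLE_CFG = r"""
[Validation]
F-PROT=VALEXE
F-PROT-SKIP=VALEXE

[F-PROT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
ExeName=C:\F-PROT\F-PROT.EXE
255=UNKNOWN

[F-PROT-SKIP]
SkipIf=ContainerClass==Container
SkipIf=ContainerClass==Image
ExeName=C:\F-PROT\F-PROT.EXE
255=UNKNOWN
"""


def parse_cfg(text):
    """Parse a .CFG file into {section: [(directive, value), ...]}.
    A list is kept per section because directives such as PerformIf repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


# Assumption: only the "attribute==value" form shown on the page is supported here.
_CONDITION = re.compile(r"^(\w+)==(\S+)$")


def condition_holds(expr, attrs):
    """Evaluate one PerformIf/SkipIf expression against a component's attributes."""
    m = _CONDITION.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported condition: {expr!r}")
    name, value = m.groups()
    return attrs.get(name) == value


def should_validate(directives, attrs):
    """Assumed semantics: any matching SkipIf suppresses validation; when PerformIf
    directives are present at least one must match; neither present means validate."""
    skips = [v for k, v in directives if k.lower() == "skipif"]
    performs = [v for k, v in directives if k.lower() == "performif"]
    if any(condition_holds(e, attrs) for e in skips):
        return False
    if performs:
        return any(condition_holds(e, attrs) for e in performs)
    return True


def validation_plan(cfg_text, components):
    """Map each instance listed under [Validation] to the component names it would examine."""
    cfg = parse_cfg(cfg_text)
    return {
        instance: [name for name, attrs in components if should_validate(cfg[instance], attrs)]
        for instance, _dll in cfg["Validation"]
    }


# Constructed components, as recursive disassembly might have produced them.
SAMPLE_COMPONENTS = [
    ("message", {"ContainerClass": "Container"}),
    ("readme.txt", {"ContainerClass": "Text"}),
    ("tool.exe", {"ContainerClass": "Executable"}),
    ("photo.gif", {"ContainerClass": "Image"}),
    ("paper.pdf", {"ContainerClass": "InertDocument"}),
    ("report.doc", {"ContainerClass": "Document"}),
]

if __name__ == "__main__":
    for instance, names in validation_plan(SAMPLE_CFG, SAMPLE_COMPONENTS).items():
        print(f"{instance}: {', '.join(names)}")
```

The output makes the difference between the two forms visible: the PerformIf instance scans readme.txt, tool.exe and report.doc, while the SkipIf instance also scans paper.pdf, because InertDocument is neither in the PerformIf list nor in the SkipIf list. A PerformIf list is an allow-list, so a ContainerClass introduced by a newly added container handler is silently not scanned until the list is extended; a SkipIf list scans everything not explicitly excluded, which is the safer default when handlers are added over time.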

MIME

The MIME container handler recognises encapsulations defined by the Multipurpose Internet Mail Extensions standard (RFC 1521). MIME was originally used in SMTP mail systems, but has since been extended for use in HTTP to encapsulate data.

The MIME container handler reads the MIME headers of the encapsulated data to determine if any specific processing is required. For example, if the data is Base64 encoded.

For example:

[MIM]
ContainerClass=Container

For WEBsweeper this section also requires the RfcHeaders directive:

[MIM]
ContainerClass=Container
RfcHeaders=HTTP

By default, the value of the RfcHeaders directive is SMTP.

CABWNT

The CABWNT container handler recognises and decodes cabinet files.

For example:

[Cabinet]
ContainerClass=Container

UUEWNT

The UUEWNT container handler recognises and decodes UUEncoded data.

For example:

[UUEncode] 
ContainerClass=Container

BHXWNT

The BHXWNT container handler recognises and decodes BinHex version 4 encoded data.

For example:

[BinHex]
ContainerClass=Container

ZIPWNT

The ZIPWNT container handler recognises and disassembles ZIP and self-extracting ZIP files.

For example:

[ZIPArchive]
ContainerClass=Container

TARWNT

The TARWNT container handler recognises and decodes TAR archives.

For example:

[TAR]
ContainerClass=Container

CMPWNT

The CMPWNT container handler recognises and decodes files compressed by the Unix utility compress.

For example:

[CMP]
ContainerClass=Container


IMGWNT

The IMGWNT container handler recognises image files, including GIF, TIFF, JPEG, BMP and AVI.

For example:

[IMAGE]
ContainerClass=Image

Image files can subsequently be blocked by using a configured VALATTR instance to check the value of the ContainerName attribute. See page 7-81 for more details on VALATTR.

CDAWNT

The CDAWNT container handler recognises Compound Document Architecture files such as Microsoft Word documents. Disassembly of a CDA document is achieved by extracting each data stream held within it. This facilitates validation of embedded objects found within the document.

For example:

[CDA]
ContainerClass=Document

The more common values that CDAWNT sets in the CDAClassName attribute are:

Microsoft file type          CDAClassName attribute value
Excel Worksheet              Microsoft Excel Worksheet
PowerPoint Presentation      Microsoft PowerPoint Presentation
Word Document                Microsoft Word Document (1)
Project 4.0 Project          Microsoft Project 4.0 Project

(1) Different Word versions set different strings.

GZPWNT

The GZPWNT container handler recognises and decodes GZIP files.

For example:

[GZIP]
ContainerClass=Container

PDFWNT

The PDFWNT container handler recognises and decodes PDF (portable document format) files.

For example:

[PDF]
ContainerClass=InertDocument

The InertDocument container class is intended for documents that are simple formatted text, such as PDF files, on the basis that they cannot contain macros or executables and so do not represent a threat. Note that this is a property of the PDF versions current at the time of writing: later versions of the format can carry JavaScript, launch actions and embedded files, so treat the classification as a product assumption to be revisited rather than a permanent property of the format.

CAHEXE

The CAHEXE container handler recognises application executable files. The executable types recognised are DOS, Windows 3.1 and Windows NT executables.

For example:

[EXE]
ContainerClass=Executable

The CAHEXE container handler sets the ContainerName attribute on a component to the appropriate executable type, that is, DosExe, Win31, Win32Unknown, Win32Exe, Win32Dll.

The ContainerName attribute can also be used at a later stage, to facilitate the blocking of messages that contain executables.

CAHCHSET

The CAHCHSET container handler recognises files based on the character sets found within them. It can be used to determine if a data component contains plain text or binary.

The configuration section uses one directive, called CHARSET. This directive is used to build up the character set the container handler will use.

The value of the directive can take one of the forms:

Value        Meaning                                      Example
X            a single ASCII character                     A
X-X          a range of ASCII characters                  A-Z
\nnn         a character given by its decimal ASCII code  \012
\nnn-\nnn    a range of decimal ASCII codes               \032-\126
\t           horizontal tab                               \t
\n           linefeed                                     \n
\r           carriage return                              \r

For example:

[PlainText]
ContainerClass=Text
CHARSET=\032-\126
CHARSET=\012
CHARSET=A-Z
CHARSET=a-z
CHARSET=0-9
CHARSET=\032
CHARSET=\t
CHARSET=\r
CHARSET=\n
CHARSET=\163

The container handler configured in this example recognises plain text, that is, the printable ASCII characters together with the space, tab, carriage return, linefeed and formfeed characters. The final directive additionally admits byte value 163, the pound sign in ISO 8859-1. Any component containing a byte outside this set is not recognised as plain text and falls through to the next handler in the [Packaging] ordering.

Another example is:

[Binary]
ContainerClass=Binary
CHARSET=\0-\255

The container handler configured in this example recognises binary files, that is, the character set for the complete byte value range.
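The following is an added example, not code from MIMEsweeper, that implements the CHARSET value grammar from the table above, builds the character sets for the [PlainText] and [Binary] sections exactly as given, and classifies sample data against an ordered list of handlers. Because the Binary set covers every byte value, the result depends entirely on which handler is consulted first, which is the point of the warning about [Packaging] ordering earlier on this page. The (name, directives) representation of a section and the sample data are assumptions of this example.

```python
import re

_ESCAPES = {"t": 9, "n": 10, "r": 13}
# One endpoint token: \nnn (decimal), \t, \n, \r, or a single literal character.
_TOKEN = r"(?:\\\d{1,3}|\\[tnr]|.)"
_VALUE = re.compile(rf"^({_TOKEN})(?:-({_TOKEN}))?$")


def _endpoint(tok):
    """Turn one endpoint token into a byte value (0-255)."""
    if tok.startswith("\\"):
        body = tok[1:]
        if body in _ESCAPES:
            return _ESCAPES[body]
        code = int(body)  # raises ValueError for anything that is not decimal digits
        if code > 255:
            raise ValueError(f"byte value out of range: {tok}")
        return code
    return ord(tok)


def parse_charset_value(value):
    """Expand one CHARSET directive value into the set of byte values it admits."""
    m = _VALUE.match(value.strip())
    if not m:
        raise ValueError(f"bad CHARSET value: {value!r}")
    lo = _endpoint(m.group(1))
    hi = _endpoint(m.group(2)) if m.group(2) else lo
    if hi < lo:
        raise ValueError(f"reversed range: {value!r}")
    return set(range(lo, hi + 1))


def build_charset(directives):
    """Union of every CHARSET directive in a section (directive names compared case-insensitively)."""
    charset = set()
    for key, value in directives:
        if key.lower() == "charset":
            charset |= parse_charset_value(value)
    return charset


# The two sections from the page, as (directive, value) pairs in file order.
PLAINTEXT = [("ContainerClass", "Text")] + [
    ("CHARSET", v)
    for v in [r"\032-\126", r"\012", "A-Z", "a-z", "0-9", r"\032", r"\t", r"\r", r"\n", r"\163"]
]
BINARY = [("ContainerClass", "Binary"), ("CHARSET", r"\0-\255")]


def recognise(data, handlers):
    """Return the ContainerClass of the first handler whose character set covers every byte
    of data. `handlers` is an ordered list of (name, directives), like the [Packaging] order."""
    present = set(data)
    for _name, directives in handlers:
        if present <= build_charset(directives):
            return dict(directives)["ContainerClass"]
    return None


# Constructed sample data: ordinary text, Latin-1 text with a pound sign, and a binary stub.
SAMPLES = {
    "greeting": b"Hello, world\r\n",
    "pounds": "price \u00a35\n".encode("latin-1"),
    "nul_bytes": b"MZ\x00\x01\x02",
}


def classify_samples(handlers):
    """Classify every sample under the given handler ordering."""
    return {name: recognise(data, handlers) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    correct = [("PlainText", PLAINTEXT), ("Binary", BINARY)]
    print("PlainText before Binary:", classify_samples(correct))
    print("Binary before PlainText:", classify_samples(correct[::-1]))
```

With PlainText listed before Binary the samples classify as Text, Text and Binary; with the order reversed everything becomes Binary, because a handler whose set admits all 256 byte values matches first and the text handler is never reached. The same mechanism explains why the [Packaging] list must not be reordered casually: a validator configured with PerformIf=ContainerClass==Text would then never see any text at all.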

TNEWNT

The TNEWNT container handler recognises and decodes Transport Neutral Encapsulation Format data.

For example:

[TNEF]
ContainerClass=Container

TNEF is used by Microsoft Exchange to encapsulate MAPI properties not supported by an intermediate mail system.

ARJWNT

The ARJWNT container handler recognises and decodes ARJ archives.

For example:

[ARJ]
ContainerClass=Container

LZHWNT

The LZHWNT container handler recognises and decodes LZH and LHA archives.

For example:

[LZH]
ContainerClass=Container

PGPWNT

The PGPWNT container handler recognises ASCII-armoured PGP data, both signed and encrypted. Encrypted data is encoded so that only the intended recipient is able to decode it. Signed data carries a signature that can be used to check that it has not been tampered with.

For example:

[PGP]
ContainerClass=Container

This container handler can extract items from ASCII-armoured signed data. It cannot extract data from binary or encrypted PGP files, so such components reach the validators opaque and their contents are not validated. If your policy requires that all content be scanned, components of this kind must be blocked or quarantined by a separate rule, for example a VALATTR instance keyed on the component's attributes (see page 7-81).

JAVAWNT

The JAVAWNT container handler recognises Java applets that may be embedded in documents or Web pages.

For example:

[JAVA]
ContainerClass=Container

File formats

A list of the file formats supported by MIMEsweeper is given below. See the [Packaging] section, on page 7-57, for further details on how these formats are recognised.

MIMEsweeper identifies the following file formats:

MIMEsweeper identifies and disassembles the following file formats:

MIMEsweeper identifies the following file formats and extracts the streams within:

WEBsweeper identifies the following file formats and extracts the streams within:

The anti-virus tools used with MIMEsweeper may support additional file formats to those listed.

 





msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.