Top > Notes > Exim: Blocking Windows Executables with Exiscan

Assuming you have Exim4 with the exiscan patches installed, you can use a simple regex to block mails that appear to be Windows executables. See :-

    deny message = Windows Executables not accepted here
         regex = ^TV[nopqr][A-Z]...[AB]..A.A
         # Previous regex was ^TVqQAAM

This looks for the sequence at the start of every line in the received message, which is unfortunately not quite what is needed; it would be better to search just the first line of base64. There is a small chance of a false positive, but from what I can tell it is very small (*).

This does not catch anything other than Base64-encoded executables; there are plenty of other avenues for malware. So no promises, but it can cut down on the noise for Unix-only sites, and in combination with a good virus checker it can reduce mail server load and may stop new virus infections.

The regexp given above was obtained from a recent posting to the Exim mailing list. The previous regexp was worked out by me (but misses numerous executables).

Probability of False Positives

This is a naive calculation of the probability of a false positive using basic probability. A "false positive" is defined as an attachment being blocked as executable when it is not.

    P(false_positive) = (chance of getting 'T' in first position in line) x
                        (chance of getting 'V' in second position in line) x
                        (chance of getting 'n', 'o', 'p', 'q', or 'r') x
                        (chance of getting anything from 'A' to 'Z') x
                        (chance of getting 'A' or 'B') x
                        (chance of getting 'A') x
                        (chance of getting 'A')
    P(false_positive) = 1/64 x 1/64 x 5/64 x 26/64 x 2/64 x 1/64 x 1/64
    P(false_positive) = 260/64^7
    P(false_positive) = 65/1099511627776
    P(false_positive) = 1/16915563504 (approx)

The above is the probability of a false positive for each base64 line of an attachment. Given that each Kbyte consumes approximately 18 lines of base64, the probability for an 8Mbyte attachment would be :-

    P(8Mbyte_fp) = P(false_positive) * 8192 * 18
    P(8Mbyte_fp) = 692705/79617130496
    P(8Mbyte_fp) = 1/114936.5 (approx)

So for every 1,000,000 attachments that are 8Mbytes in size, you will get fewer than 9 false positives. This seems a reasonably small risk, especially as most attachments are less than 8Mbytes.

I chose 8Mbytes as an attachment size because the mail server I run limits attachments to less than that. Bear in mind that the figures given above are not always what I worked with, so if you re-calculate with the figures above you will get a slightly different result.
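As an added example (my own code, not from this note or from Exim), the script below base64-encodes a constructed MZ header and a benign PNG signature, applies the note's regex either to every line (as the ACL does) or only to the first base64 line (as the note suggests), and recomputes the false-positive product from the figures given above; the 8Mbyte result comes out slightly different from the note's, as the note itself warns.

```python
import base64
import re
from fractions import Fraction

# The exiscan regex from the note; MULTILINE makes ^ match at the start of
# every line, which is how the note describes the ACL behaving.
EXE_RE = re.compile(r"^TV[nopqr][A-Z]...[AB]..A.A", re.MULTILINE)

# Per-line false-positive chance: seven constrained base64 positions, each one
# of 64 characters, exactly the product the note writes out (260/64^7).
PER_LINE_FP = (Fraction(1, 64) * Fraction(1, 64) * Fraction(5, 64) * Fraction(26, 64)
               * Fraction(2, 64) * Fraction(1, 64) * Fraction(1, 64))


def false_positive_probability(attachment_kbytes=8192, lines_per_kbyte=18):
    """Naive per-attachment chance: per-line chance times number of base64 lines."""
    return PER_LINE_FP * attachment_kbytes * lines_per_kbyte


def encode_attachment(raw: bytes, width: int = 76) -> str:
    """Base64-encode bytes into MIME-style lines of `width` characters."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def first_base64_line(body: str) -> str:
    """First non-blank line of a base64 body, the place the note suggests checking."""
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    return ""


def looks_like_windows_exe(body: str, first_line_only: bool = True) -> bool:
    """Apply the regex to the first base64 line only, or to every line as the ACL does."""
    if first_line_only:
        return EXE_RE.match(first_base64_line(body)) is not None
    return EXE_RE.search(body) is not None


# Constructed samples (not real files): a minimal DOS "MZ" header as found at the
# start of Windows executables, and a PNG signature standing in for a benign image.
MZ_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 46
# Constructed body whose first base64 line is benign but whose second line starts
# with the MZ pattern: the every-line scan flags it, the first-line check does not.
MIXED_BODY = encode_attachment(PNG_SAMPLE) + "\n" + encode_attachment(MZ_SAMPLE)

if __name__ == "__main__":
    print(encode_attachment(MZ_SAMPLE)[:16])                      # TVqQAAMAAAAEAAAA
    print(looks_like_windows_exe(encode_attachment(MZ_SAMPLE)))   # True
    print(looks_like_windows_exe(encode_attachment(PNG_SAMPLE)))  # False
    print(looks_like_windows_exe(MIXED_BODY), looks_like_windows_exe(MIXED_BODY, False))
    print(PER_LINE_FP, false_positive_probability())              # 65/1099511627776 585/67108864
```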