<div dir="ltr"><div>I have decoders installed. Previously all exe files in .zip were rejected.<br><br>Found decoder for .zip at /usr/bin/7za<br>Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/unarj<br>p7zip-9.20.1-2.el6.x86_64<br>lha-1.14i-19.2.2.el6.rf.x86_64<br><br>It seems that file-5.04-21.el6.x86_64 is the old one. But it is the latest version available in base repo (<br></div># file invoice.zip <br>invoice.zip: data<br><br>On my ArchLinux desktop I have file-5.22-1<br><div>$ file Downloads/invoice.zip <br>Downloads/invoice.zip: Zip archive data<br><br></div><div>Will look how to update it on CentOS 6.<br><br></div><div>Thanks for the help.<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-28 12:44 GMT+03:00 Andre Helwig <span dir="ltr"><<a href="mailto:a.helwig@heinlein-support.de" target="_blank">a.helwig@heinlein-support.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Update your "file" package to the latest version.<br>
<br>
Could be that your file does not detect .zip as zip file and didn't<br>
unpack the zip.<br>
<br>
Simply check the result of "file $filename.zip" if result is Zip archive<br>
data..<br>
<br>
Cheers<br>
<div><div class="h5"><br>
On 05/27/2015 11:22 PM, Thomas Spuhler wrote:<br>
> On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:<br>
>> Hi,<br>
>><br>
>> Today I found the same behaviour with the following zip file.<br>
>> In $log_level=5 I see that amavis sees the content of the zip archive<br>
>> (Docs-5280.exe) but did not block it.<br>
>> If I extract the Docs-5280.exe file and place it into another zip file,<br>
>> that zip file is correctly identified as<br>
>> containing an .exe, and rejected by the server.<br>
>><br>
>> Can anyone make a test from your side?<br>
>><br>
>> I have CentOS 6 with amavisd-new-2.8.0<br>
>><br>
>> == THE CONTAINED EXE FILE CONTAINS TROJAN ==<br>
>> Original file: <a href="https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0" target="_blank">https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0</a><br>
>><br>
>> Thank you.<br>
>><br>
>> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <<a href="mailto:thomas.spuhler@btspuhler.com">thomas.spuhler@btspuhler.com</a>>:<br>
>>> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:<br>
>>>> Hello,<br>
>>>><br>
>>>> This morning our mailserver (Postfix+Amavis) had a virus pass through to<br>
>>>> our users. The file was an .exe file within a .zip file. The server is<br>
>>>> configured to block .exe files with $banned_filename_re, but this one<br>
>>>> slipped by. After setting $log_level to 5, it seems that the ZIP file<br>
>>>> was never decoded by amavis, but allowed to pass unscanned. ClamAV<br>
>>>> missed the virus as well, but it should have never made it to that point<br>
>>>> anyway. The strangest thing is, if I extract the .exe file and place it<br>
>>>> into a "new" zip file, that zip file is correctly identified as<br>
>>>> containing an .exe, and blocked by the server.<br>
>>>><br>
>>>> I've gone so far as to override the default zip decoding, using 7zip:<br>
>>>> @decoders = (<br>
>>>><br>
>>>> ['zip', \&do_7zip, ['7z', '7za'] ]<br>
>>>><br>
>>>> );<br>
>>>><br>
>>>> and the same behaviour is exhibited.<br>
>>>><br>
>>>> Versions:<br>
>>>> Ubuntu 10.04<br>
>>>> amavisd-new-2.6.4<br>
>>>><br>
>>>> I realize this version is quite out of date, and that may be the<br>
>>>> ultimate cause of the issue (working on testing this theory), but in<br>
>>>> case it isn't I wanted to let someone know.<br>
>>>><br>
>>>> I've made available the original and "new" zip files on Dropbox:<br>
>>>> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==<br>
>>>> Original: <a href="https://www.dropbox.com/s/modnz533k4swum7/Original.zip" target="_blank">https://www.dropbox.com/s/modnz533k4swum7/Original.zip</a><br>
>>>> New: <a href="https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip" target="_blank">https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip</a><br>
>>><br>
>>> The exe file is detected here.<br>
>>> I downloaded your Original.zip from the dropbox and attached it to an<br>
>>> e-mail I sent to myself.<br>
>>> See the attachment what happened.<br>
>>> Of course, it didn't find the virus since the exe file was blocked before<br>
>>> it got to the virus scanner<br>
>>><br>
>>> --<br>
>>> Best regards<br>
>>> Thomas Spuhler<br>
>>><br>
>>> All of my e-mails have a valid digital signature<br>
>>> ID 60114E63<br>
><br>
> Konstantin:<br>
> I downloaded the zip file from your link. Attached it to an e-mail to my wife's e-mail address (same<br>
> server as mine) and the e-mail didn't get delivered. I got a message (as admin) that it was<br>
> rejected.<br>
> See the details of the message in the attachment. Do you really have an unzip program installed?<br>
> I am using p7zip-9.20.1 for it. and for .exe /usr/bin/lha<br>
><br>
><br>
<br>
</div></div>
<br>
</blockquote></div>
</div>
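The check suggested in the thread (`file $filename.zip`), turned into a cross-check of the file(1) verdict against the ZIP magic bytes. This is an added example, not part of the original messages; the function names are hypothetical and only the two most common ZIP signatures are tested.

```shell
#!/bin/sh
# Added example: flag archives that start with a ZIP signature but that
# file(1) does not describe as "Zip archive", the situation reported
# in the thread with file-5.04 ("invoice.zip: data").

# Print the first four bytes of a file as lowercase hex, e.g. 504b0304.
magic_hex() {
    head -c 4 < "$1" | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the file begins with a ZIP signature:
#   PK\003\004 = local file header, PK\005\006 = empty archive.
has_zip_magic() {
    case "$(magic_hex "$1")" in
        504b0304|504b0506) return 0 ;;
        *) return 1 ;;
    esac
}

# classify FILE DESCRIPTION -> prints ok, MISMATCH or not-zip.
# DESCRIPTION is the output of `file -b FILE`; it is passed in so the
# comparison can be exercised on hosts with different file(1) versions.
classify() {
    if has_zip_magic "$1"; then
        case "$2" in
            *[Zz]ip\ archive*) echo ok ;;
            *) echo MISMATCH ;;
        esac
    else
        echo not-zip
    fi
}

# Run the installed file(1) over every sample given on the command line.
check_samples() {
    for f in "$@"; do
        desc=$(file -b -- "$f")
        printf '%s: %s (file says: %s)\n' "$f" "$(classify "$f" "$desc")" "$desc"
    done
}

if [ "$#" -gt 0 ]; then
    check_samples "$@"
fi
```

A `MISMATCH` line on the mail gateway means the installed file(1) does not recognise that sample as a ZIP archive, so the check from the reply above fails for it on that host.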