<div dir="ltr"><div><div><div>Thomas,<br><br></div>I've updated 'file' package and that .zip file detected now.<br><br></div>I decided to check .rar files and found that decoder is unable to unpack them during scan.<br><br></div>My @decoders for rar:<br> ['rar', \&do_unrar, ['unrar', 'rar'] ],<br><div><br></div><div>I have unrar-5.0.3-1 installed on my server.<br></div><div><br></div><div>Can you please send any rar archive through your system?<br></div><div>Which decoder for rar you have?<br></div><div>Here is the debug log record:<br>May 29 21:08:22 amavis[2565]: (02565-02) File-type of p002: RAR archive data, v1d, os: Unix; (rar)<br>May 29 21:08:22 amavis[2565]: (02565-02) decompose_part: p001 - atomic<br>May 29 21:08:22 amavis[2565]: (02565-02) Expanding RAR archive p002<br>May 29 21:08:22 amavis[2565]: (02565-02) get_deadline do_unrar_pre - deadline in 600.0 s, set to 420.000 s<br>May 29 21:08:22 amavis[2565]: (02565-02) prolong_timer do_unrar_pre: timer 420, was 420, deadline in 600.0 s<br>May 29 21:08:22 amavis[2565]: (02565-02) run_command: [3256] /usr/bin/unrar v -c- -p- -idcdp -- /var/spool/amavisd/tmp/amavis-20150529T191447-02565-pRlWBcig/parts/p002 </dev/null 2>&1<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: target fd0 closing, to become < /dev/null<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: target fd1 closing, to become (65) &=13<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: target fd1 dup2 from fd13 (65) &=13<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: source fd13 closed<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: target fd2 closing, to become (65) &1<br>May 29 21:08:22 amavis[3256]: (02565-02) open_on_specific_fd: target fd2 dup2 from fd1 (65) &1<br>May 29 21:08:22 amavis[2565]: (02565-02) do_unrar: summary size: 42482, sum of sizes: 0<br>May 29 21:08:22 amavis[2565]: (02565-02) Charging 42482 bytes to remaining quota 29638424 (out of 29681000, (0%)) - by do_unrar-pre<br>May 29 21:08:22 amavis[2565]: (02565-02) do_unrar: no archive members, or not an archive at all<br>May 29 21:08:22 amavis[2565]: (02565-02) get_deadline do_unrar - deadline in 599.9 s, set to 420.000 s<br>May 29 21:08:22 amavis[2565]: (02565-02) prolong_timer do_unrar: timer 420, was 420, deadline in 599.9 s<br>May 29 21:08:22 amavis[2565]: (02565-02) lookup_re("RAR archive data, v1d, os: Unix"), no matches<br>May 29 21:08:22 amavis[2565]: (02565-02) lookup [keep_decoded_original] => undef, "RAR archive data, v1d, os: Unix" does not match<br>May 29 21:08:22 amavis[2565]: (02565-02) decompose_part: deleting /var/spool/amavisd/tmp/amavis-20150529T191447-02565-pRlWBcig/parts/p002<br>May 29 21:08:22 amavis[2565]: (02565-02) decompose_part: p002 - archive, unpacked<br>May 29 21:08:22 amavis[2565]: (02565-02) get_deadline parts_decode - deadline in 599.9 s, set to 420.000 s<br>May 29 21:08:22 amavis[2565]: (02565-02) prolong_timer parts_decode: timer 420, was 420, deadline in 599.9 s<br></div><div><div><br></div><div>Thank you.<br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-28 20:54 GMT+03:00 Konstantin <span dir="ltr"><<a href="mailto:myownletters@gmail.com" target="_blank">myownletters@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I have decoders installed. Previously all exe files in .zip were rejected.<br><br>Found decoder for .zip at /usr/bin/7za<br>Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/unarj<br>p7zip-9.20.1-2.el6.x86_64<br>lha-1.14i-19.2.2.el6.rf.x86_64<br><br>It seems that file-5.04-21.el6.x86_64 is the old one. But it is latest version available in base repo (<br></div># file invoice.zip <br>invoice.zip: data<br><br>On my ArchLinux desktop i have file-5.22-1<br><div>$ file Downloads/invoice.zip <br>Downloads/invoice.zip: Zip archive data<br><br></div><div>Will look how to update it on CentOS 6.<br><br></div><div>Thanks for the help.<br></div><div><br></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">2015-05-28 12:44 GMT+03:00 Andre Helwig <span dir="ltr"><<a href="mailto:a.helwig@heinlein-support.de" target="_blank">a.helwig@heinlein-support.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Update your "file" package to the latest version.<br>
<br>
could be that your file does not detect .zip as zip file and did't<br>
unpack the zip.<br>
<br>
Simply check the result of "file $filename.zip" if result is Zip archive<br>
data..<br>
<br>
Cheers<br>
<div><div><br>
On 05/27/2015 11:22 PM, Thomas Spuhler wrote:<br>
> On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:<br>
>> Hi,<br>
>><br>
>> Today I found the same behaviour with following zip file.<br>
>> In $log_level=5 i see that amavis see content of zip archive<br>
>> (Docs-5280.exe) but did not block it.<br>
>> If I extract the Docs-5280.exe file and place it into another zip file,<br>
>> that zip file is correctly identified as<br>
>> containing an .exe, and rejected by the server.<br>
>><br>
>> Can anyone make a test from your side?<br>
>><br>
>> I have CentOS 6 with amavisd-new-2.8.0<br>
>><br>
>> == THE CONTAINED EXE FILE CONTAINS TROJAN ==<br>
>> Original file: <a href="https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0" target="_blank">https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0</a><br>
>><br>
>> Thank you.<br>
>><br>
>> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <<a href="mailto:thomas.spuhler@btspuhler.com" target="_blank">thomas.spuhler@btspuhler.com</a>>:<br>
>>> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:<br>
>>>> Hello,<br>
>>>><br>
>>>> This morning our mailserver (Postfix+Amavis) had a virus pass<br>
through to<br>
>>>> our users. The file was an .exe file within a .zip file. The server is<br>
>>>> configured to block .exe files with $banned_filename_re, but this one<br>
>>>> slipped by. After setting $log_level to 5, it seems that the ZIP file<br>
>>>> was never decoded by amavis, but allowed to pass unscanned. ClamAV<br>
>>>> missed the virus as well, but it should have never made it to that<br>
point<br>
>>>> anyway. The strangest thing is, if I extract the .exe file and place it<br>
>>>> into a "new" zip file, that zip file is correctly identified as<br>
>>>> containing an .exe, and blocked by the server.<br>
>>>><br>
>>>> I've gone so far as to override the default zip decoding, using 7zip:<br>
>>>> @decoders = (<br>
>>>><br>
>>>> ['zip', \&do_7zip, ['7z', '7za'] ]<br>
>>>><br>
>>>> );<br>
>>>><br>
>>>> and the same behaviour is exhibited.<br>
>>>><br>
>>>> Versions:<br>
>>>> Ubuntu 10.04<br>
>>>> amavisd-new-2.6.4<br>
>>>><br>
>>>> I realize this version is quite out of date, and that may be the<br>
>>>> ultimate cause of the issue (working on testing this theory), but in<br>
>>>> case it isn't I wanted to let someone know.<br>
>>>><br>
>>>> I've made available the original and "new" zip files on Dropbox:<br>
>>>> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==<br>
>>>> Original: <a href="https://www.dropbox.com/s/modnz533k4swum7/Original.zip" target="_blank">https://www.dropbox.com/s/modnz533k4swum7/Original.zip</a><br>
>>>> New: <a href="https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip" target="_blank">https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip</a><br>
>>><br>
>>> The exe file is detected here.<br>
>>> I downloaded your Original.zip from the dropbox and attached it to an<br>
>>> e-mail I sent to myself.<br>
>>> See the attachment what happened.<br>
>>> Of course, it didn't find the virus since the exe file was blocked<br>
before<br>
>>> it go to the virus scanner<br>
>>><br>
>>> --<br>
>>> Best regards<br>
>>> Thomas Spuhler<br>
>>><br>
>>> All of my e-mails have a valid digital signature<br>
>>> ID 60114E63<br>
><br>
> Konstantin:<br>
> I downloaded the zip file from your link. Attached it to an e-mail to<br>
my wife's e-mail address (same<br>
> server as mine) and the e-mail didn't get delivered. I got a message<br>
(as admin) that it was<br>
> rejected.<br>
> See the details of the message in the attachment. Do you really have<br>
an unzip program installed?<br>
> I am using p7zip-9.20.1 for it. and for .exe /usr/bin/lha<br>
><br>
><br>
<br>
</div></div>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
<br>
iQEcBAEBAgAGBQJVZuOZAAoJEAoTNwRDnEhRXDcIAJe+mVhdb6ADaHT4NVv7I5sW<br>
sDz0pozLedmeidjfgLxDroGgW/DFJ0eYAcD45vnsfBsGnTpyjVX8YXOh603ffXLw<br>
tHFtfxFQ8TnAojQAcURc5gGbTYsNzDBZA0bybUiyhP1eo7H5beWcpxkJLra4weLJ<br>
7qwj2r+LfiA43ayUEr5aOSr+y2nL18JeRexfUCE8wQ6OJM2LHxJ/mXdgpKM3R9xf<br>
JtrFDjSHYXe7lpGtrBld5e2UbGTiQDfHCBV75WeNkzTMdxMPCWkSzLfAFXHuVXvQ<br>
Cwgxr6J5niqcBnB2AE+8LiI89mFpJoYyjhn4DBdzcBVNxEUykMCG6qOQs6eO+9U=<br>
=kDqy<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br><br clear="all"><br></div></div><span class="">-- <br><div><div dir="ltr"><b style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:13px;font-style:normal;font-variant:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-size:8pt;color:rgb(152,72,6)"><span style="color:rgb(56,118,29)"><span style="background-color:rgb(255,255,255)">This message was delivered using 100% recycled</span></span><span><span style="color:rgb(56,118,29)"><span style="background-color:rgb(255,255,255)"> electrons</span></span></span></span></b><b style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:13px;font-style:normal;font-variant:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-size:8pt;color:rgb(152,72,6)"><span></span></span></b>.<span style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(253,248,219);display:inline!important;float:none"></span></div></div>
</span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><b style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:13px;font-style:normal;font-variant:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-size:8pt;color:rgb(152,72,6)"><span style="color:rgb(56,118,29)"><span style="background-color:rgb(255,255,255)">This message was delivered using 100% recycled</span></span><span><span style="color:rgb(56,118,29)"><span style="background-color:rgb(255,255,255)"> electrons</span></span></span></span></b><b style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:13px;font-style:normal;font-variant:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-size:8pt;color:rgb(152,72,6)"><span></span></span></b>.<span style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(253,248,219);display:inline!important;float:none"></span></div></div>
</div>