<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'><div><font face="times new roman, new york, times, serif"><span style="font-size: 12pt;"><br></span></font></div><font face="times new roman, new york, times, serif"><span style="font-size: 12pt;">Sorry for the duplicate thread, the answer</span></font><span style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif;"> was found in a previous thread here.</span><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div><font face="times new roman, new york, times, serif">http://lists.amavis.org/pipermail/amavis-users/2015-May/003636.html</font></div><div><font face="times new roman, new york, times, serif"><br></font><br><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span name="x"></span><div><div><div><div>Regards<br><br></div></div></div></div><span name="x"></span><br></div><hr id="zwchr" style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><div style="color: rgb(0, 0, 0); font-family: Helvetica, Arial, sans-serif; font-size: 12pt; font-weight: normal; font-style: normal; text-decoration: none;"><b>From: </b>"William Bernard - Hanlees Dealership Group" <william.bernard@hanlees.net><br><b>To: </b>amavis-users@amavis.org<br><b>Sent: </b>Monday, June 8, 2015 2:10:22 PM<br><b>Subject: </b>exe not banned in zip file<br><br><style>p { margin: 0; }</style><div style="font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000"><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Hello,</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: 
rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span style="font-size: 12pt;">I recently came across a zip file attachment containing a malware exe that is not being banned by amavis.</span></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">The amavis configuration allows for zip but not exe files.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">If amavis is configured to ban zip files, amavis does recognize the file as zip and bans it.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">If the exe is unzipped first then sent, amavis does recognize the file as exe and bans it.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I checked and amavis is using the internal decoder for .zip files, which is able to manually unarchive the file.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I also tried to set the decoder to use 7z for zip, but the exe was still not banned.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Oddly, the maillog shows no warnings or errors. 
All other zip files containing exes are properly banned.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">This is using amavisd-new-2.6.6 running on Ubuntu 10.04.4 LTS x64.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">The malware contained in the zip is Dyreza; more info about the file can be found here.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div><font face="times new roman, new york, times, serif">https://www.virustotal.com/en/file/d60e70b89a9c8179bb7486d8a447d3100cfcff598746eaf9bffa15589e5eb9e8/analysis/</font></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br><br><div><span></span><div><div><div><div>Regards<br></div></div></div></div></div></div></div></div><br></div></div></body></html>
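As an added illustration of the kind of check the thread above is about, this is a small Python scanner that does what a content filter such as amavis does with an archive attachment: unpack the zip, test each member's name against a banned-extension pattern and its leading bytes against the PE "MZ" signature, and recurse into nested zips with a depth and size cap. It is example code written for this page, not code from the original thread or from amavis; the regex, the size limits, the constructed sample archive and the helper names are assumptions. It goes slightly beyond the post by also flagging a member whose name is harmless but whose content is an executable, which is the case a name-only rule misses.

```python
import io
import re
import zipfile

# Assumed banned-name pattern for this example (modelled on the idea of a
# banned-extension rule, not copied from any amavis configuration).
BANNED_NAME_RE = re.compile(r'\.(exe|com|scr|pif|bat|cmd)$', re.IGNORECASE)
PE_MAGIC = b'MZ'              # first two bytes of a Windows PE executable
ZIP_LOCAL_HEADER = b'PK\x03\x04'
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed cap so a zip bomb is flagged, not expanded
MAX_DEPTH = 3                         # assumed cap on nested-archive recursion


def classify_member(name: str, data: bytes) -> list:
    """Return the reasons a member would be banned: by name, by content, or both."""
    reasons = []
    if BANNED_NAME_RE.search(name):
        reasons.append('name')       # extension matches the banned pattern
    if data[:2] == PE_MAGIC:
        reasons.append('content')    # looks like a PE executable regardless of name
    return reasons


def scan_zip(blob: bytes, depth: int = 0) -> dict:
    """Map member path -> list of ban reasons, recursing into nested zips."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Refuse to expand oversized members; report them instead.
            if info.file_size > MAX_MEMBER_BYTES:
                findings[info.filename] = ['oversized']
                continue
            data = zf.read(info.filename)
            reasons = classify_member(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
            # A member that is itself a zip gets scanned, up to MAX_DEPTH levels.
            if data[:4] == ZIP_LOCAL_HEADER and depth < MAX_DEPTH:
                for inner, inner_reasons in scan_zip(data, depth + 1).items():
                    findings[f'{info.filename}/{inner}'] = inner_reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a clean text file, an exe, a renamed exe,
    and a nested zip carrying another exe. Contents are dummy bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as zf:
        zf.writestr('payload.exe', PE_MAGIC + b'\x00' * 62)

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as zf:
        zf.writestr('readme.txt', b'plain text, nothing to see')
        zf.writestr('invoice.exe', PE_MAGIC + b'\x00' * 62)
        zf.writestr('notes.txt', PE_MAGIC + b'\x00' * 62)   # executable with a harmless name
        zf.writestr('bundle.zip', inner.getvalue())
    return outer.getvalue()


if __name__ == '__main__':
    for member, reasons in sorted(scan_zip(build_sample_zip()).items()):
        print(f'{member}: banned by {", ".join(reasons)}')
```

The point of running both checks is visible in the sample: invoice.exe is caught by name and content, notes.txt only by content, and payload.exe only because the scanner descended into bundle.zip. A filter that stops at the outer archive's name, or whose decoder silently fails on a member, reports nothing, which matches the "no warnings or errors" symptom described in the post.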