Executables within docx files?

Alex via amavis-users amavis-users at amavis.org
Tue Nov 5 02:16:37 CET 2013


Hi,

I'm sorry to resurrect a month-old thread, but I'm still having a
problem and it hasn't yet been fixed upstream.

If you recall this thread, the problem is with 'file' misidentifying
docx files with [trash]/0001.dat files in them as ARCHIVES,
potentially resulting in them being tagged as a virus.

On Fri, Sep 6, 2013 at 9:34 AM, Patrik Båt <pb at osix.eu> wrote:
> On fre  6 sep 2013 01:35:30, Alex wrote:
>> Hi,
>>
>>>> Running latest file, will not return ARCHIVE and amavis will not
>>>> extract it and .dat or .dat (catch-all) will not trigger, so update
>>>> file and your magics.
>>>>
>>>> That's how I solved it.
>>>>
>>>> eg:
>>>> file ./test1.docx
>>>> ./test1.docx: Microsoft Word 2007+
>>>
>>> Can you confirm what version that's working for you? I'd like to be
>>> able to grab the one from fc19 if possible.
>>
>> Turns out fc19 doesn't work properly.
>>
>> I updated the fc19 RPM with the 5.14 source, and it also fails.
>>
>> It would be great if you could confirm which version is working for
>> you, and if you could identify the magic pattern that's used so I can
>> reference it on my system.
>>
>> Thanks!
>> Alex
>
> I'm using file from debian sid repo.

This hasn't yet been fixed in file proper. Can you either forward me
your magic files or have any idea how I can get this fixed with
fedora?

I tried writing an exclusion in amavisd:

  [ qr'^\[trash\]/[0-9a-f]{4}\.dat$'       => 0 ],  # allow any in Unix-type archives

but apparently it doesn't work, because another docx file was tagged.

Any ideas greatly appreciated.
Thanks,
Alex
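
Added example, not part of the original message and not amavisd or file code: a triage helper that classifies an Office package from its full ZIP member list, so a leading [trash]/0001.dat entry does not change the result, and reports which members the exclusion pattern quoted above matches. The sample document is constructed in memory; the main-part paths and the function names are assumptions made for this illustration.

```python
import io
import re
import zipfile

# Exclusion pattern quoted in the message above (same syntax in Perl and Python).
TRASH_RE = re.compile(r'^\[trash\]/[0-9a-f]{4}\.dat$')

# Assumption: conventional main-part paths of Word, Excel and PowerPoint packages.
MAIN_PARTS = {
    'word/document.xml': 'Microsoft Word 2007+',
    'xl/workbook.xml': 'Microsoft Excel 2007+',
    'ppt/presentation.xml': 'Microsoft PowerPoint 2007+',
}

def build_sample_docx(trash_first=True):
    """Constructed sample: a minimal docx-like ZIP, optionally led by [trash]/0001.dat."""
    members = [
        ('[Content_Types].xml', b'<Types/>'),
        ('_rels/.rels', b'<Relationships/>'),
        ('word/document.xml', b'<w:document/>'),
    ]
    if trash_first:
        members.insert(0, ('[trash]/0001.dat', b'\x00' * 16))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()

def classify(data):
    """Return (label, trash_members, other_members) based on the ZIP member list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    label = 'Zip archive data'  # fallback when no Office main part is present
    if '[Content_Types].xml' in names:
        for part, kind in MAIN_PARTS.items():
            if part in names:
                label = kind
    trash = [n for n in names if TRASH_RE.match(n)]
    other = [n for n in names if not TRASH_RE.match(n)]
    return label, trash, other

if __name__ == '__main__':
    label, trash, other = classify(build_sample_docx())
    print(label)
    print('matched by exclusion pattern:', trash)
    print('not matched:', other)
```
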

