Executables within docx files?

Alex via amavis-users amavis-users at amavis.org
Tue Nov 5 02:16:37 CET 2013


I'm sorry to resurrect a month-old thread, but I'm still having a
problem and it hasn't yet been fixed upstream.

If you recall this thread, the problem is with 'file' misidentifying
docx files with [trash]/0001.dat files in them as ARCHIVES,
potentially resulting in them being tagged as a virus.

On Fri, Sep 6, 2013 at 9:34 AM, Patrik Båt <pb at osix.eu> wrote:
> On fre  6 sep 2013 01:35:30, Alex wrote:
>> Hi,
>>>> Running latest file, will not return ARCHIVE and amavis will not
>>>> extract it and .dat or .dat (catch-all) will not trigger, so update
>>>> file and your magics.
>>>> That's how I solved it.
>>>> eg:
>>>> file ./test1.docx
>>>> ./test1.docx: Microsoft Word 2007+
>>> Can you confirm what version that's working for you? I'd like to be
>>> able to grab the one from fc19 if possible.
>> Turns out fc19 doesn't work properly.
>> I updated the fc19 RPM with the 5.14 source, and it also fails.
>> It would be great if you could confirm which version is working for
>> you, and if you could identify the magic pattern that's used so I can
>> reference it on my system.
>> Thanks!
>> Alex
> I'm using file from the Debian sid repo.

This hasn't yet been fixed in file proper. Can you either forward me
your magic files or have any idea how I can get this fixed with

I tried writing an exclusion in amavisd:

  [ qr'^\[trash\]/[0-9a-f]{4}\.dat$'       => 0 ],  # allow any in Unix-type archives

but apparently it doesn't work, because another docx file was tagged.

Any ideas greatly appreciated.
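
An added example, not part of the original post and not amavisd code: a small Python check that confirms a flagged attachment is a docx-shaped ZIP and reports which `[trash]/` members the exclusion pattern quoted above covers. The function names, the sample archive and the assumption that the main part sits at `word/document.xml` are illustrative.

```python
import io
import re
import zipfile

# Exclusion pattern quoted in the post, unchanged.
TRASH_RE = re.compile(r'^\[trash\]/[0-9a-f]{4}\.dat$')
# Assumption: the main part sits at its conventional path word/document.xml.
DOCX_PARTS = {"[Content_Types].xml", "word/document.xml"}


def inspect_docx(data):
    """Classify the members of an attachment given as raw bytes.

    Returns a dict with:
      is_docx   - True if the ZIP carries the expected OOXML parts
      covered   - [trash]/ members the pattern matches
      uncovered - [trash]/ members the pattern does not match
    """
    result = {"is_docx": False, "covered": [], "uncovered": []}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
    result["is_docx"] = DOCX_PARTS.issubset(names)
    for name in names:
        if not name.startswith("[trash]/"):
            continue
        key = "covered" if TRASH_RE.match(name) else "uncovered"
        result[key].append(name)
    return result


def build_sample():
    """Constructed sample: a minimal docx-shaped ZIP with two [trash] entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("[trash]/0001.dat", b"\x00" * 16)
        zf.writestr("[trash]/000A.dat", b"\x00" * 16)  # constructed, uppercase hex
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_sample()))
```

Running it over a quarantined attachment's bytes shows the member names exactly as stored in the archive, which is the string form a filename pattern has to match.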
