Fwd: zip file with pif executable not detected

Eugenio De Vena edevena at gsy.it
Mon Sep 1 18:30:47 CEST 2014

It seems that recent trojans come with a 'zip encoding' format that is
not detected as a compressed file by Amavis. Since it is not detected as
compressed, no depacking is done and no file is banned, so the executable
can get through. The Unix "file" command reports it as a "dat" file, so:

Sep  1 11:58:02 fwlinux2 amavis[17845]: (17845-18) check_for_banned
(p003,p002) multipart/mixed | application/zip,.dat,Ordine.doc.zip
Sep  1 11:58:02 fwlinux2 amavis[17845]: (17845-18) doing banned check
for edevena at gsy.it on multipart/mixed | application/zip,.dat,Ordine.doc.zip
Sep  1 11:58:02 fwlinux2 amavis[17845]: (17845-18)
lookup_re(["multipart/mixed","application/zip",".dat","Ordine.doc.zip"]), no
matches

while if the same EXE is zipped by hand with (e.g.) Winrar

Sep  1 11:27:19 fwlinux2 amavis[17833]: (17833-05) check_for_banned
(p003,p002,p004) multipart/mixed | application/zip,.zip,Nuovo WinRAR ZIP
archive.zip | .exe,.exe-ms,Ordine.doc.pif
Sep  1 11:27:19 fwlinux2 amavis[17833]: (17833-05) doing banned check
for edevena at gsy.it on multipart/mixed | application/zip,.zip,Nuovo
WinRAR ZIP archive.zip | .exe,.exe-ms,Ordine.doc.pif
Sep  1 11:27:19 fwlinux2 amavis[17833]: (17833-05)
lookup_re(["multipart/mixed","application/zip",".zip","Nuovo WinRAR ZIP
archive.zip",".exe",".exe-ms","Ordine.doc.pif"]) matches key
"(?-xism:^.(exe-ms|dll|pif)$)", result="1"


So what is needed is for amavis to "recognize" the attachment as a
"compressed file" not just by the "file" command but also by extension
(.zip), or for the "file" command to recognize that file as "zip".

Any ideas?
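The post shows the gap: amavis unpacks only what libmagic/`file` calls an archive, so a ZIP whose first bytes do not carry the expected magic is left unopened and its .pif member never reaches the banned-name check. Below is an added example, not code from the post or from the amavis project, that identifies a ZIP by its own end-of-central-directory record instead of by the magic at offset 0, lists the member names, and applies a banned-extension pattern modelled on the `^\.(exe-ms|dll|pif)$` key from the log above. The sample archive (a ZIP containing "Ordine.doc.pif", with junk bytes prepended so a magic check at offset 0 fails) is constructed inline; the function names, the junk prefix and the payload bytes are assumptions for this illustration.

```python
"""
Added example (not from the amavis-users post or the amavis project):
identify a ZIP archive by its own structure rather than by the libmagic
/ `file` signature, and list member names so a banned-extension policy
can be applied to the contents even when `file` calls the blob "data".
"""
import io
import re
import struct
import zipfile

# Banned-name pattern modelled on the key shown in the post's log line.
BANNED_EXT_RE = re.compile(r"^\.(exe-ms|dll|pif)$", re.IGNORECASE)

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature (what magic-at-0 checks see)


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed sample: a ZIP with one .pif member and an optional junk prefix
    (assumption: the prefix models whatever stops `file` from saying 'Zip')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Ordine.doc.pif", b"MZ" + b"\x00" * 64)  # constructed dummy payload
    return prefix + buf.getvalue()


def looks_like_zip(data: bytes) -> bool:
    """True if the blob ends with a valid ZIP end-of-central-directory record,
    regardless of what the first bytes look like."""
    # EOCD is 22 bytes; a trailing comment may push it up to 65535 bytes earlier.
    tail = data[-(22 + 65535):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0 or len(tail) - idx < 22:
        return False
    comment_len = struct.unpack("<H", tail[idx + 20:idx + 22])[0]
    # The record is genuine only if its comment length reaches exactly to the end.
    return idx + 22 + comment_len == len(tail)


def zip_member_names(data: bytes) -> list[str]:
    """List member names. The zipfile module locates the EOCD from the end and
    tolerates prepended data (the same property self-extracting archives rely on)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def banned_members(data: bytes) -> list[str]:
    """Return member names whose final extension matches the banned pattern."""
    hits = []
    for name in zip_member_names(data):
        ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
        if BANNED_EXT_RE.match(ext):
            hits.append(name)
    return hits


def classify(data: bytes) -> dict:
    """Compare a magic-at-offset-0 check with the structural check, and report
    banned members found once the archive is recognised structurally."""
    structural = looks_like_zip(data)
    return {
        "magic_at_offset_0": data.startswith(LFH_SIG),
        "structural_zip": structural,
        "banned": banned_members(data) if structural else [],
    }


if __name__ == "__main__":
    for label, blob in (("clean zip", build_sample()),
                        ("junk-prefixed zip", build_sample(b"\x00" * 128))):
        print(label, classify(blob))
```

Running it shows the difference the post is about: the clean archive passes both checks, while the junk-prefixed one fails the offset-0 magic check yet is still recognised structurally and still yields "Ordine.doc.pif" as a banned member. A mail filter that keys the unpack decision on the structural check (or, as the post suggests, on the declared .zip extension) would reach the inner name instead of stopping at "dat".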