Zip file bypassing scan

Brendan Zerr brendanz at cpdist.ca
Thu Apr 23 22:24:19 CEST 2015


Hello,

This morning our mailserver (Postfix+Amavis) had a virus pass through to
our users. The file was an .exe file within a .zip file. The server is
configured to block .exe files with $banned_filename_re, but this one
slipped by. After setting $log_level to 5, it seems that the ZIP file
was never decoded by amavis, but allowed to pass unscanned. ClamAV
missed the virus as well, but it should have never made it to that point
anyway. The strangest thing is, if I extract the .exe file and place it
into a "new" zip file, that zip file is correctly identified as
containing an .exe, and blocked by the server.

I've gone so far as to override the default zip decoding, using 7zip:

    # replace the default zip decoder with 7-Zip (tries the 7z, then 7za binary)
    @decoders = (
        ['zip', \&do_7zip, ['7z', '7za'] ]
    );

and the same behaviour is exhibited.

Versions:
Ubuntu 10.04
amavisd-new-2.6.4

I realize this version is quite out of date, and that may be the
ultimate cause of the issue (working on testing this theory), but in
case it isn't I wanted to let someone know.

I've made available the original and "new" zip files on Dropbox:
== THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
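Added example, not from the original post and not amavisd's own decoder: a fail-closed attachment check in Python that reads member names both from the central directory (the way a normal decoder does) and by walking the local file header signatures in the raw bytes, so that an archive the normal decoder refuses is still inspected for banned names and is blocked, not passed, when it cannot be fully decoded. The banned-name regex, the sample archives and the helper names are assumptions for illustration; the example does not explain why the poster's particular archive went undecoded.

```python
import io
import re
import struct
import zipfile

# Assumed banned-name pattern, in the spirit of amavisd's $banned_filename_re;
# the poster's actual regex is not shown, so this is an illustration.
BANNED_RE = re.compile(r'\.(exe|com|scr|pif|bat|cmd)$', re.IGNORECASE)

LOCAL_SIG = b'PK\x03\x04'
# Local file header: sig, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct('<4sHHHHHIIIHH')


def names_from_central_directory(data):
    """Member names as a normal decoder sees them: read from the central
    directory via the zipfile module. Raises on anything it cannot parse."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def names_from_local_headers(data):
    """Member names recovered by walking local file header signatures in the
    raw bytes. This does not depend on the central directory, so a damaged
    or missing end-of-central-directory record does not stop the walk."""
    names = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HDR.size <= len(data):
        fields = LOCAL_HDR.unpack_from(data, pos)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        start = pos + LOCAL_HDR.size
        encoding = 'utf-8' if flags & 0x800 else 'cp437'
        names.append(data[start:start + name_len].decode(encoding, 'replace'))
        # Skip the member data when its size is in the header; with a data
        # descriptor (flag bit 3) the size is unknown, so just scan onward.
        skip = 0 if flags & 0x8 else csize
        pos = data.find(LOCAL_SIG, start + name_len + extra_len + skip)
    return names


def verdict(data):
    """Fail-closed decision for one attachment.
    Returns ('banned', name), ('undecipherable', reason) or ('clean', None).
    An archive that cannot be fully decoded is blocked, never passed."""
    try:
        central = names_from_central_directory(data)
        reason = None
    except Exception as exc:  # any decode failure counts: fail closed
        central, reason = None, 'central directory unreadable: %s' % exc
    local = names_from_local_headers(data)
    for name in (central or []) + local:
        if BANNED_RE.search(name):
            return ('banned', name)
    if central is None:
        return ('undecipherable', reason)
    if set(local) - set(central):
        return ('undecipherable', 'local headers name members absent from central directory')
    return ('clean', None)


def make_zip(members):
    """Build a small archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an archive carrying an .exe, a clean one, and the
# first archive with its end-of-central-directory signature clobbered so the
# zipfile module refuses it while the local headers remain intact.
SAMPLE_BANNED = make_zip([('report.txt', b'quarterly figures'),
                          ('invoice.exe', b'MZ' + b'\x90' * 64)])
SAMPLE_CLEAN = make_zip([('readme.txt', b'nothing to see here')])
SAMPLE_BROKEN_EOCD = SAMPLE_BANNED.replace(b'PK\x05\x06', b'XXXX')

if __name__ == '__main__':
    for label, blob in [('banned', SAMPLE_BANNED), ('clean', SAMPLE_CLEAN),
                        ('broken eocd', SAMPLE_BROKEN_EOCD), ('garbage', b'not a zip')]:
        print('%-12s -> %s' % (label, verdict(blob)))
```

The point of the second name source is that a gateway should not trust a single decoder's view of an archive: if the central directory is unreadable, or the local headers name members the central directory does not list, the attachment is reported as undecipherable and held rather than delivered unscanned.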