Zip file bypassing scan

Thomas Spuhler thomas.spuhler at btspuhler.com
Fri Apr 24 00:08:18 CEST 2015


On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> Hello,
> 
> This morning our mailserver (Postfix+Amavis) had a virus pass through to
> our users. The file was an .exe file within a .zip file. The server is
> configured to block .exe files with $banned_filename_re, but this one
> slipped by. After setting $log_level to 5, it seems that the ZIP file
> was never decoded by amavis, but allowed to pass unscanned. ClamAV
> missed the virus as well, but it should have never made it to that point
> anyway. The strangest thing is, if I extract the .exe file and place it
> into a "new" zip file, that zip file is correctly identified as
> containing an .exe, and blocked by the server.
> 
> I've gone so far as to override the default zip decoding, using 7zip:
> 
>     @decoders = (
>         ['zip', \&do_7zip, ['7z', '7za'] ]
>     );
> 
> and the same behaviour is exhibited.
> 
> Versions:
> Ubuntu 10.04
> amavisd-new-2.6.4
> 
> I realize this version is quite out of date, and that may be the
> ultimate cause of the issue (working on testing this theory), but in
> case it isn't I wanted to let someone know.
> 
> I've made available the original and "new" zip files on Dropbox:
> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
> Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip

The exe file is detected here.
I downloaded your Original.zip from Dropbox and attached it to an e-mail I sent to myself.
See the attachment for what happened.
Of course, it didn't find the virus since the exe file was blocked before it got to the virus scanner.

-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
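The behaviour Brendan describes (a banned-filename rule that should fire on an .exe inside a ZIP, and a decoder that gives up on the archive and lets the mail through unscanned) can be reproduced outside amavis. The Python script below is an added example written for this page; it is not amavis code or either poster's configuration. It opens a ZIP attachment from memory, applies a banned-name pattern (the pattern itself is an assumption standing in for $banned_filename_re), and goes beyond the thread in two ways: it also checks each member's first bytes for the MZ executable header so a renamed .exe is caught, and it treats any archive or member it cannot decode (truncated, mismatched header, encrypted) as a quarantine verdict rather than a pass. Nested ZIPs are followed to a fixed depth. All sample archives are constructed in the script.

```python
import io
import re
import zipfile

# Extensions treated as banned (assumption: a typical admin-written list,
# not amavis' own default $banned_filename_re).
BANNED_NAME_RE = re.compile(r'\.(exe|com|scr|pif|bat|cmd|vbs|js)$', re.IGNORECASE)
MZ_MAGIC = b'MZ'                      # DOS/PE executable header
MAX_DEPTH = 3                         # how deep to follow zip-in-zip nesting
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger


def build_zip(members):
    """Construct an in-memory ZIP from a {name: bytes} dict (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_zip_bytes(data, depth=0):
    """Inspect a ZIP held in memory.

    Returns (verdict, reasons). verdict is 'block' (banned content found),
    'quarantine' (archive could not be fully decoded, so we fail closed)
    or 'pass'. reasons is a list of (kind, message) tuples.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # A decoder that gives up here must not let the mail through unscanned.
        return 'quarantine', [('quarantine', 'undecodable archive: %s' % exc)]

    for info in zf.infolist():
        name = info.filename
        if name.endswith('/'):
            continue  # directory entry, nothing to inspect
        if BANNED_NAME_RE.search(name):
            reasons.append(('block', 'banned name: %s' % name))
        if info.file_size > MAX_MEMBER_BYTES:
            reasons.append(('quarantine', 'member too large to inspect: %s' % name))
            continue
        try:
            content = zf.read(info)  # full read checks CRC and local header
        except Exception as exc:      # BadZipFile, zlib.error, encrypted member
            reasons.append(('quarantine', 'unreadable member %s: %s' % (name, exc)))
            continue
        if content[:2] == MZ_MAGIC:
            reasons.append(('block', 'executable by magic bytes: %s' % name))
        if name.lower().endswith('.zip') and depth < MAX_DEPTH:
            _, inner = scan_zip_bytes(content, depth + 1)
            reasons.extend((kind, '%s > %s' % (name, msg)) for kind, msg in inner)

    if any(kind == 'block' for kind, _ in reasons):
        return 'block', reasons
    if reasons:
        return 'quarantine', reasons
    return 'pass', reasons


if __name__ == '__main__':
    fake_exe = MZ_MAGIC + b'\0' * 64   # constructed stand-in for a PE file
    samples = {
        'clean': build_zip({'readme.txt': b'hello'}),
        'exe inside': build_zip({'invoice.exe': fake_exe}),
        'renamed exe': build_zip({'report.pdf': fake_exe}),
        'nested': build_zip({'inner.zip': build_zip({'payload.exe': fake_exe})}),
    }
    samples['truncated'] = samples['clean'][:len(samples['clean']) // 2]
    for label, blob in samples.items():
        verdict, reasons = scan_zip_bytes(blob)
        print('%-12s %-10s %s' % (label, verdict, '; '.join(m for _, m in reasons)))
```

The point of the 'quarantine' verdict is the gap the thread describes: when the unpacker cannot decode an attachment, the safe default is to hold the message, not to forward it as if the archive were clean.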
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Original.pdf
Type: application/pdf
Size: 15383 bytes
Desc: not available
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20150423/597a7aef/attachment.pdf>