Zip file bypassing scan

Thomas Spuhler thomas.spuhler at
Fri Apr 24 00:08:18 CEST 2015

On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> Hello,
> This morning our mailserver (Postfix+Amavis) had a virus pass through to
> our users. The file was an .exe file within a .zip file. The server is
> configured to block .exe files with $banned_filename_re, but this one
> slipped by. After setting $log_level to 5, it seems that the ZIP file
> was never decoded by amavis, but allowed to pass unscanned. ClamAV
> missed the virus as well, but it should have never made it to that point
> anyway. The strangest thing is, if I extract the .exe file and place it
> into a "new" zip file, that zip file is correctly identified as
> containing an .exe, and blocked by the server.
> I've gone so far as to override the default zip decoding, using 7zip:
>     @decoders = (
>         ['zip', \&do_7zip, ['7z', '7za'] ]
>     );
> and the same behaviour is exhibited.
> Versions:
> Ubuntu 10.04
> amavisd-new-2.6.4
> I realize this version is quite out of date, and that may be the
> ultimate cause of the issue (working on testing this theory), but in
> case it isn't I wanted to let someone know.
> I've made available the original and "new" zip files on Dropbox:
> Original:
> New:

The exe file is detected here.
I downloaded yours from the Dropbox and attached it to an e-mail I sent to myself.
See the attachment for what happened.
Of course, it didn't find the virus since the exe file was blocked before it got to the virus scanner.

Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Original.pdf
Type: application/pdf
Size: 15383 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <>
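
The failure reported in this thread is an archive that was never decoded yet passed as if it were clean. As an added example (not amavisd-new code and not from either poster), this stand-alone Python check reads member names two ways and fails closed when the archive cannot be opened. The regex, function names and sample archives are constructed assumptions; the thread does not establish why the original ZIP was not decoded.

```python
import io
import re
import struct
import zipfile

# Constructed stand-in for a $banned_filename_re style rule (assumption).
BANNED_NAME_RE = re.compile(r"\.(exe|scr|com|pif|bat)$", re.IGNORECASE)
LOCAL_HEADER_SIG = b"PK\x03\x04"


def central_directory_names(data):
    """Member names as an unzip library sees them, or None if it cannot decode."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, NotImplementedError, ValueError):
        return None


def local_header_names(data):
    """Member names read from local file headers, ignoring the central directory."""
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Name length and extra-field length sit at offset 26 of the 30-byte header.
        name_len, _extra_len = struct.unpack_from("<HH", data, pos + 26)
        raw = data[pos + 30 : pos + 30 + name_len]
        names.append(raw.decode("utf-8", errors="replace"))
        pos = data.find(LOCAL_HEADER_SIG, pos + 4)
    return names


def audit_zip(data):
    """Return 'BANNED', 'UNDECODABLE' or 'CLEAN' for one attachment."""
    decoded = central_directory_names(data)
    seen = set(decoded or []) | set(local_header_names(data))
    if any(BANNED_NAME_RE.search(name) for name in seen):
        return "BANNED"
    # Fail closed: an archive the decoder could not open is not "clean".
    return "UNDECODABLE" if decoded is None else "CLEAN"


def make_zip(member_name):
    """Constructed sample archive holding one small member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed sample content")
    return buf.getvalue()
```

An `UNDECODABLE` verdict is meant to be routed to quarantine or rejection rather than delivery, which is the behaviour the original report found missing.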

More information about the amavis-users mailing list