exe not banned in zip file

William Bernard - Hanlees Dealership Group william.bernard at hanlees.net
Mon Jun 8 23:10:22 CEST 2015


I recently came across a zip file attachment containing a malware exe that is not being banned by amavis. 
The amavis configuration allows for zip but not exe files. 

If amavis is configured to ban zip files, amavis does recognize the file as zip and bans it. 

If the exe is unzipped first then sent, amavis does recognize the file as exe and bans it. 

I checked and amavis is using the internal decoder for .zip files, which is able to manually unarchive the file. 
I also tried to set the decoder to use 7z for zip, but the exe was still not banned. 

Oddly, the maillog shows no warnings or errors. All other zip files containing exe's are properly banned.

This is using amavisd-new-2.6.6 running on Ubuntu 10.04.4 LTS x64. 

The malware contained in the zip is dyreza; more info about the file can be found here.


