Zip file bypassing scan

Thomas Spuhler thomas.spuhler at btspuhler.com
Wed May 27 23:22:49 CEST 2015


On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:
> Hi,
> 
> Today I found the same behaviour with following zip file.
> At $log_level=5 I see that amavis sees the content of the zip archive
> (Docs-5280.exe) but did not block it.
> If I extract the Docs-5280.exe file and place it into another zip file,
> that zip file is correctly identified as
> containing an .exe, and rejected by the server.
> 
> Can anyone make a test from your side?
> 
> I have CentOS 6 with amavisd-new-2.8.0
> 
> == THE CONTAINED EXE FILE CONTAINS TROJAN ==
> Original file: https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0
> 
> Thank you.
> 
> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuhler at btspuhler.com>:
> > On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> > > Hello,
> > > 
> > > This morning our mailserver (Postfix+Amavis) had a virus pass through to
> > > our users. The file was an .exe file within a .zip file. The server is
> > > configured to block .exe files with $banned_filename_re, but this one
> > > slipped by. After setting $log_level to 5, it seems that the ZIP file
> > > was never decoded by amavis, but allowed to pass unscanned. ClamAV
> > > missed the virus as well, but it should have never made it to that point
> > > anyway. The strangest thing is, if I extract the .exe file and place it
> > > into a "new" zip file, that zip file is correctly identified as
> > > containing an .exe, and blocked by the server.
> > > 
> > > I've gone so far as to override the default zip decoding, using 7zip:
> > >     @decoders = (
> > >         ['zip', \&do_7zip, ['7z', '7za'] ],
> > >     );
> > > 
> > > and the same behaviour is exhibited.
> > > 
> > > Versions:
> > > Ubuntu 10.04
> > > amavisd-new-2.6.4
> > > 
> > > I realize this version is quite out of date, and that may be the
> > > ultimate cause of the issue (working on testing this theory), but in
> > > case it isn't I wanted to let someone know.
> > > 
> > > I've made available the original and "new" zip files on Dropbox:
> > > == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
> > > Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> > > New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
> > 
> > The exe file is detected here.
> > I downloaded your Original.zip from the dropbox and attached it to an
> > e-mail I sent to myself.
> > See the attachment what happened.
> > Of course, it didn't find the virus since the exe file was blocked before
> > it got to the virus scanner.
> > 
> > --
> > Best regards
> > Thomas Spuhler
> > 
> > All of my e-mails have a valid digital signature
> > ID 60114E63

Konstantin:
I downloaded the zip file from your link, attached it to an e-mail to my wife's e-mail address (same
server as mine), and the e-mail didn't get delivered. I got a message (as admin) that it was
rejected.
See the details of the message in the attachment. Do you really have an unzip program installed?
I am using p7zip-9.20.1 for it, and for .exe /usr/bin/lha.
 

-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ZIP_Exe.pdf
Type: application/pdf
Size: 24946 bytes
Desc: not available
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20150527/5d08ce6f/attachment.pdf>
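The thread above shows an archive whose .exe member is only caught once it is re-zipped, so a second look at the archive with a tool that does not trust a single view of it is a useful defender's check. The following is an added example, not amavis or p7zip code: it lists members from the central directory and, independently, from the local file headers, then applies a banned-name pattern in the spirit of $banned_filename_re; the sample archive, the pattern and the extra local-header entry are all constructed here, and nothing in the thread establishes that this is what the reported file does.

```python
import io
import re
import struct
import zipfile

# Constructed pattern in the spirit of an amavisd-new $banned_filename_re
# entry for Windows executables; not copied from any real configuration.
BANNED_NAME_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs)$", re.IGNORECASE)

LOCAL_HEADER_SIG = b"PK\x03\x04"


def members_from_central_directory(data):
    """Member names as the central directory reports them (the usual view)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def members_from_local_headers(data):
    """Member names found by walking local file headers directly, so an
    entry the central directory does not list is still reported."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len


def banned_members(data):
    """Union of both views filtered to banned names; non-empty means reject."""
    seen = members_from_central_directory(data) + members_from_local_headers(data)
    return sorted({n for n in seen if BANNED_NAME_RE.search(n)})


def build_sample_zip():
    """Constructed sample: the central directory lists only a text file, while
    a second local header (appended by hand, with no directory record) carries
    an .exe member name. The payload is a placeholder, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "see attached")
    name = b"Docs-5280.exe"
    payload = b"MZ placeholder bytes"
    fields = struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0,
                         len(payload), len(payload), len(name), 0)
    return buf.getvalue() + LOCAL_HEADER_SIG + fields + name + payload
```

Run `banned_members(build_sample_zip())` to see the .exe that the central-directory view alone misses; on the sample it returns `['Docs-5280.exe']`.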