Zip file bypassing scan

Konstantin myownletters at gmail.com
Wed May 27 22:13:25 CEST 2015


Hi,

Today I found the same behaviour with the following zip file.
With $log_level=5 I see that amavis sees the content of the zip archive
(Docs-5280.exe) but did not block it.
If I extract the Docs-5280.exe file and place it into another zip file,
that zip file is correctly identified as
containing an .exe, and rejected by the server.

Can anyone make a test from your side?

I have CentOS 6 with amavisd-new-2.8.0

== THE CONTAINED EXE FILE CONTAINS TROJAN ==
Original file: https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0

Thank you.

2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuhler at btspuhler.com>:

> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> > Hello,
> >
> > This morning our mailserver (Postfix+Amavis) had a virus pass through to
> > our users. The file was an .exe file within a .zip file. The server is
> > configured to block .exe files with $banned_filename_re, but this one
> > slipped by. After setting $log_level to 5, it seems that the ZIP file
> > was never decoded by amavis, but allowed to pass unscanned. ClamAV
> > missed the virus as well, but it should have never made it to that point
> > anyway. The strangest thing is, if I extract the .exe file and place it
> > into a "new" zip file, that zip file is correctly identified as
> > containing an .exe, and blocked by the server.
> >
> > I've gone so far as to override the default zip decoding, using 7zip:
> >
> >     @decoders = (
> >         ['zip', \&do_7zip, ['7z', '7za'] ]
> >     );
> >
> > and the same behaviour is exhibited.
> >
> > Versions:
> > Ubuntu 10.04
> > amavisd-new-2.6.4
> >
> > I realize this version is quite out of date, and that may be the
> > ultimate cause of the issue (working on testing this theory), but in
> > case it isn't I wanted to let someone know.
> >
> > I've made available the original and "new" zip files on Dropbox:
> > == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
> > Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> > New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
>
> The exe file is detected here.
> I downloaded your Original.zip from the dropbox and attached it to an
> e-mail I sent to myself.
> See the attachment for what happened.
> Of course, it didn't find the virus since the exe file was blocked before
> it got to the virus scanner
>
> --
> Best regards
> Thomas Spuhler
>
> All of my e-mails have a valid digital signature
> ID 60114E63

-- 
*This message was delivered using 100% recycled electrons*.
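For anyone who wants to check a suspect archive outside of amavis, the following is an added stand-alone example (not amavis code and not from the thread): it lists an archive's member names twice, once from the central directory and once by walking the local file headers, and applies a simplified banned-extension pattern (assumed, in the spirit of $banned_filename_re) to the union. The sample archive, the Docs-5280.exe member name and its harmless payload are constructed for the example.

```python
import io
import re
import struct
import zipfile

# Simplified stand-in for amavisd-new's $banned_filename_re (assumed pattern).
BANNED_RE = re.compile(r'\.(exe|scr|com|pif|bat|cmd)$', re.IGNORECASE)

LOCAL_SIG = b'PK\x03\x04'  # local file header signature


def names_from_central_directory(data: bytes) -> list[str]:
    """Member names as the central directory lists them (what unzip/zipfile use)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def names_from_local_headers(data: bytes) -> list[str]:
    """Member names from every local file header found by scanning for its signature.
    A lenient extractor may follow these even when the central directory disagrees."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        # Fixed 30-byte header; name length and extra length sit at offset 26.
        name_len, extra_len = struct.unpack_from('<HH', data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode('utf-8', 'replace'))
        pos += 30 + name_len + extra_len


def banned_members(data: bytes) -> set[str]:
    """Banned names seen in either listing; the two listings disagreeing is itself a red flag."""
    seen = set(names_from_central_directory(data)) | set(names_from_local_headers(data))
    return {name for name in seen if BANNED_RE.search(name)}


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless text payload under an .exe name, plus an innocuous file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('Docs-5280.exe', b'constructed placeholder, not an executable')
        zf.writestr('readme.txt', b'hello')
    return buf.getvalue()


if __name__ == '__main__':
    sample = build_sample_zip()
    print('central directory:', names_from_central_directory(sample))
    print('local headers:    ', names_from_local_headers(sample))
    print('banned members:   ', banned_members(sample))
```

To inspect a real attachment, read its bytes and pass them to banned_members(); a name that appears in only one of the two listings deserves a closer look.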