Zip file bypassing scan
a.helwig at heinlein-support.de
Thu May 28 11:44:58 CEST 2015
Update your "file" package to the latest version.
Could be that your file does not detect .zip as a zip file and didn't
unpack the zip.
Simply check the result of "file $filename.zip" to see if the result is "Zip archive".
On 05/27/2015 11:22 PM, Thomas Spuhler wrote:
> On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:
>> Today I found the same behaviour with following zip file.
>> At $log_level=5 I see that amavis sees the content of the zip archive
>> (Docs-5280.exe) but does not block it.
>> If I extract the Docs-5280.exe file and place it into another zip file,
>> that zip file is correctly identified as
>> containing an .exe, and rejected by the server.
>> Can anyone make a test from your side?
>> I have CentOS 6 with amavisd-new-2.8.0
>> == THE CONTAINED EXE FILE CONTAINS TROJAN ==
>> Original file: https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0
>> Thank you.
>> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuhler at btspuhler.com>:
>>> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
>>>> This morning our mailserver (Postfix+Amavis) had a virus pass
>>>> our users. The file was an .exe file within a .zip file. The server is
>>>> configured to block .exe files with $banned_filename_re, but this one
>>>> slipped by. After setting $log_level to 5, it seems that the ZIP file
>>>> was never decoded by amavis, but allowed to pass unscanned. ClamAV
>>>> missed the virus as well, but it should have never made it to that
>>>> anyway. The strangest thing is, if I extract the .exe file and place it
>>>> into a "new" zip file, that zip file is correctly identified as
>>>> containing an .exe, and blocked by the server.
>>>> I've gone so far as to override the default zip decoding, using 7zip:
>>>> # replace the built-in zip decoder with 7z (7za as fallback binary)
>>>> @decoders = (
>>>>   ['zip', \&do_7zip, ['7z', '7za'] ],
>>>> );
>>>> and the same behaviour is exhibited.
>>>> Ubuntu 10.04
>>>> I realize this version is quite out of date, and that may be the
>>>> ultimate cause of the issue (working on testing this theory), but in
>>>> case it isn't I wanted to let someone know.
>>>> I've made available the original and "new" zip files on Dropbox:
>>>> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
>>>> Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
>>>> New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
>>> The exe file is detected here.
>>> I downloaded your Original.zip from the dropbox and attached it to an
>>> e-mail I sent to myself.
>>> See the attachment what happened.
>>> Of course, it didn't find the virus since the exe file was blocked
>>> it go to the virus scanner
>>> Best regards
>>> Thomas Spuhler
>>> All of my e-mails have a valid digital signature
>>> ID 60114E63
> I downloaded the zip file from your link. Attached it to an e-mail to
> my wife's e-mail address (same server as mine) and the e-mail didn't
> get delivered. I got a message (as admin) that it was
> See the details of the message in the attachment. Do you really have
> an unzip program installed?
> I am using p7zip-9.20.1 for it, and for .exe /usr/bin/lha
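An added self-check in the spirit of the suggestion above (example code written for this thread, not part of amavisd-new): it compares a strict offset-0 magic sniff, standing in for a file(1)-style type check, against whether the archive actually unpacks, and lists members matching a simplified stand-in for $banned_filename_re. The samples are constructed; the leading-data case mirrors self-extracting archives, which the zip format permits and which a strict sniff does not recognise.

```python
import io
import re
import zipfile

# Simplified stand-in for amavis's $banned_filename_re (assumption:
# the site bans .exe members).
BANNED_RE = re.compile(r"\.exe$", re.IGNORECASE)


def sniff_is_zip(data: bytes) -> bool:
    """Strict offset-0 magic check, standing in for file(1)-style
    type detection; it does not see archives with leading data."""
    return data[:4] == b"PK\x03\x04"


def unpacks_as_zip(data: bytes) -> bool:
    """Whether a zip library would actually open it: zipfile locates the
    end-of-central-directory record from the end, so leading data is fine."""
    return zipfile.is_zipfile(io.BytesIO(data))


def banned_members(data: bytes) -> list:
    """Member names that the banned-name rule would reject, if the archive opens."""
    if not unpacks_as_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if BANNED_RE.search(name)]


def check(data: bytes) -> dict:
    sniffed = sniff_is_zip(data)
    unpacks = unpacks_as_zip(data)
    return {
        "sniffed_as_zip": sniffed,
        "unpacks_as_zip": unpacks,
        "banned_members": banned_members(data),
        # The thread's failure mode: the type sniff says "not a zip", so the
        # archive is never handed to a decoder, yet it still unpacks.
        "decoder_skipped": unpacks and not sniffed,
    }


def make_zip(member: str) -> bytes:
    """Constructed sample: a one-member zip with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real program")
    return buf.getvalue()


PLAIN = make_zip("Docs-5280.exe")                 # member name taken from the thread
WITH_STUB = b"#!/bin/sh\n# sfx stub\n" + PLAIN    # same archive with leading data
```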