Zip file bypassing scan

Konstantin myownletters at gmail.com
Thu May 28 19:54:23 CEST 2015


I have decoders installed. Previously all exe files in .zip were rejected.

Found decoder for    .zip  at /usr/bin/7za
Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/unarj
p7zip-9.20.1-2.el6.x86_64
lha-1.14i-19.2.2.el6.rf.x86_64

It seems that file-5.04-21.el6.x86_64 is the old one. But it is the latest
version available in the base repo:

# file invoice.zip
invoice.zip: data

On my ArchLinux desktop I have file-5.22-1:

$ file Downloads/invoice.zip
Downloads/invoice.zip: Zip archive data

I will look at how to update it on CentOS 6.

Thanks for the help.


2015-05-28 12:44 GMT+03:00 Andre Helwig <a.helwig at heinlein-support.de>:

>
> Update your "file" package to the latest version.
>
> It could be that your "file" does not detect .zip as a zip file and didn't
> unpack the zip.
>
> Simply check the result of "file $filename.zip": the result should be
> "Zip archive data".
>
> Cheers
>
> On 05/27/2015 11:22 PM, Thomas Spuhler wrote:
> > On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:
> >> Hi,
> >>
> >> Today I found the same behaviour with following zip file.
> >> At $log_level=5 I see that amavis sees the content of the zip archive
> >> (Docs-5280.exe) but did not block it.
> >> If I extract the Docs-5280.exe file and place it into another zip file,
> >> that zip file is correctly identified as
> >> containing an .exe, and rejected by the server.
> >>
> >> Can anyone make a test from your side?
> >>
> >> I have CentOS 6 with amavisd-new-2.8.0
> >>
> >> == THE CONTAINED EXE FILE CONTAINS TROJAN ==
> >> Original file: https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0
> >>
> >> Thank you.
> >>
> >> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuhler at btspuhler.com>:
> >>> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> >>>> Hello,
> >>>>
> >>>> This morning our mailserver (Postfix+Amavis) had a virus pass through to
> >>>> our users. The file was an .exe file within a .zip file. The server is
> >>>> configured to block .exe files with $banned_filename_re, but this one
> >>>> slipped by. After setting $log_level to 5, it seems that the ZIP file
> >>>> was never decoded by amavis, but allowed to pass unscanned. ClamAV
> >>>> missed the virus as well, but it should have never made it to that point
> >>>> anyway. The strangest thing is, if I extract the .exe file and place it
> >>>> into a "new" zip file, that zip file is correctly identified as
> >>>> containing an .exe, and blocked by the server.
> >>>>
> >>>> I've gone so far as to override the default zip decoding, using 7zip:
> >>>>
> >>>>     @decoders = (
> >>>>         ['zip', \&do_7zip, ['7z', '7za']],
> >>>>     );
> >>>>
> >>>> and the same behaviour is exhibited.
> >>>>
> >>>> Versions:
> >>>> Ubuntu 10.04
> >>>> amavisd-new-2.6.4
> >>>>
> >>>> I realize this version is quite out of date, and that may be the
> >>>> ultimate cause of the issue (working on testing this theory), but in
> >>>> case it isn't I wanted to let someone know.
> >>>>
> >>>> I've made available the original and "new" zip files on Dropbox:
> >>>> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
> >>>> Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> >>>> New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
> >>>
> >>> The exe file is detected here.
> >>> I downloaded your Original.zip from the dropbox and attached it to an
> >>> e-mail I sent to myself.
> >>> See the attachment for what happened.
> >>> Of course, it didn't find the virus since the exe file was blocked before
> >>> it got to the virus scanner.
> >>>
> >>> --
> >>> Best regards
> >>> Thomas Spuhler
> >>>
> >>> All of my e-mails have a valid digital signature
> >>> ID 60114E63
> >
> > Konstantin:
> > I downloaded the zip file from your link. Attached it to an e-mail to
> > my wife's e-mail address (same server as mine) and the e-mail didn't get
> > delivered. I got a message (as admin) that it was rejected.
> > See the details of the message in the attachment. Do you really have
> > an unzip program installed?
> > I am using p7zip-9.20.1 for it, and /usr/bin/lha for .exe.
> >
> >
-- 
*This message was delivered using 100% recycled electrons*.
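The thread's diagnosis is that an old "file" reports the archive as plain "data", so the decoder never runs. As an added example (not code from the thread, amavis or libmagic), this script checks a blob both ways: a header-only magic test, and a structural parse via the end-of-central-directory record, which is how unzip and 7za find an archive, then flags member names matching a banned pattern. The banned pattern and the sample archive (a harmless text file named Docs-5280.exe, optionally with junk bytes prepended) are assumptions constructed here.

```python
"""Check an attachment by a header-only magic test and by a structural ZIP
parse, then flag banned member names. Added example for the thread above, not
amavis code; the banned pattern and sample archive are constructed here."""
import io
import re
import zipfile

# Assumption: stands in for the $banned_filename_re used in the thread (.exe).
BANNED_NAME_RE = re.compile(r'\.exe$', re.IGNORECASE)

# ZIP local file header signature; a naive check expects it at offset 0.
ZIP_LOCAL_MAGIC = b'PK\x03\x04'


def looks_like_zip_by_magic(data: bytes) -> bool:
    """Header-only check: true only if the blob *starts* with a ZIP header."""
    return data[:4] == ZIP_LOCAL_MAGIC


def zip_members(data: bytes):
    """Structural check: zipfile locates the end-of-central-directory record
    from the tail, so an archive with junk prepended still opens (as it does
    for unzip and 7za). Returns None when the blob is not a ZIP at all."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def scan(data: bytes) -> dict:
    """Report what each check concludes and which members would be banned."""
    members = zip_members(data)
    names = members or []
    return {
        'magic_at_offset_0': looks_like_zip_by_magic(data),
        'parses_as_zip': members is not None,
        'members': names,
        'banned': [m for m in names if BANNED_NAME_RE.search(m)],
    }


def build_sample_zip(prefix: bytes = b'') -> bytes:
    """Constructed sample: a ZIP holding a harmless text file named like the
    one in the thread, optionally preceded by junk bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('Docs-5280.exe', b'harmless sample text, not an executable')
    return prefix + buf.getvalue()


if __name__ == '__main__':
    print(scan(build_sample_zip(b'X' * 64)))
```

A blob for which the magic test is false but the structural parse succeeds is exactly the case where a type-detection-driven decoder chain can skip an archive that unzip tools would happily open.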