This zip file passes the .exe banning why?
Alessandro Briosi
ab1 at metalit.com
Mon Apr 11 18:08:19 CEST 2016
On 11/04/2016 16:58, Thomas Jarosch wrote:
> Hi Alessandro,
>
> On Monday, 11. April 2016 16:38:15 Alessandro Briosi wrote:
>> > This is what is detected:
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p003 1 Content-Type:
>> > multipart/mixed
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p001 1/1 Content-Type:
>> > text/plain, size: 564 B, name:
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p002 1/2 Content-Type:
>> > application/zip, size: 59784 B, name: documento_
>> > fatturaaccompagnatoria_.pdf.zip
>> >
>> > which seems pretty correct to me
>> >
>> > No white listing I can guess of.
>> > If I unzip the file and rezip it, then send an identical mail the file
>> > is blocked.
> the problem here is that the .exe file is not unzipped correctly.
> I could reproduce the problem locally.
>
> We've received a similar sample virus six weeks ago and privately informed
> the perl Archive::Zip maintainer. He's currently looking into it.
>
> I'll keep you posted once there's an update on this.
Oh, thank you.
The odd thing is that it still passes if I enable the following (the
"# don't trust Archive::Zip" part), which was commented out before.
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data', # don't trust Archive::Zip
));
And on the server using unzip works correctly.
Alessandro
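
An added example, not part of the thread and not amavisd code: a fail-closed triage of a zip attachment, where a member that cannot be decoded yields an "undecipherable" verdict instead of letting the archive pass unchecked. It uses Python's zipfile rather than Archive::Zip; the names triage_zip, BANNED_EXT and MAX_BYTES, the ban list and the sample archives are assumptions made up for this sketch.

```python
import io
import zipfile
import zlib

BANNED_EXT = (".exe", ".scr", ".com")   # assumed ban list for this sketch
MAX_BYTES = 50 * 1024 * 1024            # assumed cap on decoded size per member

# Errors that mean "the decoder could not give us the real content".
DECODE_ERRORS = (zipfile.BadZipFile, zlib.error, NotImplementedError,
                 RuntimeError, EOFError, ValueError)

def triage_zip(data: bytes) -> str:
    """Return 'BANNED', 'UNDECIPHERABLE' or 'CLEAN' for a zip attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "UNDECIPHERABLE"          # not parseable: never report it as clean
    verdict = "CLEAN"
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(BANNED_EXT):
                return "BANNED"          # banned by member name
            try:
                with zf.open(info) as member:
                    head = member.read(2)
                    total = len(head)
                    # Read to the end so zipfile verifies the CRC-32.
                    while chunk := member.read(65536):
                        total += len(chunk)
                        if total > MAX_BYTES:
                            raise ValueError("member too large to decode")
            except DECODE_ERRORS:
                verdict = "UNDECIPHERABLE"   # decode failed: fail closed
                continue
            if head == b"MZ":
                return "BANNED"          # executable content under another name
    return verdict

def _make_zip(name: str, payload: bytes, method=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a one-member archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: stored member whose data no longer matches its CRC.
    damaged = _make_zip("doc.pdf", b"MZ" + b"A" * 100, zipfile.ZIP_STORED)
    damaged = damaged.replace(b"A" * 100, b"B" * 100)
    print(triage_zip(damaged))
```

A mail filter would treat the "UNDECIPHERABLE" verdict the same way as a banned file, or hand the original archive to the virus scanner, rather than delivering it.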