This zip file passes the .exe banning why?

Thomas Jarosch thomas.jarosch at intra2net.com
Tue Apr 12 16:34:15 CEST 2016


On Monday, 11. April 2016 18:08:19 Alessandro Briosi wrote:
> The odd thing is that it still passes if I enable the following (The
> #don't trust Archive::Zip part), which was commented before.
> 
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
>   qr'^Zip archive data',     # don't trust Archive::Zip
> ));
> 
> And on the server using unzip works correctly.

@keep_decoded_original_maps just keeps the .zip file around.
Since you don't block .zip files, it's more or less by design it passes.

Or do you mean "it passes the virus scanner"?

That's a matter of how fast the AV vendor gets
the sample and adds (generic) detection for it.

Thomas



More information about the amavis-users mailing list