This zip file passes the .exe banning why?

Alessandro Briosi ab1 at metalit.com
Tue Apr 12 17:07:33 CEST 2016


On 12/04/2016 16:34, Thomas Jarosch wrote:
> On Monday, 11. April 2016 18:08:19 Alessandro Briosi wrote:
>> > The odd thing is that it still passes if I enable the following (the
>> > "# don't trust Archive::Zip" part), which was commented before.
>> > 
>> > @keep_decoded_original_maps = (new_RE(
>> > # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>> >   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>> >   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
>> >   qr'^Zip archive data',     # don't trust Archive::Zip
>> > ));
>> > 
>> > And on the server using unzip works correctly.
> @keep_decoded_original_maps just keeps the .zip file around.
> Since you don't block .zip files, it's more or less by design it passes.
>
> Or do you mean "it passes the virus scanner"?
>
> That's a matter of how fast the AV vendor gets
> the sample and adds (generic) detection for it.
>
> Thomas
>

Oh, ok,

I thought the "# don't trust Archive::Zip" meant to use "unzip" and not
the perl library to handle zip files.

It passes the virus scanner, but that's because this kind of virus
(probably cryptolocker) doesn't get caught by most antivirus software.

Alessandro
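To make the distinction from the exchange above concrete, here is an added amavisd.conf fragment (illustration only, written for this archive page; it is not the configuration of either poster). The option names are amavisd-new's own; the particular regexes and the chosen destiny value are assumptions for the example. Retaining the original archive with @keep_decoded_original_maps only changes what is handed to the virus scanner, while blocking a .exe inside a .zip is decided by the banned-name checks, which are applied to each member amavisd unpacks from the archive.

```perl
# amavisd.conf fragment (added illustration, not from the thread;
# option names are amavisd-new's, regexes and destiny are assumptions)

# Retaining the original .zip affects only what the AV scanner sees:
# the decoded members are scanned as usual, and the whole archive is
# scanned as well in case Archive::Zip unpacked it differently than the
# malware author intended. Nothing here bans anything.
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',      # don't trust Archive::Zip: scan the whole .zip too
));

# Banning is decided here, independently of the AV result. The checks
# run over every part amavisd extracts, so a .exe nested inside a .zip
# is matched by name even when no AV signature exists for it yet.
$banned_filename_re = new_RE(
  qr'\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)$'i,   # executable by extension
  qr'^\.(exe-ms)$',                                # executable by file(1) type
);

# What to do with a message that matched a banned name.
$final_banned_destiny = D_BOUNCE;   # alternatives: D_DISCARD, D_REJECT
```

The practical consequence for the case in the thread: an archive that amavisd can unpack is checked member by member against $banned_filename_re, so the .exe is caught by its name rather than by an AV signature; an archive that cannot be unpacked (password-protected or malformed) is reported as undecipherable and falls under the separate handling for that condition, which is why the MAIL-UNDECIPHERABLE entry is kept above.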