detect and block ACE archive

Hoyer-Reuther, Christian Christian.Hoyer-Reuther at cac-chem.de
Fri Apr 20 11:22:11 CEST 2018


Hello Marcin,

here is how you can block ACE archives:

First you need to add the following line to $map_full_type_to_short_type_re in /usr/sbin/amavisd-new:

  $map_full_type_to_short_type_re = [
    …
    [qr/^ACE archive\b/i                   => 'ace-unwanted'],   # <=== add this line
    …
  ];

This line maps the output of the file utility (…result line from file(1): p002: ACE archive data version 20…) to "ace-unwanted".

Then you add "ace-unwanted" to $banned_filename_re in your config:

$banned_filename_re = new_RE(
  …
  qr'^\.(ace-unwanted)$'i,     # <=== add this line
  …
);

Regards,

Christian
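To see why the first attempt (a banned_filename_re pattern written against the full file(1) description) cannot match, while Christian's two lines do, here is an added Python model of the two lookups visible in the log quoted below. It is not amavisd-new code and not from the thread; the type map is abbreviated to three entries plus the catch-all, the part metadata is copied from the log, and the key list passed to the banned check (parent type, part type, ".short-type", declared name) follows the lookup_re([...]) lines in the log.

```python
import re

# Constructed sample, copied from the log lines for part p002 in the thread:
FILE1_OUTPUT = ("ACE archive data version 20, from Win/32, version 20 to extract, "
                "with recovery record, solid")
PARENT_TYPE = "multipart/mixed"
CONTENT_TYPE = "application/octet-stream"
DECLARED_NAME = "Kwit_Skan.rar"

# Abbreviated stand-in for amavisd's $map_full_type_to_short_type_re (assumption:
# only three entries shown). Order matters: the first regex that matches the
# file(1) description wins, and the trailing catch-all yields "dat", which is
# exactly what the log shows: matching_key="(?^:^)", result="dat".
DEFAULT_TYPE_MAP = [
    (re.compile(r"^UTF.* Unicode text\b", re.I), "txt"),
    (re.compile(r"^RAR archive data\b", re.I), "rar"),
    (re.compile(r"^"), "dat"),
]

# The same map with Christian's line inserted before the catch-all.
FIXED_TYPE_MAP = DEFAULT_TYPE_MAP[:-1] + [
    (re.compile(r"^ACE archive\b", re.I), "ace-unwanted"),
] + DEFAULT_TYPE_MAP[-1:]

# Marcin's banned_filename_re entries (no /i flag, as posted) and Christian's addition.
MARCIN_BANNED = [re.compile(p) for p in (
    r"^\.(exe-ms|dll)$", r"^\.jse$", r"^\.pif$", r"^\.ace$",
    r"^ACE archive data version.*$")]
CHRISTIAN_BANNED = MARCIN_BANNED + [re.compile(r"^\.(ace-unwanted)$", re.I)]


def short_type(file1_line, type_map):
    """Map a file(1) description to amavisd's short type: first matching regex wins."""
    for rx, short in type_map:
        if rx.search(file1_line):
            return short
    return None


def banned_check_keys(parent_type, content_type, short, declared_name):
    """The strings banned_filename_re is matched against for one part.
    The full file(1) text is NOT among them; only '.'+short type is."""
    return [parent_type, content_type, "." + short, declared_name]


def is_banned(keys, banned_res):
    """Return the pattern that banned the part, or None if nothing matched."""
    for key in keys:
        for rx in banned_res:
            if rx.search(key):
                return rx.pattern
    return None


def evaluate(type_map, banned_res):
    """Run both lookups for part p002: (short type, keys checked, banning pattern)."""
    short = short_type(FILE1_OUTPUT, type_map)
    keys = banned_check_keys(PARENT_TYPE, CONTENT_TYPE, short, DECLARED_NAME)
    return short, keys, is_banned(keys, banned_res)


if __name__ == "__main__":
    for label, tmap, banned in (("original config", DEFAULT_TYPE_MAP, MARCIN_BANNED),
                                ("with ace-unwanted", FIXED_TYPE_MAP, CHRISTIAN_BANNED)):
        short, keys, hit = evaluate(tmap, banned)
        print(f"{label}: short type {short!r}, keys {keys}, banned by {hit!r}")
```

With the original map the part is typed "dat" and the pattern `^ACE archive data version.*$` never sees the file(1) text, so nothing matches; with the added map entry the key becomes ".ace-unwanted" and `^\.(ace-unwanted)$` fires. The same mechanism applies to any other file(1) type you want to ban by content rather than by the attacker-chosen extension.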

From: amavis-users [mailto:amavis-users-bounces+christian.hoyer-reuther=cac-chem.de at amavis.org] On behalf of Marcin Rozek
Sent: Friday, 20 April 2018 10:14
To: amavis-users at amavis.org
Subject: detect and block ACE archive

Hello,
Recently, bad people have been trying to send ransomware in an ACE archive with a .rar extension. Inside is a .jse file.

Unfortunately, amavisd-new is passing this undetected (does not recognize ACE archive and can’t unpack it).

Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Extracting mime components from a string
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p001
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p002
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new pseudo part: p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p003 1 Content-Type: multipart/mixed
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 1551 bytes to remaining quota 25461000 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p001 1/1 Content-Type: text/plain, base64, size: 1551, SHA1 digest: 0ee8569abe1472ea4ddc0f5d2fd62cc13cbbe995
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p001 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 34500 bytes to remaining quota 25459449 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p002 1/2 Content-Type: application/octet-stream, base64, size: 34500, SHA1 digest: 3168e9d25b548b4b73fa62b188921648c73593c7, name: Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p002 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode-1 - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode-1: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: parts: multipart/mixed, text/plain, application/octet-stream
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: not a bounce
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline dsn_parse - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer dsn_parse: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decode_parts: level=1, #parts=3 : p001, p002, p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) running file(1) on 2 files, arglist size 23
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) run_command: [2353] /usr/bin/file p001 p002 </dev/null 2>&1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd0 closing, to become < /dev/null
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1 closing, to become (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1 dup2 from fd19 (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: source fd19 closed
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2 closing, to become (65) &1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2 dup2 from fd1 (65) &1
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p001: UTF-8 Unicode text, with CRLF line terminators\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("UTF-8 Unicode text, with CRLF line terminators") matches key "(?^i:^UTF.* Unicode text\\b)", result="txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [map_full_type_to_short_type] => true,  "UTF-8 Unicode text, with CRLF line terminators" matches, result="txt", matching_key="(?^i:^UTF.* Unicode text\\b)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p001: UTF-8 Unicode text, with CRLF line terminators; (txt)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p002: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid") matches key "(?^:^)", result="dat"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [map_full_type_to_short_type] => true,  "ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid" matches, result="dat", matching_key="(?^:^)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p002: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid; (dat)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p001 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p002 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline parts_decode - deadline in 479.9 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer parts_decode: timer 288, was 288, deadline in 479.9 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] => undef, "xxx at xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_header: 0, OK
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] => undef, "xxx at xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Checking for banned types and filenames
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup: (scalar) matches, result="DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_filename], 1 matches for "xxx at xxx", results: "(constant:DEFAULT)"=>"DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) collect banned table[0]: xxx at xxx, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x2764760)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) starting banned checks - traversing message structure tree
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p001) multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for xxx at xxx on multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re(["multipart/mixed","text/plain",".txt"]), no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:xxx at xxx] => undef, ["multipart/mixed","text/plain",".txt"] does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=txt" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path xxx at xxx: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p002) multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for xxx at xxx on multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re(["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"]), no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:xxx at xxx] => undef, ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"] does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=Kwit_Skan.rar" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path xxx at xxx: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=dat,N=Kwit_Skan.rar"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) banned check: any=0, all=N (1)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("MAIL") matches key "(?^:^MAIL$)", result="1"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [keep_decoded_original] => true,  "MAIL" matches, result="1", matching_key="(?^:^MAIL$)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts/p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Calling virus scanners, 3 files to scan in /var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) invoking av-scanner ClamAV-clamd
(…)


file Kwit_Skan.rar
Kwit_Skan.rar: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid

I tried to block it:

$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  qr'^\.jse$',
  qr'^\.pif$',
  qr'^\.ace$',
  qr'^ACE archive data version.*$',
);

But amavisd-new still passes these ransomware archives. ☹

Can you help me with banning ACE archives by file type, or add support for ACE archives to amavisd (e.g. by using unace)?
I’m using amavisd-new-2.11.0-3.el7.noarch on CentOS Linux release 7.4.1708.

--
Best regards,
Marcin


