AW: Encrypted rar

Grooz, Marc (regio iT) Marc.Grooz at regioit.de
Thu Nov 8 12:21:36 CET 2018 

Hi,

we found that this could be a solution?

diff -U5 /usr/sbin/amavisd-new.bak /usr/sbin/amavisd-new

--- /usr/sbin/amavisd-new.bak    2018-11-08 11:58:36.300181125 +0100
+++ /usr/sbin/amavisd-new    2018-11-08 11:50:58.262021510 +0100

@@ -31605,10 +31605,15 @@

     } elsif (proc_status_ok($rv,$err, 3)) {  # CRC_ERROR
       # NOTE: password protected files in the archive cause CRC_ERROR
       do_log(4,"do_unrar: CRC_ERROR - undecipherable, %s",
                exit_status_str($rv,$err));
       $part->attributes_add('U');
+    } elsif (proc_status_ok($rv,$err, 11)) {  # ENCRYPT_ERROR
+      do_log(4,"do_unrar: maybe PROTECTED ARCHIVE - undecipherable, %s",
+               exit_status_str($rv,$err));
+      $part->attributes_add('U');
     } elsif (proc_status_ok($rv,$err, 1) && @list && $bytes > 0) {
                                              # WARNING, probably still ok
       do_log(4,"do_unrar: warning, %s", exit_status_str($rv,$err));
     } elsif (!proc_status_ok($rv,$err)) {
       die("can't get a list of archive members: " .



Von: Grooz, Marc (regio iT)
Gesendet: Donnerstag, 8. November 2018 10:07
An: 'amavis-users at amavis.org' <amavis-users at amavis.org>
Betreff: Encrypted rar

Hi,

I have a case where a encrypted rar archiv isn't blocked by amavis becouse the filelist is also crypted.

For example:

(!)Decoding of p003 (RAR archive data, v6f,) failed, leaving it unpacked: do_unrar: can't get a list of archive members: exit 11; 0 files
p.path test at example.org<mailto:test at example.org>: "P=p004,L=1,M=multipart/mixed | P=p003,L=1/2,M=application/x-rar-compressed,T=rar,N=twain_32_verschluesselt.rar", matching_key="(?^:^\\.(zip|rar|arc|arj|zoo|7z)$)"
p003 1/2 Content-Type: application/x-rar-compressed, base64, size: 30206, SHA1 digest: 7a818f8ab8d5b1a97a3594367585b7f983b6db68, name: twain_32_verschluesselt.rar

Blocking rar archives where the filelist isn't encrypted is no problem.

How could amavis block such archives without blocking all rar types?

Regards Marc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.amavis.org/pipermail/amavis-users/attachments/20181108/0222e211/attachment.html>

More information about the amavis-users mailing list