malware went through because RAR file fails to unpack

Patrick Ben Koetter p at
Mon Mar 23 19:34:42 CET 2020

Hi Jan,

* Engels, Jan <jan.engels at>:
> Hi everyone,
> I've experienced today the same problem as described here:
> i.e. malware went through amavis because the RAR archive containing the malware could not be unpacked:
> extract from logfile:
> amavis[4629]: (04629-01) (!)Decoding of p002 (RAR archive data, v2d, flags: Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: /var/spool/amavisd/tmp/amavis-20200323T174309-04629-o4cSZwti/parts/p002 is not RAR archive at (eval 133) line 1056.

the problem usually is that amavis uses the wrong unpacker i.e. an unpacker
that can't handle RARv5 archives. You can change that by telling amavis to
prefer 'unrar' over 'rar', which it usually would check for first and use if

Take a look at @decoders and put only 'unrar' in the list of decoders amavis
should use to unpack RAR files:

@decoders = ( ['mail', \&Amavis::Unpackers::do_mime_decode],
    ['rar',  \&Amavis::Unpackers::do_unrar, ['unrar'] ]

Of course check that 'unrar' has been installed, before. :)

p at rick

[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the amavis-users mailing list