malware went through because RAR file fails to unpack

Patrick Ben Koetter p at sys4.de
Mon Mar 23 19:34:42 CET 2020


Hi Jan,

* Engels, Jan <jan.engels at desy.de>:
> Hi everyone,
> 
> I've experienced today the same problem as described here:
> 
> https://lists.amavis.org/pipermail/amavis-users/2016-May/004334.html
> 
> i.e. malware went through amavis because the RAR archive containing the malware could not be unpacked:
> 
> extract from logfile:
> amavis[4629]: (04629-01) (!)Decoding of p002 (RAR archive data, v2d, flags: Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: /var/spool/amavisd/tmp/amavis-20200323T174309-04629-o4cSZwti/parts/p002 is not RAR archive at (eval 133) line 1056.

The problem usually is that amavis uses the wrong unpacker, i.e. one that
can't handle RARv5 archives. You can change that by telling amavis to
prefer 'unrar' over 'rar', which it would usually check for first and use if
found.

Take a look at @decoders and put only 'unrar' in the list of decoders amavis
should use to unpack RAR files:

@decoders = ( ['mail', \&Amavis::Unpackers::do_mime_decode],
    ['rar',  \&Amavis::Unpackers::do_unrar, ['unrar'] ]
);

Of course, check that 'unrar' has been installed first. :)

p at rick



-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
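An added example for checking a part that amavis left unpacked (this is not code from the post above or from amavis itself): it classifies a file as a RAR v4 or RAR v5 archive from its signature bytes and reports whether 'unrar' is on the PATH. The function names rar_version, unpacker_status and make_samples are this example's own, and the sample files it writes are constructed stubs containing only the signature bytes, not real archives.

```shell
#!/bin/sh
# Added example, not from the amavis-users post or from the amavis project.
# Classifies a file as a RAR v4 or RAR v5 archive by its signature bytes so an
# admin can check whether a part amavis "left unpacked" was a v5 archive
# (assumption: that is the failure being diagnosed).
# Signatures per the RAR format documentation:
#   RAR 1.5 - 4.x : 52 61 72 21 1A 07 00
#   RAR 5.x       : 52 61 72 21 1A 07 01 00

# Print "4", "5" or "none" for the file given as $1.
rar_version() {
    # Hex-dump the first 8 bytes and strip whitespace: "526172211a070100..."
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        526172211a070100*) echo 5 ;;
        526172211a0700*)   echo 4 ;;
        *)                 echo none ;;
    esac
}

# Report the archive version of $1 and whether 'unrar' (the decoder the post
# recommends listing alone in @decoders) is installed. Returns 1 for a
# non-RAR file and 2 when unrar is missing.
unpacker_status() {
    v=$(rar_version "$1")
    if [ "$v" = none ]; then
        echo "$1: not a RAR archive"
        return 1
    fi
    if command -v unrar >/dev/null 2>&1; then
        echo "$1: RAR v$v, unrar found at $(command -v unrar)"
    else
        echo "$1: RAR v$v, unrar NOT installed (amavis will leave it unpacked)"
        return 2
    fi
}

# Constructed sample inputs: signature bytes plus padding, not real archives.
make_samples() {
    dir=${1:-.}
    printf 'Rar!\032\007\000padding' > "$dir/v4.rar"
    printf 'Rar!\032\007\001\000padding' > "$dir/v5.rar"
    printf 'PK\003\004not-rar' > "$dir/zip.bin"
}

# Usage: sh rarcheck.sh demo    (or source the file and call the functions)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in "$tmp/v4.rar" "$tmp/v5.rar" "$tmp/zip.bin"; do
        unpacker_status "$f" || true
    done
    rm -rf "$tmp"
fi
```

To use it on a real incident, point unpacker_status at the part file named in the amavis log (the /var/spool/amavisd/tmp/.../parts/p002 path in the quoted log line) before amavis cleans up its temporary directory; a "5" result combined with a missing or outdated unrar is the situation the post describes.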


