malware went through because RAR file fails to unpack

Engels, Jan jan.engels at
Mon Mar 23 21:24:35 CET 2020

Hi everyone,

thanks a lot for the quick reply. For now I'm just blocking rar archives from
external. My @decoders section currently looks as follows:

@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['xz',   \&do_uncompress,
           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress,
           ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
  ['lrz',  \&do_uncompress,
           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
  ['rpm',  \&do_uncompress, ['', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
  ['cab',  \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
  ['tnef', \&do_tnef],
# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
  [[qw(gz bz2 Z tar)],
           \&do_7zip,  ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
           \&do_7zip,  '7z' ],
  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],

For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
version of unrar which causes problems? I currently have the following


I will anyway try to remove the 'rar' from the list as proposed by p at rick:
  ['rar',  \&do_unrar, ['unrar'] ],

and just leave 'unrar' to check if it helps...

@p at trick: I currently also do not have:


anywhere in my list. Is that for using some amavis perl 'unrar' library?

My current amavis version is:


Thanks a lot for your help!


----- Original Message -----
| From: "Patrick Ben Koetter" <p at>
| To: amavis-users at
| Sent: Monday, March 23, 2020 8:42:53 PM
| Subject: Re: malware went through because RAR file fails to unpack

| * Benny Pedersen <me at>:
|> On 2020-03-23 18:01, Engels, Jan wrote:
|> > i.e. malware went through amavis because the RAR archive containing
|> > the malware could not be unpacked:
|> is clamav detect this virus ?
| Recent clamav version detect RARv5 archives and unpack them properly.
|> is amavisd unpacking it, or just not detect it ?
|> sorry not using amavisd here, but fuglu could have same problem
| --
| [*] sys4 AG
|, +49 (89) 30 90 46 64
| Schleißheimer Straße 26/MG,80333 München
| Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
| Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
| Aufsichtsratsvorsitzender: Florian Kirstein

More information about the amavis-users mailing list