malware went through because RAR file fails to unpack
Engels, Jan
jan.engels at desy.de
Mon Mar 23 21:24:35 CET 2020
Hi everyone,
thanks a lot for the quick reply. For now I'm just blocking rar archives from
external. My @decoders section currently looks as follows:
@decoders = (
  ['mail', \&do_mime_decode],
  # [[qw(asc uue hqx ync)], \&do_ascii], # not safe
  ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz', \&do_uncompress, 'gzip -d'],
  ['gz', \&do_gunzip],
  ['bz2', \&do_uncompress, 'bzip2 -d'],
  ['xz', \&do_uncompress,
         ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress,
         ['lzmadec', 'xz -dc --format=lzma',
          'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
  ['lrz', \&do_uncompress,
         ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo', \&do_uncompress, 'lzop -d'],
  ['lz4', \&do_uncompress, ['lz4c -d'] ],
  ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
  # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
  ['deb', \&do_ar, 'ar'],
  # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
  ['rar', \&do_unrar, ['unrar', 'rar'] ],
  ['arj', \&do_unarj, ['unarj', 'arj'] ],
  ['arc', \&do_arc, ['nomarch', 'arc'] ],
  ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
  # ['doc', \&do_ole, 'ripole'], # no ripole package so far
  ['cab', \&do_cabextract, 'cabextract'],
  # ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead
  ['tnef', \&do_tnef],
  # ['lha', \&do_lha, 'lha'], # not safe, use 7z instead
  # ['sit', \&do_unstuff, 'unstuff'], # not safe
  [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
  [[qw(gz bz2 Z tar)],
         \&do_7zip, ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
         \&do_7zip, '7z' ],
  ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);
For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
version of unrar which causes problems? I currently have the following
installed:
unrar-4.2.4-1.el7.x86_64
I will anyway try to remove the 'rar' from the list as proposed by p at rick:
['rar', \&do_unrar, ['unrar'] ],
and just leave 'unrar' to check if it helps...
@p at trick: I currently also do not have:
\&Amavis::Unpackers::do_unrar
anywhere in my list. Is that for using some amavis perl 'unrar' library?
My current amavis version is:
amavisd-new-2.11.1-1.el7.noarch
Thanks a lot for your help!
Cheers
Jan
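A check an admin can run on the amavis host to tell whether a RAR attachment that failed to unpack is RAR4 or RAR5 and whether the installed unrar is new enough to open it. This is an added example, not code from this thread or from amavisd-new; the RAR signature bytes, the layout of the unrar banner line and the rule "RAR5 needs unrar 5 or newer" are my assumptions.

```python
#!/usr/bin/env python3
"""Classify a RAR file by its signature and compare it with the installed
unrar version.  Added example; assumptions are marked in the comments."""
import re
import subprocess
import sys
from typing import Optional

# Assumed archive signatures: RAR4 = 'Rar!' 1A 07 00, RAR5 = 'Rar!' 1A 07 01 00
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def rar_format(head: bytes) -> str:
    """Return 'rar4', 'rar5' or 'not-rar' for the first bytes of a file."""
    if head.startswith(RAR5_MAGIC):   # check the longer signature first
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    return "not-rar"


def unrar_major(banner: str) -> Optional[int]:
    """Major version from a banner such as 'UNRAR 4.20 freeware ...'.
    Assumes that banner layout; None if no version is found."""
    m = re.search(r"UNRAR\s+(\d+)\.(\d+)", banner)
    return int(m.group(1)) if m else None


def can_unpack(fmt: str, major: Optional[int]) -> bool:
    """Assumption: any unrar opens RAR4, only unrar >= 5 opens RAR5."""
    if fmt == "not-rar" or major is None:
        return False
    return fmt == "rar4" or major >= 5


def installed_unrar_banner() -> str:
    """Run unrar without arguments and return what it prints ('' if absent)."""
    try:
        out = subprocess.run(["unrar"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return out.stdout + out.stderr


if __name__ == "__main__":
    major = unrar_major(installed_unrar_banner())
    for path in sys.argv[1:]:           # usage: rarcheck.py file.rar ...
        with open(path, "rb") as f:
            fmt = rar_format(f.read(8))
        print(f"{path}: {fmt}, unrar major={major}, unpackable={can_unpack(fmt, major)}")
```

A RAR5 attachment reported as unpackable=False points at the decoder tool, not at the @decoders ordering.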
----- Original Message -----
| From: "Patrick Ben Koetter" <p at sys4.de>
| To: amavis-users at amavis.org
| Sent: Monday, March 23, 2020 8:42:53 PM
| Subject: Re: malware went through because RAR file fails to unpack
| * Benny Pedersen <me at junc.eu>:
|> On 2020-03-23 18:01, Engels, Jan wrote:
|>
|> > i.e. malware went through amavis because the RAR archive containing
|> > the malware could not be unpacked:
|>
|> does clamav detect this virus?
|
| Recent clamav versions detect RARv5 archives and unpack them properly.
|
|
|>
|> is amavisd unpacking it, or just not detecting it?
|>
|> sorry not using amavisd here, but fuglu could have same problem
|
| --
| [*] sys4 AG
|
| https://sys4.de, +49 (89) 30 90 46 64
| Schleißheimer Straße 26/MG,80333 München
|
| Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
| Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
| Aufsichtsratsvorsitzender: Florian Kirstein