malware went through because RAR file fails to unpack

Engels, Jan jan.engels at desy.de
Tue Mar 24 13:42:23 CET 2020


Hi Patrick,

unfortunately it didn't work. The unrar on my CentOS7 system does not seem to be
able to handle the newer RAR versions, i.e. extract the file containing the malware:

$ unrar x SWIFT\ MT103\ Copy.rar 

UNRAR 4.20 freeware      Copyright (c) 1993-2012 Alexander Roshal

Unsupported archive format. Please update RAR to a newer version.
SWIFT MT103 Copy.rar is not RAR archive
No files to extract



I could however find another package which seems to be better for unpacking rar files
and is available on CentOS7:

unar-1.10.1-1.el7.x86_64

Using this tool I could extract the RAR without problems:

$ unar SWIFT\ MT103\ Copy.rar 
SWIFT MT103 Copy.rar: RAR 5
  SWIFT MT103 Copy.exe  (81920 B)... OK.
Successfully extracted to "./SWIFT MT103 Copy.exe".


Is it possible to include unar in the amavis.conf?

I could not get it to work by adjusting the corresponding section:

| @decoders = (
|  ['mail', \&do_mime_decode],
...
|  ['rar',  \&do_unrar, ['unar'] ],

This led to the following error:

amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags: Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: can't get a list of archive members: exit 1; Unknown option -idcdp. 


Does anyone know if or how this can be done? I could find the -idcdp option in the amavisd script:

  my(@common_rar_switches) = qw(-c- -p- -idcdp);  # -av-

Can this variable somehow be switched off/overwritten in the amavis.conf file?

Cheers
Jan

----- Original Message -----
| From: "Jan Engels" <jan.engels at desy.de>
| To: "Patrick Ben Koetter" <p at sys4.de>
| Cc: amavis-users at amavis.org
| Sent: Monday, March 23, 2020 9:24:35 PM
| Subject: Re: malware went through because RAR file fails to unpack

| Hi everyone,
| 
| thanks a lot for the quick reply. For now I'm just blocking rar archives from
| external. My @decoders section currently looks as follows:
| 
| @decoders = (
|  ['mail', \&do_mime_decode],
| # [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
|  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
|  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
|  ['gz',   \&do_uncompress, 'gzip -d'],
|  ['gz',   \&do_gunzip],
|  ['bz2',  \&do_uncompress, 'bzip2 -d'],
|  ['xz',   \&do_uncompress,
|           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
|  ['lzma', \&do_uncompress,
|           ['lzmadec', 'xz -dc --format=lzma',
|            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
|  ['lrz',  \&do_uncompress,
|           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
|  ['lzo',  \&do_uncompress, 'lzop -d'],
|  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
|  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
|  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
|           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
|  ['deb',  \&do_ar, 'ar'],
| # ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
|  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
|  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
|  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
|  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
| # ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
|  ['cab',  \&do_cabextract, 'cabextract'],
| # ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
|  ['tnef', \&do_tnef],
| # ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
| # ['sit',  \&do_unstuff, 'unstuff'],  # not safe
|  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
|  [['zip','kmz'], \&do_unzip],
|  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
|  [[qw(gz bz2 Z tar)],
|           \&do_7zip,  ['7za', '7z'] ],
|  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
|           \&do_7zip,  '7z' ],
|  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
| );
| 
| For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
| version of unrar which causes problems? I currently have the following
| installed:
| 
| unrar-4.2.4-1.el7.x86_64
| 
| I will anyway try to remove the 'rar' from the list as proposed by p at rick:
|  ['rar',  \&do_unrar, ['unrar'] ],
| 
| and just leave 'unrar' to check if it helps...
| 
| @p at trick: I currently also do not have:
| 
| \&Amavis::Unpackers::do_unrar
| 
| anywhere in my list. Is that for using some amavis perl 'unrar' library?
| 
| My current amavis version is:
| 
| amavisd-new-2.11.1-1.el7.noarch
| 
| Thanks a lot for your help!
| 
| Cheers
| Jan
| 
| 
| ----- Original Message -----
|| From: "Patrick Ben Koetter" <p at sys4.de>
|| To: amavis-users at amavis.org
|| Sent: Monday, March 23, 2020 8:42:53 PM
|| Subject: Re: malware went through because RAR file fails to unpack
| 
|| * Benny Pedersen <me at junc.eu>:
||> On 2020-03-23 18:01, Engels, Jan wrote:
||> 
||> > i.e. malware went through amavis because the RAR archive containing
||> > the malware could not be unpacked:
||> 
||> Does clamav detect this virus?
|| 
|| Recent clamav versions detect RARv5 archives and unpack them properly.
|| 
|| 
||> 
||> Is amavisd unpacking it, or just not detecting it?
||> 
||> Sorry, not using amavisd here, but fuglu could have the same problem.
|| 
|| --
|| [*] sys4 AG
|| 
|| https://sys4.de, +49 (89) 30 90 46 64
|| Schleißheimer Straße 26/MG,80333 München
|| 
|| Registered office: München, Amtsgericht München: HRB 199263
|| Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
|| Chairman of the supervisory board: Florian Kirstein
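The thread's root cause is a container-format mismatch: unrar 4.20 only understands the RAR 1.5-4.x container, while the attachment is a RAR 5 archive, so amavis's do_unrar fails and the archive is "left unpacked" (i.e. passed on undecoded, with detection then depending on clamav's own RAR5 support). Swapping in unar does not help because amavis hands the decoder unrar-specific switches (-c- -p- -idcdp) that unar rejects. The following script is an added check, not part of the thread or of the amavis project: it classifies a file by its RAR signature bytes (taken from the published RAR format description, assumed known) and decides whether an unrar of a given major version can open it, so an operator can audit quarantined or sampled attachments and confirm whether the installed unrar is the weak spot before touching @decoders. The sample headers are constructed; the banner string is the one unrar 4.20 printed in the thread.

```python
"""Added check (not from the amavis thread): classify a RAR attachment by its
signature bytes and decide whether an installed unrar of a given major
version can open it.  RAR 1.5-4.x and RAR 5 use different containers;
unrar 4.x only understands the former, which is why unrar 4.20 reports
'Unsupported archive format' on a RAR5 file."""
import re
from typing import Dict, List, Optional, Tuple

# Signature bytes from the published RAR format description (assumed known,
# not taken from the thread).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x container
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.0 and later


def rar_version(header: bytes) -> Optional[str]:
    """Return 'RAR4', 'RAR5' or None from the leading bytes of a file."""
    if header.startswith(RAR5_MAGIC):
        return "RAR5"
    if header.startswith(RAR4_MAGIC):
        return "RAR4"
    return None


def parse_unrar_major(banner: str) -> Optional[int]:
    """Extract the major version from the first line unrar prints, e.g.
    'UNRAR 4.20 freeware      Copyright (c) 1993-2012 Alexander Roshal' -> 4."""
    m = re.match(r"\s*UNRAR\s+(\d+)\.(\d+)", banner)
    return int(m.group(1)) if m else None


def unrar_can_extract(unrar_major: int, version: Optional[str]) -> bool:
    """unrar 4.x handles only RAR4 containers; RAR5 needs unrar 5 or newer."""
    if version == "RAR4":
        return True
    if version == "RAR5":
        return unrar_major >= 5
    return False   # not a RAR archive at all (e.g. a renamed ZIP or EXE)


def audit(samples: Dict[str, bytes],
          unrar_major: int) -> List[Tuple[str, Optional[str], bool]]:
    """For each (name, leading bytes) pair report the detected container and
    whether the given unrar could open it.  Every False row is an archive a
    gateway relying on unrar alone would pass on undecoded."""
    rows = []
    for name, head in samples.items():
        kind = rar_version(head)
        rows.append((name, kind, unrar_can_extract(unrar_major, kind)))
    return rows


# Constructed sample headers (first 16 bytes only; not real attachments).
SAMPLES = {
    "invoice_old.rar": RAR4_MAGIC + b"\x00" * 9,
    "SWIFT MT103 Copy.rar": RAR5_MAGIC + b"\x00" * 8,
    "not_really.rar": b"PK\x03\x04" + b"\x00" * 12,   # ZIP signature, .rar name
}

if __name__ == "__main__":
    banner = "UNRAR 4.20 freeware      Copyright (c) 1993-2012 Alexander Roshal"
    major = parse_unrar_major(banner) or 0
    for name, kind, ok in audit(SAMPLES, major):
        print(f"{name:22s} {kind or 'not RAR':8s} unrar {major}.x can open: {ok}")
```

On a gateway, feed `rar_version()` the first 16 bytes of each sampled attachment and `parse_unrar_major()` the first line of `unrar` run without arguments; a RAR5 row paired with a major version below 5 reproduces exactly the failure in this thread, and the fix is an unrar that understands RAR5 (or a decoder entry whose tool accepts the switches amavis passes), not a different tool behind the same do_unrar entry.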


More information about the amavis-users mailing list