Better antivirus (AV) protection?

Nikolaos Milas nmilas at noa.gr
Tue Apr 5 11:29:05 CEST 2022


On 5/4/2022 11:17 a.m., Damian wrote:
> How do you know that they are infected? Is your setup not detecting 
> those viruses because neither Amavis nor ClamAV look inside the 7z 
> archive, or because ClamAV has no signatures for them?

Thank you, Damian, for the reply.

For testing purposes, I downloaded and scanned the content locally, 
using Avira (which I have on my PC), which detected:

    TR/Injector.5079db

(But even if it had not been detected, we would be sure the attachment 
would contain a virus. No malicious sender would ever send a crafted 
mail with a clean exe attachment!)

But you are right in that amavis did NOT actually manage to open the 
7zip archive. I only now noticed in the log:

Apr  5 09:29:09 mailgw1 amavis[3127956]: (3127956-10) (!)Decoding of 
p002 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't 
get a list of archive members: exit 2; Errors: 1

I found that in all cases with a 7z extension we get the above error.

Question 1: Is there something wrong in the configuration that does not 
allow 7z scanning, or is an additional software library probably needed?

Question 1A: If a decoder fails, could amavis be explicitly configured 
to try more decoders?

My amavis "decoders" config section is:

@decoders = (
   ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
   ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
   ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
   ['gz',   \&do_uncompress, 'gzip -d'],
   ['gz',   \&do_gunzip],
   ['bz2',  \&do_uncompress, 'bzip2 -d'],
   ['xz',   \&do_uncompress,
            ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
   ['lzma', \&do_uncompress,
            ['lzmadec', 'xz -dc --format=lzma',
             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
#  ['lrz',  \&do_uncompress,
#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
   ['lzo',  \&do_uncompress, 'lzop -d'],
   ['lz4',  \&do_uncompress, ['lz4c -d'] ],
   ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
   [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
            # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
   ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
   ['rar',  \&do_unrar, ['unrar', 'rar'] ],
   ['arj',  \&do_unarj, ['unarj', 'arj'] ],
   ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
   ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
   ['cab',  \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
   ['tnef', \&do_tnef],
# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
   [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
   [['zip','kmz'], \&do_unzip],
   ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
   [[qw(gz bz2 Z tar)],
            \&do_7zip,  ['7za', '7z'] ],
   [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
            \&do_7zip,  '7z' ],
   ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);

Question 2: Could the config be corrected to process 7z attachments 
correctly?

As a final note: I was misled by the fact that in the mail headers the 
mail was reported as scanned and not as undecipherable.

    X-Virus-Scanned: amavisd-new at noa.gr

Question 3: How can we configure amavis to report such mails (which 
failed to open for scanning) as undecipherable?

Thanks a lot,
Nick
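The log line above says the part that file(1) identified as "RAR archive data, v5" was handed to do_7zip and could not even be listed. Before touching the decoder list, two things are worth checking on such a part: whether it is really a 7z container at all (the .7z name says nothing about the bytes inside), and whether any unpacker installed on the gateway can open the container it actually is. The script below is an added example written for this thread, not amavis code; its tool capability map and its sample parts are constructed assumptions (verify the map on your own host, e.g. with `7z i` and the package list), and the decoder walk only mirrors the shape of the @decoders list, not amavis' internal logic.

```python
import re

# Container signatures from the published 7z, RAR and ZIP header formats.
MAGIC = (
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
)

# Extension one would expect for each real container type.
EXT_OF_FORMAT = {"7z": "7z", "rar4": "rar", "rar5": "rar", "zip": "zip"}

# Assumed capability map (constructed for this example, not measured):
# which unpacker can list which container. Check it on a real host; RAR
# support in 7z usually comes from a separate codec package.
TOOL_FORMATS = {
    "7zr":   {"7z"},
    "7za":   {"7z", "zip"},
    "7z":    {"7z", "zip", "rar4", "rar5"},
    "unrar": {"rar4", "rar5"},
}

# Tool order per real container type, in the spirit of the @decoders
# list from the mail: the first tool that can open the container wins.
DECODER_ORDER = {
    "7z":   ["7zr", "7za", "7z"],
    "rar4": ["unrar", "7z"],
    "rar5": ["unrar", "7z"],
    "zip":  ["7za", "7z"],
}


def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased trailing extension, or '' when there is none."""
    m = re.search(r"\.([A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def analyse(name: str, data: bytes, installed: set) -> dict:
    """Compare the declared extension with the sniffed container and walk
    the decoder chain; a part no installed tool can open is reported as
    undecipherable instead of silently passing as scanned."""
    fmt = sniff(data)
    ext = extension(name)
    mismatch = fmt != "unknown" and ext != EXT_OF_FORMAT[fmt]
    tried, opener = [], None
    for tool in DECODER_ORDER.get(fmt, []):
        tried.append(tool)
        if tool in installed and fmt in TOOL_FORMATS[tool]:
            opener = tool
            break
    return {
        "extension": ext,
        "container": fmt,
        "extension_mismatch": mismatch,
        "tried": tried,
        "opened_by": opener,
        "verdict": "decoded" if opener else "undecipherable",
    }


# Constructed sample parts: header bytes plus zero filler, not real archives.
RAR5_NAMED_7Z = ("invoice.7z", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)
GENUINE_7Z = ("report.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)

if __name__ == "__main__":
    # A gateway with only the reduced 7-Zip builds and no unrar installed.
    host_tools = {"7zr", "7za"}
    for part_name, blob in (RAR5_NAMED_7Z, GENUINE_7Z):
        print(part_name, analyse(part_name, blob, host_tools))
```

Run as-is, the RAR v5 part named invoice.7z comes back with extension_mismatch set and the verdict "undecipherable" (both unrar and a RAR-capable 7z are absent from the assumed tool set), while the genuine 7z part is opened by 7zr; adding "unrar" to host_tools flips the first verdict to "decoded". The same two questions, real container type and a tool that can open it, are what the amavis log line is pointing at.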
