Better antivirus (AV) protection?

infoomatic infoomatic at gmx.at
Tue Apr 5 12:57:15 CEST 2022


Out of interest, did clamav detect the local content?


On 05.04.22 11:29, Nikolaos Milas wrote:
> On 5/4/2022 11:17 a.m., Damian wrote:
>> How do you know that they are infected? Is your setup not detecting
>> those viruses because neither Amavis nor ClamAV look inside the 7z
>> archive, or because ClamAV has no signatures for them?
>
> Thank you, Damian, for the reply.
>
> For testing purposes, I downloaded and scanned the content locally,
> using Avira (which I have on my PC), which detected:
>
>    TR/Injector.5079db
>
> (But even if it had not been detected, we would be sure the attachment
> would contain a virus. No malicious sender would ever send a crafted
> mail with a clean exe attachment!)
>
> But you are right in that amavis did NOT actually manage to open the
> 7zip archive. I only now noticed in the log:
>
> Apr  5 09:29:09 mailgw1 amavis[3127956]: (3127956-10) (!)Decoding of
> p002 (RAR archive data, v5) failed, leaving it unpacked: do_7zip:
> can't get a list of archive members: exit 2; Errors: 1
>
> I found that in all cases with a 7z extension we get the above error.
>
> Question 1: Is there something wrong in the configuration that does
> not allow 7z scanning, or is an additional software library probably
> needed?
>
> Question 1A: If a decoder fails, could amavis be explicitly configured
> to try more decoders?
>
> My amavis "decoders" config section is:
>
> @decoders = (
>   ['mail', \&do_mime_decode],
> # [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
>   ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
>   ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
>   ['gz',   \&do_uncompress, 'gzip -d'],
>   ['gz',   \&do_gunzip],
>   ['bz2',  \&do_uncompress, 'bzip2 -d'],
>   ['xz',   \&do_uncompress,
>            ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
>   ['lzma', \&do_uncompress,
>            ['lzmadec', 'xz -dc --format=lzma',
>             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
> #  ['lrz',  \&do_uncompress,
> #           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
>   ['lzo',  \&do_uncompress, 'lzop -d'],
>   ['lz4',  \&do_uncompress, ['lz4c -d'] ],
>   ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
>   [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
>            # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
>   ['deb',  \&do_ar, 'ar'],
> # ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
>   ['rar',  \&do_unrar, ['unrar', 'rar'] ],
>   ['arj',  \&do_unarj, ['unarj', 'arj'] ],
>   ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
>   ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
> # ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
>   ['cab',  \&do_cabextract, 'cabextract'],
> # ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
>   ['tnef', \&do_tnef],
> # ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
> # ['sit',  \&do_unstuff, 'unstuff'],  # not safe
>   [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
>   [['zip','kmz'], \&do_unzip],
>   ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
>   [[qw(gz bz2 Z tar)],
>            \&do_7zip,  ['7za', '7z'] ],
>   [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
>            \&do_7zip,  '7z' ],
>   ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
> );
>
> Question 2: Could the config be corrected to process 7z attachments
> correctly?
>
> As a final note: I was misled by the fact that in the mail headers the
> mail was reported as scanned and not as undecipherable.
>
>    X-Virus-Scanned: amavisd-new at noa.gr
>
> Question 3: How can we configure amavis to report such mails (which
> failed to open for scanning) as undecipherable?
>
> Thanks a lot,
> Nick
>
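The log line quoted above carries the detail a defender needs: amavis names the part, the type it actually detected in the data (RAR v5, not 7z), the decoder that ran and why it failed, yet the message still went out as passed and scanned. The following audit script, added here and not part of the thread or of amavis, correlates those failure lines with the later "Passed" verdict for the same task id so that mails whose attachments were never opened can be alerted on; the log lines it runs over are constructed for illustration (the first one reproduces the quoted failure re-joined onto a single line), and the "Passed CLEAN" line layout is an assumption about the log format.

```python
import re

# Constructed sample log: the first line reproduces the failure quoted in the
# thread (re-joined onto one line, as syslog writes it); the rest is made up.
SAMPLE_LOG = """\
Apr  5 09:29:09 mailgw1 amavis[3127956]: (3127956-10) (!)Decoding of p002 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Apr  5 09:29:10 mailgw1 amavis[3127956]: (3127956-10) Passed CLEAN {RelayedInbound}, <sender@example.invalid> -> <user@example.invalid>, mail_id: abc123, Hits: 0.5
Apr  5 09:31:42 mailgw1 amavis[3127957]: (3127957-11) Passed CLEAN {RelayedInbound}, <other@example.invalid> -> <user@example.invalid>, mail_id: def456, Hits: -1.2
"""

# One decoder failure: amavis logs the part name, the content type it
# detected (not the file extension), the decoder that ran and its error text.
FAIL_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) \(!\)Decoding of (?P<part>p\d+) "
    r"\((?P<detected_type>[^)]*)\) failed, leaving it unpacked: "
    r"(?P<decoder>\w+): (?P<reason>.*)$"
)
# Final verdict line for the same task id (assumed layout).
VERDICT_RE = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) Passed (?P<verdict>\w+)")


def audit_amavis_log(log_text):
    """Return one record per unpacked part whose message was nevertheless
    passed, i.e. a part the virus scanner never looked inside."""
    failures = {}   # task id -> list of failure records
    verdicts = {}   # task id -> verdict string
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.setdefault(m["task"], []).append(m.groupdict())
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m["task"]] = m["verdict"]
    flagged = []
    for task, recs in failures.items():
        verdict = verdicts.get(task)
        if verdict is None:
            continue   # decoding failed but the message was not passed
        for rec in recs:
            flagged.append(dict(rec, verdict=verdict))
    return flagged


if __name__ == "__main__":
    for rec in audit_amavis_log(SAMPLE_LOG):
        print(f"{rec['task']}: part {rec['part']} is '{rec['detected_type']}', "
              f"{rec['decoder']} failed ({rec['reason']}) but verdict was {rec['verdict']}")
```

Feeding the script a real amavis log (e.g. via `journalctl` or the syslog file) lists every message that left the gateway with an unopened archive; a non-empty result is the condition the thread's Question 3 asks to have surfaced.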
