Better antivirus (AV) protection?

Benny Pedersen me at junc.eu
Wed Apr 6 00:08:25 CEST 2022


On 2022-04-05 23:20, Nikolaos Milas wrote:
> On 5/4/2022 11:06 PM, Bastian Blank wrote:
>> This is no 7z file, the same as was already reported here.
> 
> Exactly. However the problem was solved, as you may see in the last
> mails of the thread, by installing unrar on the OS.

sure, my point is unrar is part of clamav, not the OS; with that I just say 
Gentoo's clamav has libunrar in clamav core, on other distros it may be 
disabled by default, so you need to do an insecure unpack in amavisd to scan 
malware, good point for maintainers that disabled unrar in clamav

> The malicious sender, as was mentioned earlier, tries to confuse
> scanners by deliberately using a wrong extension, to push the
> attachment without scanning.

yes, that's why amavisd uses file for file type detection :=)

note I don't use amavisd anymore, but changed to a simpler setup for me, 
fuglu

> Amavis identifies correctly the type of the compressed archive and
> uses the right decoder (if available).

not a problem on heavy loads

> The real problem, in the end, is that the virus is not detected in the
> infected file by ClamAV (after archive decoding). Is it effective and
> efficient to use two mail scanners back-to-back?

foxhole is good in clamav

>> I would just ban rar files outright.
> 
> I would hesitate to drop RAR, as it is a compression format we respect
> and use and the fact that some malicious parties use it is no
> sufficient reason for dropping it, I think.

malware will use any packing format to hide from content scanners, 
disabling rar support in any malware scanner helps nothing

> My 2c.

don't know how many € this is :=)
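
An added illustration, not part of the original message or of amavisd's code: a sketch of the content-based type detection discussed in the thread, flagging an attachment whose extension disagrees with its leading bytes (such as a RAR archive named `.7z`). The function names, verdict strings and sample attachments are constructed for this example.

```python
import os

# Leading-byte signatures of common archive containers. The RAR 5.x entry
# comes first so the two RAR variants are matched by their full signature.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 to 4.x
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),            # empty ZIP archive
    (b"BZh", "bz2"),
    (b"\x1f\x8b", "gz"),
]

# Container type each file extension claims to be.
EXT_TO_TYPE = {".rar": "rar", ".7z": "7z", ".xz": "xz", ".zip": "zip",
               ".bz2": "bz2", ".gz": "gz", ".tgz": "gz"}


def sniff(data):
    """Return the container type indicated by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def classify(filename, data):
    """Compare the claimed type (extension) with the detected type (content).

    Returns (verdict, detected, claimed). The decoder should always be
    chosen from `detected`, never from the extension.
    """
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXT_TO_TYPE.get(ext)
    detected = sniff(data)
    if detected is None:
        verdict = "unknown-content" if claimed else "not-archive"
    elif claimed is None:
        verdict = "hidden-archive"   # archive behind a non-archive extension
    elif claimed != detected:
        verdict = "mismatch"         # e.g. RAR content named .7z
    else:
        verdict = "ok"
    return verdict, detected, claimed


if __name__ == "__main__":
    # Constructed sample: RAR 5.x header bytes behind a .7z file name.
    print(classify("invoice.7z", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8))
```

A "mismatch" or "hidden-archive" verdict still needs the matching decoder to be installed so the scanner can see the contents.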


More information about the amavis-users mailing list