Jim wrote:
> What is meant with this message? An error?
> do_executable/do_unzip failed, ignoring: format error: bad
> signature: 0x00905a4d at offset 0 in file
> /var/lib/amavis/tmp/amavis-20051126T230808-11812/parts/p003
I see in the source code that the error happens when amavisd-new
uses unzip to determine if an executable file is a self-extracting
archive:
# Check for self-extracting archives. Note that we don't rely on
# file magic here since it's not reliable. Instead we will try each
# archiver.
sub do_executable($$@) {
  my($part, $tempdir, $unrar, $lha, $unarj) = @_;
  ll(4) && do_log(4,"Check whether ".$part->base_name.
                    " is a self-extracting archive");
  # ZIP?
  return 2 if eval { do_unzip($part,$tempdir) };
  chomp($@);
  do_log(-1,"do_executable/do_unzip failed, ignoring: $@") if $@ ne '';
  # RAR?
  return 2 if defined $unrar && eval { do_unrar($part,$tempdir,$unrar) };
  chomp($@);
  do_log(-1,"do_executable/do_unrar failed, ignoring: $@") if $@ ne '';
  # LHA?
  return 2 if defined $lha && eval { do_lha($part,$tempdir,$lha) };
  chomp($@);
  do_log(-1,"do_executable/do_lha failed, ignoring: $@") if $@ ne '';
  return 0;
}
In my case, the executable it worked on was extracted from
a zipped attachment and that executable contains a virus. Unzip
reports a problem with the format of the file.
Since evidence is not preserved with this error, a person would need to
quarantine the virus, then extract the executable out, then manually test
that with unzip, unrar and lha.
Question is: if you have a virus inside an executable file inside a
zipped file, and that executable is itself a self-extracting archive,
would an anti-virus vendor make a signature for the executable file as
it sits, or would they create a signature for what the self-extracting
archive extracts out to?
For the viruses that have produced this error for me, all of them were
detected by ClamAV. I don't know if the signature was found in the exe
or whether the exe was in fact extracted out to another level and the
virus was found there. To be safe, I would recommend unrar and lha are
installed if they are not now.
I have both unrar and lha installed, and neither of them has ever complained.
Because ClamAV had no problem detecting the virus, I have not
preserved any evidence either.
Gary V
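
What the logged value says, as an added example (Python, not part of the original message and not amavisd-new code): 0x00905a4d packed back into little-endian bytes is "MZ\x90\x00", the start of a DOS/PE executable header, where a ZIP reader expects 0x04034b50 ("PK\x03\x04"). The function names and sample bytes are constructed for illustration; classify() separates a plain executable from one that carries an appended ZIP archive.

```python
import io
import re
import struct
import zipfile

def signature_bytes(log_line):
    """Return the on-disk bytes behind a 'bad signature: 0x...' log value."""
    m = re.search(r"bad signature: 0x([0-9a-fA-F]{8}) at offset \d+", log_line)
    # The reader loaded 4 bytes as a little-endian integer; pack it back.
    return struct.pack("<I", int(m.group(1), 16)) if m else None

def classify(data):
    """Return (kind, member_names) for the raw bytes of one mail part."""
    starts_mz = data[:2] == b"MZ"  # DOS/PE executable header
    # is_zipfile() looks for the end-of-central-directory record near the
    # END of the data, so it also finds a ZIP appended to an executable stub.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        return ("sfx-zip" if starts_mz else "zip", names)
    return ("pe" if starts_mz else "other", [])

def _make_zip():
    """Build a small ZIP archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "constructed test content")
    return buf.getvalue()

# Constructed samples: the log line is the quoted message with the path
# shortened; the "executables" are fake stubs, only their first bytes matter.
SAMPLE_LOG = ("do_executable/do_unzip failed, ignoring: format error: bad "
              "signature: 0x00905a4d at offset 0 in file p003")
FAKE_STUB = b"MZ\x90\x00" + b"\x00" * 60
PLAIN_ZIP = _make_zip()
PLAIN_PE = FAKE_STUB + b"not an archive"
SFX_ZIP = FAKE_STUB + PLAIN_ZIP

if __name__ == "__main__":
    print("logged signature bytes:", signature_bytes(SAMPLE_LOG))
    for label, blob in (("plain exe", PLAIN_PE),
                        ("self-extracting zip", SFX_ZIP),
                        ("plain zip", PLAIN_ZIP)):
        print(label, "->", classify(blob))
```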
AMaViS-user mailing list