ClamAV detects that it is an ArcBomb, aka a lot of packed files in a packed file. :)

First time, amavis hit a limit; second time, ClamAV found a "trojan". Working as intended! (IMHO)

On Fri 30 Aug 2013 15:24:15, Ralf Hildebrandt via amavis-users wrote:
> Sending 42.zip directly (as an attachment) using mutt yields these log
> entries:
>
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) Checking: epOf5UUVRRlo
> [141.42.206.36] <[email protected]> -> <[email protected]>
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p003 1 Content-Type:
> multipart/mixed
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p001 1/1 Content-Type:
> text/plain, size: 286 B, name:
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p002 1/2 Content-Type:
> application/zip, size: 42374 B, name: 42.zip
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 785 (out
> of 4096) files, arglist size 3999
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out
> of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out
> of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out
> of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out
> of 4096) files, arglist size 3997
> Aug 30 15:15:21 mail2 amavis[20373]: (20373-05) running file(1) on 655 (out
> of 4096) files, arglist size 3943
> Aug 30 15:15:47 mail2 amavis[20373]: (20373-05) Decoding of p651 (Zip archive
> data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: Maximum
> number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
> Aug 30 15:15:50 mail2 amavis[20373]: (20373-05) NOTICE: Virus scanning
> skipped: do_7zip: Maximum number of files (6000) exceeded at
> /usr/sbin/amavisd line 8862.
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)NOTICE: HOLD reason:
> do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line
> 8862.
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)Inserting header field:
> X-Amavis-Hold: do_7zip: Maximum number of files (6000) exceeded at
> /usr/sbin/amavisd line 8862.
>
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) FWD from
> <[email protected]> -> <[email protected]>,RET=FULL
> BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok:
> queued as 3cRLm84d8CzBrfR
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) Passed UNCHECKED
> {RelayedInternal}, LOCAL [141.42.206.36]:34055 [141.42.206.36]
> <[email protected]> -> <[email protected]>, Message-ID:
> <[email protected]>, mail_id: epOf5UUVRRlo, Hits:
> -4.495, size: 59440, queued_as: 3cRLm84d8CzBrfR, dkim_new=default:charite.de,
> 45416 ms
>
> So, the mail is unpacked until the file number limit is reached, after
> that it's being "Passed UNCHECKED". So far, so good.
>
>
> But if I create an email from it using mpack ( using:
> mpack -s 42.zip -o 42.zip.txt 42.zip )
> and attach THAT in mutt -- (so basically creating a message/rfc822
> attachment!), I'm immediately getting:
>
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) Checking: g0LIka1nMAeD
> [141.42.206.36] <[email protected]> -> <[email protected]>
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p003 1 Content-Type:
> multipart/mixed
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p001 1/1 Content-Type:
> text/plain, size: 277 B, name:
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p002 1/2 Content-Type:
> text/plain, size: 57784 B, name: 01_sample-42-mail-bomb.txt
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) run_av (ClamAV-clamd):
> /var/amavis/amavis-20130830T150440-17731-M00LkpB7/parts INFECTED:
> Trojan.ArcBomb-1, Trojan.ArcBomb-1
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) virus_scan:
> (Trojan.ArcBomb-1), detected by 1 scanners: ClamAV-clamd
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) header_edits_for_quar:
> <[email protected]> -> <[email protected]>, No, score=x tag=x
> tag2=x kill=x tests=[] autolearn=unavailable
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) Blocked INFECTED
> (Trojan.ArcBomb-1) {RejectedInternal,Quarantined}, LOCAL
> [141.42.206.36]:33827 [141.42.206.36] <[email protected]> ->
> <[email protected]>, Message-ID: <[email protected]>,
> mail_id: g0LIka1nMAeD, Hits: -, size: 59938, 1091 ms
>
> But why? The 42.zip "inside" is still the same!?
>
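As an added illustration of the bounded-unpacking policy that the quoted log shows amavis applying (stop at a file-count cap, then HOLD rather than scan a partially unpacked tree), here is a small recursive ZIP inspector in Python. It is example code written for this thread, not amavis's or ClamAV's own logic; the limit values, the `inspect_zip`/`ArchiveReport` names and the sample archives are all constructed for the example, and the nested sample is a few compressed zero-filled files, not the 42.zip from the thread. It checks a declared-size budget before inflating any nested archive, enforces a nesting depth, and flags a high expansion ratio, which is the same class of signal behind ClamAV's ArcBomb signature.

```python
"""Bounded recursive ZIP inspection (example code, not amavis/ClamAV code)."""
import io
import zipfile
from dataclasses import dataclass, field

# Hypothetical policy limits for this example.  amavis's real limits are set
# in amavisd.conf and are not read here.
MAX_FILES = 6000                 # total entries across all nesting levels
MAX_DEPTH = 3                    # archive-inside-archive levels allowed
MAX_RATIO = 100                  # declared unpacked bytes : outer archive bytes
MAX_UNPACKED = 64 * 1024 * 1024  # declared unpacked bytes budget


@dataclass
class ArchiveReport:
    files: int = 0
    depth: int = 0
    unpacked: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Mirror the log above: any crossed limit means HOLD, not "scan anyway".
        return "HOLD" if self.reasons else "PASS"


def _walk(data: bytes, depth: int, report: ArchiveReport) -> None:
    """Walk one archive level and stop as soon as a limit is crossed."""
    report.depth = max(report.depth, depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report.files += 1
            report.unpacked += info.file_size  # declared size, nothing inflated yet
            if report.files > MAX_FILES:
                report.reasons.append(f"max files ({MAX_FILES}) exceeded")
                return
            if report.unpacked > MAX_UNPACKED:
                report.reasons.append("max unpacked bytes exceeded")
                return
            # Decide by magic bytes, not by file name, whether this is an archive.
            with zf.open(info) as fh:
                magic = fh.read(4)
            if magic != b"PK\x03\x04":
                continue
            if depth >= MAX_DEPTH:
                report.reasons.append(f"nesting deeper than {MAX_DEPTH}")
                return
            # Only now inflate the inner archive: its size already passed the budget.
            _walk(zf.read(info), depth + 1, report)
            if report.reasons:
                return


def inspect_zip(data: bytes) -> ArchiveReport:
    report = ArchiveReport()
    _walk(data, 1, report)
    if not report.reasons and report.unpacked > MAX_RATIO * len(data):
        report.reasons.append(f"expansion ratio above {MAX_RATIO}:1")
    return report


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory deflated ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one ordinary attachment, one two-level archive whose
# three 1 MiB zero-filled members deflate to a few KiB in total.
BENIGN = _make_zip({"readme.txt": b"hello from the quarterly report\n"})
NESTED = _make_zip({
    "inner.zip": _make_zip({f"zeros{i}.bin": b"\0" * (1 << 20) for i in range(3)}),
})

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("nested", NESTED)):
        r = inspect_zip(sample)
        print(f"{label}: {r.verdict} files={r.files} depth={r.depth} "
              f"unpacked={r.unpacked} reasons={r.reasons}")
```

The budget check before `zf.read(info)` is the important ordering: the declared sizes in the central directory are enough to refuse an archive without ever inflating it, so the inspector never pays the decompression cost the archive was built to impose. With these constructed limits the benign sample passes and the nested sample is held for its expansion ratio.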