On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:
> Hi,
>
> Today I found the same behaviour with the following zip file.
> In $log_level=5 I see that amavis sees the content of the zip archive
> (Docs-5280.exe) but did not block it.
> If I extract the Docs-5280.exe file and place it into another zip file,
> that zip file is correctly identified as
> containing an .exe, and rejected by the server.
>
> Can anyone make a test from your side?
>
> I have CentOS 6 with amavisd-new-2.8.0
>
> == THE CONTAINED EXE FILE CONTAINS TROJAN => Original file:
> https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0
>
> Thank you.
>
> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuh...@btspuhler.com>:
> > On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> > > Hello,
> > >
> > > This morning our mailserver (Postfix+Amavis) had a virus pass through to
> > > our users. The file was an .exe file within a .zip file. The server is
> > > configured to block .exe files with $banned_filename_re, but this one
> > > slipped by. After setting $log_level to 5, it seems that the ZIP file
> > > was never decoded by amavis, but allowed to pass unscanned. ClamAV
> > > missed the virus as well, but it should have never made it to that point
> > > anyway. The strangest thing is, if I extract the .exe file and place it
> > > into a "new" zip file, that zip file is correctly identified as
> > > containing an .exe, and blocked by the server.
> > >
> > > I've gone so far as to override the default zip decoding, using 7zip:
> > >
> > > @decoders = (
> > >   ['zip', \&do_7zip, ['7z', '7za'] ],
> > > );
> > >
> > > and the same behaviour is exhibited.
> > >
> > > Versions:
> > > Ubuntu 10.04
> > > amavisd-new-2.6.4
> > >
> > > I realize this version is quite out of date, and that may be the
> > > ultimate cause of the issue (working on testing this theory), but in
> > > case it isn't I wanted to let someone know.
> > >
> > > I've made available the original and "new" zip files on Dropbox:
> > > == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST =>
> > >
> > > Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> > > New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
> >
> > The exe file is detected here.
> > I downloaded your Original.zip from the dropbox and attached it to an
> > e-mail I sent to myself.
> > See the attachment for what happened.
> > Of course, it didn't find the virus since the exe file was blocked before
> > it got to the virus scanner.
> >
> > --
> > Best regards
> > Thomas Spuhler
> >
> > All of my e-mails have a valid digital signature
> > ID 60114E63

Konstantin:
I downloaded the zip file from your link. Attached it to an e-mail to my wife's e-mail address (same server as mine) and the e-mail didn't get delivered.
I got a message (as admin) that it was rejected. See the details of the message in the attachment.
Do you really have an unzip program installed?
I am using p7zip-9.20.1 for it, and for .exe /usr/bin/lha

--
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
ZIP_Exe.pdf
Description: Adobe PDF document
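The thread's recurring symptom is that $banned_filename_re only acts on the member names amavisd's decoder reports, so a zip that a decoder fails on, or reads differently from the desktop tool that later opens it, is judged on a different name list than the one the recipient sees. Before sending a suspect sample through the mail server again, it helps to list what each part of the archive itself claims. The script below is an added example, not code from amavisd-new or from anyone in this thread: it parses a zip's central directory and every local file header independently, reports where they disagree (or where data sits before/after the archive), and applies a banned-name regex to every name found in either header. The regex is an illustrative stand-in for a site's $banned_filename_re, and the sample archive is constructed in memory (a harmless "MZ" stub named Docs-5280.exe, with a variant whose local header is patched to a .txt name); none of the thread's Dropbox files are used.

```python
import io
import re
import struct
import zipfile

# Illustrative banned-name pattern in the spirit of amavisd's $banned_filename_re
# (assumption: a trimmed example, not copied from any real amavisd.conf).
BANNED_NAME_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|cpl|vbs|js)$", re.IGNORECASE)

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def parse_zip(data):
    """Read member names from BOTH the central directory and each local header.

    Archive tools differ on which of the two they trust, so a zip whose headers
    disagree is listed differently by different decoders. Returns
    (entries, anomalies); each entry holds the name from each header.
    Plain 32-bit zip only (no zip64, no multi-disk), enough for mail attachments.
    """
    anomalies = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return [], ["no end-of-central-directory record: not a complete zip"]
    _sig, _disk, _cd_disk, _n_disk, n_entries, _cd_size, cd_off, comment_len = \
        struct.unpack_from("<4s4H2LH", data, eocd)
    if eocd + 22 + comment_len != len(data):
        anomalies.append("bytes after the end-of-central-directory record")

    entries, local_offsets, pos = [], [], cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            anomalies.append("central directory entry missing at offset %d" % pos)
            break
        f = struct.unpack_from("<4s6H3L5H2L", data, pos)  # 46-byte fixed part
        name_len, extra_len, cmt_len, local_off = f[10], f[11], f[12], f[16]
        cd_name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        pos += 46 + name_len + extra_len + cmt_len
        local_offsets.append(local_off)

        if data[local_off:local_off + 4] != LOCAL_SIG:
            anomalies.append("entry %r: no local header at offset %d" % (cd_name, local_off))
            entries.append({"central": cd_name, "local": None})
            continue
        lf = struct.unpack_from("<4s5H3L2H", data, local_off)  # 30-byte fixed part
        local_name = data[local_off + 30:local_off + 30 + lf[9]].decode("cp437", "replace")
        if local_name != cd_name:
            anomalies.append("entry %r: local header names it %r" % (cd_name, local_name))
        entries.append({"central": cd_name, "local": local_name})

    if local_offsets and min(local_offsets) > 0:
        anomalies.append("%d bytes precede the first local header" % min(local_offsets))
    return entries, anomalies


def banned_names(entries, pattern=BANNED_NAME_RE):
    """Names from EITHER header that the banned-name pattern would catch."""
    hits = set()
    for e in entries:
        for name in (e["central"], e["local"]):
            if name and pattern.search(name):
                hits.add(name)
    return sorted(hits)


def central_directory_view(data):
    """What a central-directory-driven tool (Python's zipfile here) lists."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample(mismatch=False):
    """Constructed test archive (not the thread's Dropbox file): one member named
    Docs-5280.exe holding a harmless 'MZ' stub. With mismatch=True the local
    header's name is patched to a same-length .txt name, so the two headers
    disagree without shifting any offsets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Docs-5280.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if mismatch:
        name_off = data.find(LOCAL_SIG) + 30
        assert data[name_off:name_off + 13] == b"Docs-5280.exe"
        data[name_off:name_off + 13] = b"Docs-5280.txt"
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("mismatched", build_sample(mismatch=True))):
        entries, anomalies = parse_zip(blob)
        print(label, "central-dir view:", central_directory_view(blob))
        print(label, "per-entry names:", entries)
        print(label, "anomalies:", anomalies)
        print(label, "banned:", banned_names(entries))
```

Run it against a real suspect sample by replacing `build_sample()` with the file's bytes, and compare the names it prints with the ones amavisd logs at $log_level 5: if the decoder's name list is shorter than either header's, or the archive shows anomalies, the banned-name check is being applied to a different view of the archive than the recipient's unzip tool will use. Handle real samples like the ones in this thread on an isolated host; this script only reads headers and never extracts the payload.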