-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update your "file" package to the latest version.
Could be that your "file" does not detect the .zip as a zip file and didn't unpack the zip.
Simply check whether the result of "file $filename.zip" is "Zip archive data".

Cheers

On 05/27/2015 11:22 PM, Thomas Spuhler wrote:
> On Wednesday, May 27, 2015 11:13:25 PM Konstantin wrote:
>> Hi,
>>
>> Today I found the same behaviour with the following zip file.
>> In $log_level=5 I see that amavis sees the content of the zip archive
>> (Docs-5280.exe) but did not block it.
>> If I extract the Docs-5280.exe file and place it into another zip file,
>> that zip file is correctly identified as
>> containing an .exe, and rejected by the server.
>>
>> Can anyone make a test from your side?
>>
>> I have CentOS 6 with amavisd-new-2.8.0
>>
>> == THE CONTAINED EXE FILE CONTAINS TROJAN ==
>> Original file: https://www.dropbox.com/s/b831empj0t8vz7f/invoice.zip?dl=0
>>
>> Thank you.
>>
>> 2015-04-24 1:08 GMT+03:00 Thomas Spuhler <thomas.spuh...@btspuhler.com>:
>>> On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
>>>> Hello,
>>>>
>>>> This morning our mailserver (Postfix+Amavis) had a virus pass through to
>>>> our users. The file was an .exe file within a .zip file. The server is
>>>> configured to block .exe files with $banned_filename_re, but this one
>>>> slipped by. After setting $log_level to 5, it seems that the ZIP file
>>>> was never decoded by amavis, but allowed to pass unscanned. ClamAV
>>>> missed the virus as well, but it should have never made it to that point
>>>> anyway. The strangest thing is, if I extract the .exe file and place it
>>>> into a "new" zip file, that zip file is correctly identified as
>>>> containing an .exe, and blocked by the server.
>>>>
>>>> I've gone so far as to override the default zip decoding, using 7zip:
>>>>
>>>> @decoders = (
>>>>   ['zip', \&do_7zip, ['7z', '7za'] ],
>>>> );
>>>>
>>>> and the same behaviour is exhibited.
>>>>
>>>> Versions:
>>>> Ubuntu 10.04
>>>> amavisd-new-2.6.4
>>>>
>>>> I realize this version is quite out of date, and that may be the
>>>> ultimate cause of the issue (working on testing this theory), but in
>>>> case it isn't I wanted to let someone know.
>>>>
>>>> I've made available the original and "new" zip files on Dropbox:
>>>> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
>>>> Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
>>>> New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
>>>
>>> The exe file is detected here.
>>> I downloaded your Original.zip from the dropbox and attached it to an
>>> e-mail I sent to myself.
>>> See the attachment for what happened.
>>> Of course, it didn't find the virus since the exe file was blocked before
>>> it got to the virus scanner.
>>>
>>> --
>>> Best regards
>>> Thomas Spuhler
>>>
>>> All of my e-mails have a valid digital signature
>>> ID 60114E63
>
> Konstantin:
> I downloaded the zip file from your link. Attached it to an e-mail to my wife's e-mail address (same
> server as mine) and the e-mail didn't get delivered. I got a message (as admin) that it was
> rejected.
> See the details of the message in the attachment. Do you really have an unzip program installed?
> I am using p7zip-9.20.1 for it, and for .exe /usr/bin/lha
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJVZuOZAAoJEAoTNwRDnEhRXDcIAJe+mVhdb6ADaHT4NVv7I5sW
sDz0pozLedmeidjfgLxDroGgW/DFJ0eYAcD45vnsfBsGnTpyjVX8YXOh603ffXLw
tHFtfxFQ8TnAojQAcURc5gGbTYsNzDBZA0bybUiyhP1eo7H5beWcpxkJLra4weLJ
7qwj2r+LfiA43ayUEr5aOSr+y2nL18JeRexfUCE8wQ6OJM2LHxJ/mXdgpKM3R9xf
JtrFDjSHYXe7lpGtrBld5e2UbGTiQDfHCBV75WeNkzTMdxMPCWkSzLfAFXHuVXvQ
Cwgxr6J5niqcBnB2AE+8LiI89mFpJoYyjhn4DBdzcBVNxEUykMCG6qOQs6eO+9U=
=kDqy
-----END PGP SIGNATURE-----
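The thread turns on two separate checks that amavis performs on an attachment: first, whether the file is recognised as a zip at all (the "file $filename.zip" check suggested above), and second, whether any member name inside it matches $banned_filename_re. The following Python script is an added illustration of that two-step logic and is not code from the thread or from amavisd-new. It builds its own test archives with a harmless placeholder payload (not the trojan from the Dropbox links), uses a banned-name regex that is an assumption modelled on the usual $banned_filename_re style, and shows one reason the leading-magic check alone can mislead: an archive with leading non-zip bytes, as a self-extracting archive has, fails the signature check even though the zip container is still readable from its central directory and still carries a banned member.

```python
import io
import re
import zipfile

# Assumed banned-name policy in the spirit of amavisd-new's $banned_filename_re.
# This exact pattern is an assumption for the example, not the thread's configuration.
BANNED_NAME_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)

# Local file header signature that 'file' looks for at offset 0 of a plain zip.
ZIP_MAGIC = b"PK\x03\x04"


def build_zip(members):
    """Build an in-memory zip from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def looks_like_zip_by_magic(data):
    """Approximate what 'file' reports for a plain zip: check the leading signature."""
    return data.startswith(ZIP_MAGIC)


def banned_members(data):
    """Return member names that match the banned-name policy, or None if not a zip.

    zipfile locates the end-of-central-directory record from the end of the
    blob, so it also opens archives with leading non-zip bytes (e.g. a
    self-extractor stub) that a leading-signature check does not recognise.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if BANNED_NAME_RE.search(name)]


def scan_attachment(data):
    """Summarise both checks for one attachment and give the resulting verdict."""
    banned = banned_members(data)
    return {
        "magic_zip": looks_like_zip_by_magic(data),
        "parsed_zip": banned is not None,
        "banned": banned or [],
        "verdict": "REJECT" if banned else "PASS",
    }


# Constructed samples: the .exe member is a text placeholder, not a real program.
PLAIN_ZIP = build_zip({"Docs-5280.exe": b"MZ placeholder, not an executable"})
# Same archive preceded by a stub, as a self-extracting archive would be.
STUB_ZIP = b"self-extractor stub placeholder\r\n" + PLAIN_ZIP
CLEAN_ZIP = build_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})
NOT_A_ZIP = b"plain text that is not an archive of any kind"

if __name__ == "__main__":
    samples = [("plain", PLAIN_ZIP), ("stubbed", STUB_ZIP),
               ("clean", CLEAN_ZIP), ("text", NOT_A_ZIP)]
    for label, blob in samples:
        print(f"{label:8s} {scan_attachment(blob)}")
```

The "stubbed" sample is the instructive one: its verdict is still REJECT because the decoder step parsed the container and saw Docs-5280.exe, while the magic-byte check alone would have reported "not a zip". A mail gateway that decides whether to unpack solely from the first bytes, or from an outdated "file" database, therefore never gets to apply $banned_filename_re to the member names, which matches the log_level 5 symptom described in the thread.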