On 11/04/2016 16:58, Thomas Jarosch wrote:
> Hi Alessandro,
>
> On Monday, 11. April 2016 16:38:15 Alessandro Briosi wrote:
>> > This is what is detected:
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p003 1 Content-Type:
>> > multipart/mixed
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p001 1/1 Content-Type:
>> > text/plain, size: 564 B, name:
>> > Apr 11 14:36:28 mail amavis[31751]: (31751-01) p002 1/2 Content-Type:
>> > application/zip, size: 59784 B, name: documento_
>> > fatturaaccompagnatoria_.pdf.zip
>> >
>> > which seems pretty correct to me
>> >
>> > No white listing I can guess of.
>> > If I unzip the file and rezip it, then send an identical mail the file
>> > is blocked.
> the problem here is that the .exe file is not unzipped correctly.
> I could reproduce the problem locally.
>
> We've received a similar sample virus six weeks ago and privately informed
> the perl Archive::Zip maintainer. He's currently looking into it.
>
> I'll keep you posted once there's an update on this.

Oh, thank you.

The odd thing is that it still passes if I enable the following (the
"# don't trust Archive::Zip" part), which was commented before.

    @keep_decoded_original_maps = (new_RE(
    # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
      qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
      qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
      qr'^Zip archive data',     # don't trust Archive::Zip
    ));

And on the server using unzip works correctly.

Alessandro
