Hi everyone,
I am using the latest version of amavis (2.11.1) and have configured
banned filenames to block executable files (.exe) with the following in
$banned_filename_re :
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned
extension - basic
There was a case where an attached gzip file (xxxx.gz) contained an
executable file. The gzip file contained the filename information of the
compressed file, so if a user opened the file using any windows archive
tool (winzip, 7z, winrar) he could see the executable file inside with
the .exe ending, based on the information contained in the .gz file.
I did some tests and noticed that amavis ignores the filename
information in the .gz file and assumed that the contained file's is the
same as the archive, removing the .gz extension
Enabling banning based on file(1) by adding the following in the config
file:
qr'^\.(exe|exe-ms)$', # banned file(1)
types
did catch the file, but noticed several cases of false positives, so a
cleaner, direct solution would be preferred.
I think amavis should extract the filename information contained in the
.gz file and incorporate it in the banned filename checks.
Has anyone else come across this?
During startup amavis reports in the log file the following regarding
gzip files (I have $gzip = "gzip" in the conf file):
amavis[2571]: Found decoder for .gz at /usr/bin/gzip -d
amavis[2571]: Internal decoder for .gz (backup, not used)
I also tried disabling the use of gzip, in which case the internal
decoder was used for .gz but the behavior was the same.
Regard,
Savvas Karagiannidis
