Hi again,
sorry for spamming :(
Since my problem is related to unpacking the RAR archive and I could not yet get the "unar" tool to work with amavis I am in the meantime searching for other alternatives...
I've tried to update the unrar rpm (from 4.2 to 5.4) on our test system. This seemed to work at first, since the RAR archive containing the malware was now properly unpacked by amavis and the malware got recognized.
Unfortunately, now I see other problems with other (probably older?) RAR archives?
amavis[4060]: (04060-01) File-type of p002: RAR archive data, v1d, os: Unix; (rar)
amavis[4060]: (04060-01) decompose_part: p001 - atomic
amavis[4060]: (04060-01) Expanding RAR archive p002
amavis[4060]: (04060-01) (!)do_unrar: can't parse info line for "" -rwxr-xr-x 40 47 117% 2016-12-20 10:33 15EF6689 hello-word.py
amavis[4060]: (04060-01) Charging 47 bytes to remaining quota 521858 (out of 522000, (0%)) - by do_unrar-pre
amavis[4060]: (04060-01) do_unrar: no archive members, or not an archive at all
amavis[4060]: (04060-01) lookup [keep_decoded_original] => undef, "RAR archive data, v1d, os: Unix" does not match
amavis[4060]: (04060-01) decompose_part: p002 - archive, unpacked
I found some threads which seem to include the same or at least similar problems:
https://groups.google.com/forum/#!topic/mailing.unix.amavis-user/aDZYqrdXLlI
https://de.postfix.org/pipermail/postfix-users/2014-June/004219.html (in German :P)
I've tested now using amavisd-new-2.11.1-1.el7.noarch and unrar-5.4.0-1.el7.x86_64.
Does anyone have any experience/recommendations regarding amavisd-new and RAR archives under RH/CentOS?
I found this thread on including unar support in amavis:
https://bugzilla.redhat.com/show_bug.cgi?id=1517572
Unfortunately the last 3 comments do not seem to be very promising? :(
Cheers
Jan
----- Original Message -----
| From: "Jan Engels" <[email protected]>
| To: "Patrick Ben Koetter" <[email protected]>
| Cc: [email protected]
| Sent: Tuesday, March 24, 2020 1:42:23 PM
| Subject: Re: malware went through because RAR file fails to unpack
| Hi Patrick,
|
| unfortunately it didn't work. The unrar on my CentOS7 system does not seem to be
| able to handle the newer RAR versions, i.e. extract the file containing the
| malware:
|
| $ unrar x SWIFT\ MT103\ Copy.rar
|
| UNRAR 4.20 freeware Copyright (c) 1993-2012 Alexander Roshal
|
| Unsupported archive format. Please update RAR to a newer version.
| SWIFT MT103 Copy.rar is not RAR archive
| No files to extract
|
| I could however find another package which seems to be better for unpacking rar
| files and is available on CentOS7:
|
| unar-1.10.1-1.el7.x86_64
|
| Using this tool I could extract the RAR without problems:
|
| $ unar SWIFT\ MT103\ Copy.rar
| SWIFT MT103 Copy.rar: RAR 5
| SWIFT MT103 Copy.exe (81920 B)... OK.
| Successfully extracted to "./SWIFT MT103 Copy.exe".
|
|
| Is it possible to include unar in the amavis.conf?
|
| I could not get it to work by adjusting the corresponding section:
|
|| @decoders = (
|| ['mail', \&do_mime_decode],
| ...
|| ['rar', \&do_unrar, ['unar'] ],
|
| This led to the following error:
|
| amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags:
| Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: can't get a
| list of archive members: exit 1; Unknown option -idcdp.
|
|
| Does anyone know if or how this can be done? I could find the -idcdp option in
| the amavisd script:
|
| my(@common_rar_switches) = qw(-c- -p- -idcdp); # -av-
|
| can this variable somehow be switched off/overwritten in the amavis.conf file?
|
| Cheers
| Jan
|
| ----- Original Message -----
|| From: "Jan Engels" <[email protected]>
|| To: "Patrick Ben Koetter" <[email protected]>
|| Cc: [email protected]
|| Sent: Monday, March 23, 2020 9:24:35 PM
|| Subject: Re: malware went through because RAR file fails to unpack
|
|| Hi everyone,
||
|| thanks a lot for the quick reply. For now I'm just blocking rar archives from
|| external. My @decoders section currently looks as follows:
||
|| @decoders = (
|| ['mail', \&do_mime_decode],
|| # [[qw(asc uue hqx ync)], \&do_ascii], # not safe
|| ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
|| ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
|| ['gz', \&do_uncompress, 'gzip -d'],
|| ['gz', \&do_gunzip],
|| ['bz2', \&do_uncompress, 'bzip2 -d'],
|| ['xz', \&do_uncompress,
|| ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
|| ['lzma', \&do_uncompress,
|| ['lzmadec', 'xz -dc --format=lzma',
|| 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
|| ['lrz', \&do_uncompress,
|| ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
|| ['lzo', \&do_uncompress, 'lzop -d'],
|| ['lz4', \&do_uncompress, ['lz4c -d'] ],
|| ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
|| [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
|| # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
|| ['deb', \&do_ar, 'ar'],
|| # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
|| ['rar', \&do_unrar, ['unrar', 'rar'] ],
|| ['arj', \&do_unarj, ['unarj', 'arj'] ],
|| ['arc', \&do_arc, ['nomarch', 'arc'] ],
|| ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
|| # ['doc', \&do_ole, 'ripole'], # no ripole package so far
|| ['cab', \&do_cabextract, 'cabextract'],
|| # ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead
|| ['tnef', \&do_tnef],
|| # ['lha', \&do_lha, 'lha'], # not safe, use 7z instead
|| # ['sit', \&do_unstuff, 'unstuff'], # not safe
|| [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
|| [['zip','kmz'], \&do_unzip],
|| ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
|| [[qw(gz bz2 Z tar)],
|| \&do_7zip, ['7za', '7z'] ],
|| [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
|| \&do_7zip, '7z' ],
|| ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
|| );
||
|| For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
|| version of unrar which causes problems? I currently have the following
|| installed:
||
|| unrar-4.2.4-1.el7.x86_64
||
|| I will anyway try to remove the 'rar' from the list as proposed by p@rick:
|| ['rar', \&do_unrar, ['unrar'] ],
||
|| and just leave 'unrar' to check if it helps...
||
|| @p@trick: I currently also do not have:
||
|| \&Amavis::Unpackers::do_unrar
||
|| anywhere in my list. Is that for using some amavis perl 'unrar' library?
||
|| My current amavis version is:
||
|| amavisd-new-2.11.1-1.el7.noarch
||
|| Thanks a lot for your help!
||
|| Cheers
|| Jan
||
||
|| ----- Original Message -----
||| From: "Patrick Ben Koetter" <[email protected]>
||| To: [email protected]
||| Sent: Monday, March 23, 2020 8:42:53 PM
||| Subject: Re: malware went through because RAR file fails to unpack
||
||| * Benny Pedersen <[email protected]>:
|||> On 2020-03-23 18:01, Engels, Jan wrote:
|||>
|||> > i.e. malware went through amavis because the RAR archive containing
|||> > the malware could not be unpacked:
|||>
|||> is clamav detect this virus ?
|||
||| Recent clamav versions detect RARv5 archives and unpack them properly.
|||
|||
|||>
|||> is amavisd unpacking it, or just not detect it ?
|||>
|||> sorry not using amavisd here, but fuglu could have same problem
|||
||| --
||| [*] sys4 AG
|||
||| https://sys4.de, +49 (89) 30 90 46 64
||| Schleißheimer Straße 26/MG, 80333 München
|||
||| Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
||| Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
||| Aufsichtsratsvorsitzender: Florian Kirstein
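The failure mode discussed in this thread (unrar 4.20 printing "Unsupported archive format" for a RAR5 attachment, after which the part is left unscanned and the message is delivered) can be caught before the unpacker is even invoked, because RAR4 and RAR5 archives carry different header signatures. The script below is an added example, not code from this thread or from the amavisd-new project: it classifies an attachment by its magic bytes and returns a fail-closed disposition ("quarantine") whenever the configured unrar major version is known not to open that format. The sample attachments are constructed byte strings, the "RE~^" signature for pre-1.5 archives is taken from libmagic's description and is an assumption here, and the support table for unrar majors is illustrative rather than a statement about any particular build.

```python
# Added example (not from the amavis-users thread or from amavisd-new):
# classify RAR attachments by header magic and decide, fail-closed, whether
# the configured unpacker can inspect them before the message is delivered.

from typing import Dict, Optional

# Signatures from the RAR format: RAR 1.5 to 4.x archives start with
# "Rar!\x1a\x07\x00", RAR 5.0+ archives with "Rar!\x1a\x07\x01\x00".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Assumption (from libmagic's entry for very old archives, not from the
# thread): RAR 1.x archives (pre-1.5) begin with "RE~^".
RAR1_MAGIC = b"RE\x7e\x5e"


def rar_format(data: bytes) -> Optional[str]:
    """Return "rar5", "rar4" (covers RAR 1.5-4.x), "rar1", or None if the
    bytes do not start with a RAR signature."""
    # RAR5 is tested first; its 8th byte (0x01) differs from RAR4's (0x00),
    # so the two prefixes never match the same input.
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(RAR1_MAGIC):
        return "rar1"
    return None


# Which formats each unrar major version is assumed to open. unrar 4.x
# rejects RAR5 with "Unsupported archive format" (the error in the thread);
# unrar 5.x opens both. Treat this table as site configuration.
UNPACKER_SUPPORT = {
    4: {"rar1", "rar4"},
    5: {"rar1", "rar4", "rar5"},
}


def disposition(data: bytes, unrar_major: int) -> str:
    """Fail-closed decision for one attachment body.

    not-rar          -> leave to the other decoders/scanners
    unpack-and-scan  -> the configured unrar can open it, scan the contents
    quarantine       -> format the unpacker cannot open; do not deliver
                        an attachment that could not be inspected
    """
    fmt = rar_format(data)
    if fmt is None:
        return "not-rar"
    if fmt in UNPACKER_SUPPORT.get(unrar_major, set()):
        return "unpack-and-scan"
    return "quarantine"


def triage(attachments: Dict[str, bytes], unrar_major: int) -> Dict[str, str]:
    """Apply disposition() to every attachment of a message."""
    return {name: disposition(body, unrar_major) for name, body in attachments.items()}


def header_of(path: str, length: int = 8) -> bytes:
    """Read only the leading bytes of a file on disk; enough for rar_format()."""
    with open(path, "rb") as fh:
        return fh.read(length)


# Constructed sample attachments (signature plus filler, not real archives).
SAMPLE_ATTACHMENTS = {
    "SWIFT MT103 Copy.rar": RAR5_MAGIC + b"\x00" * 16,   # RAR5, like the thread's sample
    "old-archive.rar": RAR4_MAGIC + b"\x00" * 16,        # RAR 1.5-4.x layout
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",      # not a RAR at all
}

if __name__ == "__main__":
    for major in (4, 5):
        print(f"unrar {major}.x:", triage(SAMPLE_ATTACHMENTS, major))
```

With unrar 4.x configured, the RAR5 sample is reported as "quarantine" instead of being passed along unscanned; with unrar 5.x it becomes "unpack-and-scan". The same check can be run against real files with header_of(), and the table can be narrowed further if a site's unpacker is known to mis-parse particular old layouts.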