Sorry, I really hate that keyboard shortcut which sends out emails without
prompting :)
| Then the test rar archive is unpacked correctly by amavis and the EICAR test is
| recognized:
amavis[21724]: (21724-02) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20200415T150826-21724-m9KBmeRk/parts INFECTED: {HEX}EICAR.TEST.3.UNOFFICIAL
| You can For details you can check my email sent to this mailing list on 25th
| Mar. with subject:
| "malware went through because RAR file fails to unpack".
This last sentence should read:
For details you can check my email sent to this mailing list on 25th Mar. with
subject:
"malware went through because RAR file fails to unpack".
I've also tried to use the "unar" tool which is now included in the standard epel
repositories but it seems that this is not yet supported by amavis :(
Many thanks for all the great support in this list and for any help regarding
this issue.
Cheers
Jan
----- Original Message -----
| From: "Jan Engels" <[email protected]>
| To: "Ralph Seichter" <[email protected]>
| Cc: [email protected]
| Sent: Wednesday, April 15, 2020 3:34:59 PM
| Subject: Re: amavisd and centos8 compatibility
| Hi Ralph,
|
| yes, the tools on a particular platform are independent of amavis but
| unfortunately I am currently also experiencing problems with unrar and Amavis
| and in this case it seems that the problem lies on amavis side. I was running an
| older version of unrar (unrar-4.2.4-1.el7.x86_64) until a malware went through
| our system because the RARv5 archive containing the malware could not be
| unpacked. So I've tried to upgrade the unrar version in our systems in order to
| handle RARv5 archives. The problem is that after upgrading (to
| unrar-5.4.0-1.el7.x86_64) I am now getting another error, such as:
|
| amavis[21724]: (21724-01) (!)do_unrar: can't parse info line for "" -rw-r--r-- 68 72 105% 2020-04-15 15:01 6851CF3C eicar.com\n
|
|
| I get this error when sending a test rar archive (created by me on my ubuntu
| 16.04 desktop using rar version 2:5.3.b2-1) and which only contains the typical
| "eicar.com" testfile. I've confirmed that the rar archive is OK and I could even
| successfully unpack it on the command line directly on my amavis machine. Here
| is the output:
|
| unrar x eicar.com.rar
|
| UNRAR 5.40 freeware Copyright (c) 1993-2016 Alexander Roshal
|
|
| Extracting from eicar.com.rar
|
| Extracting eicar.com OK
| All OK
|
|
|
| However if I send this rar archive through amavis it fails with the error shown
| above.
|
| The amavis version running in our system is:
| amavisd-new-2.11.1-1.el7.noarch
| clamav-0.102.2-4.el7.x86_64
|
|
| If I downgrade the unrar version to the previous version:
| unrar-4.2.4-1.el7.x86_64
|
| Then the test rar archive is unpacked correctly by amavis and the EICAR test is
| recognized:
|
|
|
| You can For details you can check my email sent to this mailing list on 25th
| Mar. with subject:
| "malware went through because RAR file fails to unpack".
|
|
|
| ----- Original Message -----
|| From: "Ralph Seichter" <[email protected]>
|| To: [email protected]
|| Sent: Thursday, April 9, 2020 10:08:16 PM
|| Subject: Re: amavisd and centos8 compatibility
|
|| * [email protected]:
||
||> tools like unrar or cabextract is not available in centos8 with
||> epel-release and enabled PowerTools.
||
|| Amavis searches the system it is running on for some well-known
|| binaries. If CentOS uses different ones, you can manually change the
|| list of binaries by modifying your amavisd.conf. Also, if you don't
|| expect to receive .zoo or .cab archives, not having extractor utilities
|| for them won't hurt much.
||
|| What tools are available on a particular platform is not an Amavis
|| issue, so I suggest you contact the CentOS package maintainers.
||
| | -Ralph
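
An added example, not part of the thread and not amavis code: a log check that finds the `do_unrar: can't parse info line` failures quoted above and lists the archive members involved, so messages whose RAR attachments were not unpacked can be pulled for re-scanning. The sample log lines (timestamps, host name `mx`, the second file name) are constructed, and the column order of the info line (attributes, size, packed size, ratio, date, time, checksum, name) is an assumption read off the line quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two amavis log lines quoted in the thread.
SAMPLE_LOG = r'''
Apr 15 15:01:10 mx amavis[21724]: (21724-01) (!)do_unrar: can't parse info line for "" -rw-r--r-- 68 72 105% 2020-04-15 15:01 6851CF3C eicar.com\n
Apr 15 15:08:26 mx amavis[21724]: (21724-02) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20200415T150826-21724-m9KBmeRk/parts INFECTED: {HEX}EICAR.TEST.3.UNOFFICIAL
Apr 15 15:09:02 mx amavis[21730]: (21730-01) (!)do_unrar: can't parse info line for "" -rw-r--r-- 1024 512 50% 2020-04-15 15:08 0A1B2C3D invoice.exe\n
'''

# "amavis[pid]: (task-id) message"
LOG_LINE = re.compile(r'amavis\[\d+\]: \((?P<task>\d+-\d+)\) (?P<msg>.*)$')
# The decoder failure; the rejected listing line follows the quoted (empty) name.
UNRAR_FAIL = re.compile(
    r'''\(!\)do_unrar: can't parse info line for "[^"]*"\s+(?P<info>.*)$''')
# Assumed column order of the rejected line (see lead-in). The log shows the
# line terminator as a literal backslash-n, which is stripped from the name.
INFO_LINE = re.compile(
    r'^(?P<attr>\S+)\s+(?P<size>\d+)\s+(?P<packed>\d+)\s+(?P<ratio>\d+%)\s+'
    r'(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+'
    r'(?P<crc>[0-9A-Fa-f]{8})\s+(?P<name>.+?)(?:\\n)?$')


def unrar_failures(log_text):
    """Map amavis task id -> list of (member name, size) that were not unpacked.

    A member is recorded as (None, None) when the rejected line does not fit
    the assumed column layout, so the failure is still reported.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        entry = LOG_LINE.search(line)
        if not entry:
            continue
        fail = UNRAR_FAIL.match(entry['msg'])
        if not fail:
            continue
        info = INFO_LINE.match(fail['info'].strip())
        if info:
            failures[entry['task']].append((info['name'], int(info['size'])))
        else:
            failures[entry['task']].append((None, None))
    return dict(failures)


if __name__ == '__main__':
    for task, members in unrar_failures(SAMPLE_LOG).items():
        print(task, members)
```
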