This zip file passes the .exe banning why?
Alessandro Briosi
2016-04-11 13:18:11 UTC
Hi all,
The file you can find here [1] bypasses amavis extensions checks.

In my configuration .exe are banned (even inside .zip files)

Though for some reason this .zip passes.

I also have checks for double extensions which on normal files work
(still even within .zip files)
I also tried renaming the file (leaving the .zip)

This one bypasses the checks and I'm probably too dumb to find out why.

Any help would be appreciated.

**N.B. Obviously it's a virus so do not execute the file!!!!!!**

Thanks,
Alessandro

[1] http://www.metalit.net/ou/?a=d&i=ExtH8JVh
Dino Edwards
2016-04-11 13:46:37 UTC
Can you paste your banned file configuration?



Thomas Jarosch
2016-04-11 13:39:58 UTC
Hi Alessandro,
Post by Alessandro Briosi
The file you can find here [1] bypasses amavis extensions checks.
In my configuration .exe are banned (even inside .zip files)
Though for some reasons this .zip passes.
I also have checks for double extensions which on normal files work
(still even within .zip files)
I also tried renaming the file (leaving the .zip)
This one bypasses the checks and I'm probably too dumb to find out why.
Any help would be appreciated.
**N.B. Obviously it's a virus so do not execute the file!!!!!!**
Two things you could try:

1. Test if .exe detection in .zip files works generally.
Just grab any .exe file, zip it and send it through the filter.

Is that properly banned?

2. If so, it's probably some whitelist issue. Please inspect the amavisd log
output about the detected MIME type.
I've posted about a similar whitelist issue here:
https://lists.amavis.org/pipermail/amavis-users/2016-March/004125.html


Best regards,
Thomas
Alessandro Briosi
2016-04-11 14:38:15 UTC
Hi,
Post by Thomas Jarosch
1. Test if .exe detection in .zip files works generally.
Just grab any .exe file, zip it and send it through the filter.
Is that properly banned?
Yes, the others are correctly blocked.
Post by Thomas Jarosch
2. If so, it's probably some whitelist issue. Please inspect the amavisd log
output about the detected MIME type.
https://lists.amavis.org/pipermail/amavis-users/2016-March/004125.html
This is what is detected:
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p003 1 Content-Type: multipart/mixed
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p001 1/1 Content-Type: text/plain, size: 564 B, name:
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p002 1/2 Content-Type: application/zip, size: 59784 B, name: documento_fatturaaccompagnatoria_.pdf.zip

which seems pretty correct to me

No whitelisting I can think of.
If I unzip the file and rezip it, then send an identical mail the file
is blocked.

Alessandro
Alessandro Briosi
2016-04-11 14:39:10 UTC
Hi,
Post by Dino Edwards
Can you paste your banned file configuration?
$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
qr'.\.(pif|scr|js|rar|exe|com|cmd|vbs)$'i,
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
# double extension
qr'\.[^./]*[A-Za-z][^./]*\.\s*(vbs|pif|scr|bat|cmd|com|cpl|exe)[.\s]*$'i,

);

Some time ago this happened with rar files too, so I blocked them (as we
don't use rar, and didn't have much time to investigate)

BTW, this happens with version 2.8.0 and 2.9.1 on a Centos5 and a Centos
6.7 respectively installed from third party repositories (DAG and
FedoraProject)

Alessandro
Thomas Jarosch
2016-04-11 14:58:11 UTC
Hi Alessandro,
Post by Alessandro Briosi
multipart/mixed
application/zip, size: 59784 B, name: documento_fatturaaccompagnatoria_.pdf.zip
which seems pretty correct to me
No white listing I can guess of.
If I unzip the file and rezip it, then send an identical mail the file
is blocked.
the problem here is that the .exe file is not unzipped correctly.
I could reproduce the problem locally.

We've received a similar sample virus six weeks ago and privately informed
the perl Archive::Zip maintainer. He's currently looking into it.

I'll keep you posted once there's an update on this.

Cheers,
Thomas
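Thomas's diagnosis above is that two unpackers disagree about what the archive contains: Archive::Zip misses the .exe while unzip extracts it. The thread does not say what is malformed in the sample, so the following is an added illustration (not code from the thread, from amavis or from Archive::Zip) of the kind of consistency check a content filter can apply before trusting any listing: it compares the names in the ZIP central directory with the names in the local file headers and treats any disagreement as undecipherable. The archive, its entry names and the filter_verdict/build_* functions are all constructed here for the example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature
CD_SIG = b"PK\x01\x02"     # central directory header signature

def local_header_names(data):
    """Names in the local file headers, walked front to back like a streaming unpacker."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        # compressed size at +18, skip uncompressed size, name length at +26, extra length at +28
        csize, nlen, xlen = struct.unpack_from("<I4xHH", data, pos + 18)
        names.append(data[pos + 30:pos + 30 + nlen].decode("cp437", "replace"))
        # with general-purpose flag bit 3 csize is 0 and this degrades to a signature search
        pos += 30 + nlen + xlen + csize

def central_directory_names(data):
    """Names in the central directory, the view a random-access library trusts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def filter_verdict(data):
    """Refuse to trust either listing when they disagree: treat the archive as undecipherable."""
    try:
        listed = central_directory_names(data)
    except zipfile.BadZipFile:
        return "undecipherable"
    if sorted(listed) != sorted(local_header_names(data)):
        return "undecipherable"
    return "ok"

def build_sample():
    """Constructed sample: a normal one-entry archive (not the thread's file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.bin", b"constructed payload, not a real program")
    return buf.getvalue()

def build_inconsistent_sample():
    """Constructed sample: same archive with the central directory entry renamed (same length)."""
    data = bytearray(build_sample())
    cd = data.find(CD_SIG)
    nlen = struct.unpack_from("<H", data, cd + 28)[0]  # file name length field
    data[cd + 46:cd + 46 + nlen] = b"document.txt"      # file name begins at +46
    return bytes(data)
```

In amavis terms, an archive that fails this check is a candidate for the MAIL-UNDECIPHERABLE handling rather than for a pass as a plain .zip.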
Alessandro Briosi
2016-04-11 16:08:19 UTC
Post by Thomas Jarosch
Hi Alessandro,
Post by Alessandro Briosi
multipart/mixed
application/zip, size: 59784 B, name: documento_fatturaaccompagnatoria_.pdf.zip
which seems pretty correct to me
No white listing I can guess of.
If I unzip the file and rezip it, then send an identical mail the file
is blocked.
the problem here is that the .exe file is not unzipped correctly.
I could reproduce the problem locally.
We've received a similar sample virus six weeks ago and privately informed
the perl Archive::Zip maintainer. He's currently looking into it.
I'll keep you posted once there's an update on this.
Oh, thank you.

The odd thing is that it still passes if I enable the following (The
#don't trust Archive::Zip part), which was commented before.

@keep_decoded_original_maps = (new_RE(
  # qr'^MAIL$',              # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',     # don't trust Archive::Zip
));

And on the server using unzip works correctly.

Alessandro
Thomas Jarosch
2016-04-12 14:34:15 UTC
Post by Alessandro Briosi
The odd thing is that it still passes if I enable the following (The
#don't trust Archive::Zip part), which was commented before.
@keep_decoded_original_maps = (new_RE(
  # qr'^MAIL$',              # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',     # don't trust Archive::Zip
));
And on the server using unzip works correctly.
@keep_decoded_original_maps just keeps the .zip file around.
Since you don't block .zip files, it's more or less by design it passes.

Or do you mean "it passes the virus scanner"?

That's a matter of how fast the AV vendor gets
the sample and adds (generic) detection for it.

Thomas
Alessandro Briosi
2016-04-12 15:07:33 UTC
Post by Thomas Jarosch
Post by Alessandro Briosi
The odd thing is that it still passes if I enable the following (The
#don't trust Archive::Zip part), which was commented before.
@keep_decoded_original_maps = (new_RE(
  # qr'^MAIL$',              # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',     # don't trust Archive::Zip
));
And on the server using unzip works correctly.
@keep_decoded_original_maps just keeps the .zip file around.
Since you don't block .zip files, it's more or less by design it passes.
Or do you mean "it passes the virus scanner"?
That's a matter of how fast the AV vendor gets
the sample and adds (generic) detection for it.
Thomas
Oh, ok,

I thought the "# don't trust Archive::Zip" meant to use "unzip" and not
the perl library to handle zip files.

It passes the virus scanner, but that's because this kind of virus
(probably cryptolocker) doesn't get caught by most antivirus software.

Alessandro
