Can you paste your banned file configuration?



From: amavis-users [mailto:amavis-users-bounces+dino.edwards=***@amavis.org] On Behalf Of Alessandro Briosi
Sent: Monday, April 11, 2016 9:18 AM
To: amavis-***@amavis.org
Subject: This zip file passes the .exe banning why?

Hi all,
The file you can find here [1] bypasses amavis extensions checks.

In my configuration .exe are banned (even inside .zip files)

Though for some reasons this .zip passes.

I also have checks for double extensions which on normal files work (still even within .zip files)
I also tryed renaming the file (leaving the .zip)

This one bypasses the checks and I'm probably too dumb to find out why.
Any help would be appreciated.

*N.B. Obviously it's a virus so do not execute the file!!!!!!*

Thanks,
Alessandro

[1] http://www.metalit.net/ou/?a=d&i=ExtH8JVh

Hi Alessandro,
two things you could try:

1. Test if .exe detection in .zip files works generally.
Just grab any .exe file, zip it and send it through the filter.

Is that properly banned?

2. If so, it's probably some whitelist issue. Please inspect the amavisd log
output about the detected MIME type.
I've posted about a similar whitelist issue here:
https://lists.amavis.org/pipermail/amavis-users/2016-March/004125.html


Best regards,
Thomas

Hi,
Yes, the others are correctly blocked.
This is what is detected:
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p003 1 Content-Type:
multipart/mixed
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p001 1/1 Content-Type:
text/plain, size: 564 B, name:
Apr 11 14:36:28 mail amavis[31751]: (31751-01) p002 1/2 Content-Type:
application/zip, size: 59784 B, name: documento_
fatturaaccompagnatoria_.pdf.zip

which seems pretty correct to me

No white listing I can guess of.
If I unzip the file and rezip it, then send an identical mail the file
is blocked.

Alessandro

Hi,
$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
qr'.\.(pif|scr|js|rar|exe|com|cmd|vbs)$'i,
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
# double extension
qr'\.[^./]*[A-Za-z][^./]*\.\s*(vbs|pif|scr|bat|cmd|com|cpl|exe)[.\s]*$'i,

);

Some time ago this happened with rar files too, so I blocked them (as we
don't use rar, and didn't have much time to investigate)

BTW, this happens with version 2.8.0 and 2.9.1 on a Centos5 and a Centos
6.7 respectively installed from third party repositories (DAG and
FedoraProject)

Alessandro

Hi Alessandro,
the problem here is that the .exe file is not unzipped correctly.
I could reproduce the problem locally.

We've received a similar sample virus six weeks ago and privately informed
the perl Archive::Zip maintainer. He's currently looking into it.

I'll keep you posted once there's an update on this.

Cheers,
Thomas

Ho, thank you.

The odd thing is that it still passes if I enable the following (The
#don't trust Archive::Zip part), which was commented before.

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can
be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains
undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
qr'^Zip archive data', # don't trust Archive::Zip
));

And on the server using unzip works correctly.

Alessandro

@keep_decoded_original_maps just keeps the .zip file around.
Since you don't block .zip files, it's more or less by design it passes.

Or do you mean "it passes the virus scanner"?

That's a matter of how fast the AV vendor gets
the sample and adds (generic) detection for it.

Thomas

Ho, ok,

I thought the "# don't trust Archive::Zip" meant to use "unzip" and not
the perl library to handle zip files.

It passes the virus scanner, but that's because this kind of virus
(probably cryptolocker, don't get caught by most antivirus software)

Alessandro