On Thursday, April 23, 2015 02:24:19 PM Brendan Zerr wrote:
> Hello,
>
> This morning our mailserver (Postfix+Amavis) had a virus pass through to
> our users. The file was an .exe file within a .zip file. The server is
> configured to block .exe files with $banned_filename_re, but this one
> slipped by. After setting $log_level to 5, it seems that the ZIP file
> was never decoded by amavis, but allowed to pass unscanned. ClamAV
> missed the virus as well, but it should have never made it to that point
> anyway. The strangest thing is, if I extract the .exe file and place it
> into a "new" zip file, that zip file is correctly identified as
> containing an .exe, and blocked by the server.
>
> I've gone so far as to override the default zip decoding, using 7zip:
>
> @decoders = (
> ['zip', \&do_7zip, ['7z', '7za'] ]
> );
>
> and the same behaviour is exhibited.
>
> Versions:
> Ubuntu 10.04
> amavisd-new-2.6.4
>
> I realize this version is quite out of date, and that may be the
> ultimate cause of the issue (working on testing this theory), but in
> case it isn't I wanted to let someone know.
>
> I've made available the original and "new" zip files on Dropbox:
> == THE CONTAINED EXE FILE IS ACTIVELY HARMFUL TO A WINDOWS HOST ==
> Original: https://www.dropbox.com/s/modnz533k4swum7/Original.zip
> New: https://www.dropbox.com/s/5ynitllq0ghvfqn/NewZip.zip
The exe file is detected here. I downloaded your Original.zip from the Dropbox and attached it to an e-mail I sent to myself. See the attachment for what happened. Of course, it didn't find the virus, since the exe file was blocked before it got to the virus scanner.

--
Best regards
Thomas Spuhler
All of my e-mails have a valid digital signature
ID 60114E63
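Not part of the thread: an added Python sketch of the defender-side check the report points at, namely a banned-name filter over a ZIP attachment that fails closed, so an archive the decoder cannot open gets quarantined instead of passing unscanned. The regex and the sample archives are constructed assumptions, not the site's configuration or amavis's own code.

```python
import io
import re
import zipfile

# Constructed stand-in for amavis's $banned_filename_re (assumption: the
# real site pattern may differ). Matches common Windows executable names.
BANNED_NAME_RE = re.compile(r'\.(exe|com|scr|pif|bat|cmd)$', re.IGNORECASE)


def scan_zip(data: bytes, banned_re=BANNED_NAME_RE) -> dict:
    """Return a verdict for a ZIP attachment: 'pass', 'banned' or 'undecodable'.

    The point is the third verdict: an archive the decoder cannot open is
    never treated as clean, because nothing has looked inside it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [info.filename for info in zf.infolist()]
            # testzip() walks every member; a CRC or header problem means the
            # listing above cannot be trusted either.
            if zf.testzip() is not None:
                raise zipfile.BadZipFile('member failed integrity check')
    except (zipfile.BadZipFile, EOFError, RuntimeError, ValueError) as exc:
        return {'verdict': 'undecodable', 'members': [], 'banned': [],
                'reason': str(exc)}

    banned = [name for name in members if banned_re.search(name)]
    verdict = 'banned' if banned else 'pass'
    return {'verdict': verdict, 'members': members, 'banned': banned,
            'reason': ''}


def build_sample_zip(names):
    """Construct a small in-memory archive with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b'placeholder text, not a real executable')
    return buf.getvalue()


if __name__ == '__main__':
    # Constructed inputs: a clean archive, one carrying an .exe, and junk
    # that only starts with the ZIP local-header magic.
    for sample in (build_sample_zip(['report.pdf']),
                   build_sample_zip(['docs/readme.txt', 'setup.EXE']),
                   b'PK\x03\x04 truncated junk'):
        print(scan_zip(sample))
```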
