Today my Anti-Spam-Virus-Gateway running with Postfix/Amavis/ClamAV ran into a strange problem. It let through a virus in a exe file, which was packed as a zip file. When I installed this gateway, I tested this behavior of course and there were no problems at all. So there are two questions to be answered:
1) Why did the packed exe file go through (it should have been banned in the first place)?
2) Why wasn't the virus detected?
To answer the first question, I did some research in the logs which show that the zip file couldn't be uncompressed:
Jul 7 14:59:19 linux amavis[15983]: (15983-02) (!)Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Compress::Raw::Zlib defines neither package nor VERSION--version check failed at (eval 79) line 467.
Now it makes sense, that the mail with the exe was not banned since Amavisd couldn't decompress the zip file to see that there is an exe in it! But why does that happen? It has worked before.
After some more and intensive version checkings and research I figured it must be due to a newer Amavisd-new version which I installed lately. And indeed, it is. I removed the current rpm amavisd-new-2.6.4-28.1 and installed the older version amavisd-new-2.6.3-8.1.x86_64.rpm:
rpm -e amavisd-new-2.6.4-28.1
rpm -ivh amavisd-new-2.6.3-8.1.x86_64.rpm
After that I resent from an external e-mail account a mail with a zip attachment containing an exe file and see what happens in the mail log:
Jul 7 16:51:58 linux amavis[32264]: (32264-01) p.path BANNED:1 recipient@example.com: "P=p004,L=1,M=multipart/mixed | P=p003,L=1/2,M=application/x-zip,T=zip,N=windirstat1_1_2_setup.zip | P=p006,L=1/2/1,T=exe,T=exe-ms,N=windirstat1_1_2_setup.exe", matching_key="(?i-xsm:.\\.(exe|msi|dll|vbs|pif|scr|bat|cmd|com|cpl)$)"
That's how it should be! So the problem comes definitely from Amavisd-new 2.6.4. Or at least from the rpm package for SLES10.
To answer the second question. This is a virus which was detected in the wild only today. This can unfortunately happen. For this case I'll install another virus scanner next to ClamAV with another signature base following the principle two eyes see better than one.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder