Zip-Unpacking problems with Amavisd-new 2.6.4

Written by - 0 comments

Published on - Listed in Linux Mail


Today my Anti-Spam-Virus-Gateway running with Postfix/Amavis/ClamAV ran into a strange problem. It let through a virus in a exe file, which was packed as a zip file. When I installed this gateway, I tested this behavior of course and there were no problems at all. So there are two questions to be answered:

1) Why did the packed exe file go through (it should have been banned in the first place)?
2) Why wasn't the virus detected?

To answer the first question, I did some research in the logs which show that the zip file couldn't be uncompressed:

Jul  7 14:59:19 linux amavis[15983]: (15983-02) (!)Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Compress::Raw::Zlib defines neither package nor VERSION--version check failed at (eval 79) line 467.

Now it makes sense, that the mail with the exe was not banned since Amavisd couldn't decompress the zip file to see that there is an exe in it! But why does that happen? It has worked before.

After some more and intensive version checkings and research I figured it must be due to a newer Amavisd-new version which I installed lately. And indeed, it is. I removed the current rpm amavisd-new-2.6.4-28.1 and installed the older version amavisd-new-2.6.3-8.1.x86_64.rpm:

rpm -e amavisd-new-2.6.4-28.1
rpm -ivh amavisd-new-2.6.3-8.1.x86_64.rpm

After that I resent from an external e-mail account a mail with a zip attachment containing an exe file and see what happens in the mail log:

Jul  7 16:51:58 linux amavis[32264]: (32264-01) p.path BANNED:1 recipient@example.com: "P=p004,L=1,M=multipart/mixed | P=p003,L=1/2,M=application/x-zip,T=zip,N=windirstat1_1_2_setup.zip | P=p006,L=1/2/1,T=exe,T=exe-ms,N=windirstat1_1_2_setup.exe", matching_key="(?i-xsm:.\\.(exe|msi|dll|vbs|pif|scr|bat|cmd|com|cpl)$)"

That's how it should be! So the problem comes definitely from Amavisd-new 2.6.4. Or at least from the rpm package for SLES10.

To answer the second question. This is a virus which was detected in the wild only today. This can unfortunately happen. For this case I'll install another virus scanner next to ClamAV with another signature base following the principle two eyes see better than one.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder