Hi everyone, thanks a lot for the quick reply. For now I'm just blocking rar archives from external. My @decoders section currently looks as follows:
    @decoders = (
      ['mail', \&do_mime_decode],
    # [[qw(asc uue hqx ync)], \&do_ascii],   # not safe
      ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
      ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
      ['gz', \&do_uncompress, 'gzip -d'],
      ['gz', \&do_gunzip],
      ['bz2', \&do_uncompress, 'bzip2 -d'],
      ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
      ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
      ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
      ['lzo', \&do_uncompress, 'lzop -d'],
      ['lz4', \&do_uncompress, ['lz4c -d'] ],
      ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
      [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
    # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
      ['deb', \&do_ar, 'ar'],
    # ['a', \&do_ar, 'ar'],   # unpacking .a seems an overkill
      ['rar', \&do_unrar, ['unrar', 'rar'] ],
      ['arj', \&do_unarj, ['unarj', 'arj'] ],
      ['arc', \&do_arc, ['nomarch', 'arc'] ],
      ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
    # ['doc', \&do_ole, 'ripole'],   # no ripole package so far
      ['cab', \&do_cabextract, 'cabextract'],
    # ['tnef', \&do_tnef_ext, 'tnef'],   # use internal do_tnef() instead
      ['tnef', \&do_tnef],
    # ['lha', \&do_lha, 'lha'],   # not safe, use 7z instead
    # ['sit', \&do_unstuff, 'unstuff'],   # not safe
      [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
      [['zip','kmz'], \&do_unzip],
      ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
      [[qw(gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
      [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
      ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
    );

For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7 version of unrar which causes problems? I currently have the following installed:

    unrar-4.2.4-1.el7.x86_64

I will anyway try to remove the 'rar' from the list as proposed by p@rick:

    ['rar', \&do_unrar, ['unrar'] ],

and just leave 'unrar' to check if it helps...
@p@trick: I currently also do not have:

    \&Amavis::Unpackers::do_unrar

anywhere in my list. Is that for using some amavis perl 'unrar' library? My current amavis version is:

    amavisd-new-2.11.1-1.el7.noarch

Thanks a lot for your help!

Cheers,
Jan

----- Original Message -----
| From: "Patrick Ben Koetter" <p...@sys4.de>
| To: amavis-users@amavis.org
| Sent: Monday, March 23, 2020 8:42:53 PM
| Subject: Re: malware went through because RAR file fails to unpack
|
| * Benny Pedersen <m...@junc.eu>:
|> On 2020-03-23 18:01, Engels, Jan wrote:
|>
|> > i.e. malware went through amavis because the RAR archive containing
|> > the malware could not be unpacked:
|>
|> does clamav detect this virus?
|
| Recent clamav versions detect RARv5 archives and unpack them properly.
|
|> is amavisd unpacking it, or just not detecting it?
|>
|> sorry, not using amavisd here, but fuglu could have the same problem
|
| --
| [*] sys4 AG
|
| https://sys4.de, +49 (89) 30 90 46 64
| Schleißheimer Straße 26/MG, 80333 München
|
| Registered office: München, Amtsgericht München: HRB 199263
| Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
| Chairman of the supervisory board: Florian Kirstein
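The thread turns on a RAR archive that the configured unpacker could not open, so the scanner never saw the payload. The following Python is an added example written for this discussion; it is not code from amavis, from the thread, or from sys4. It identifies the RAR container generation from the file signature (RAR 1.5 to 4.x starts with "Rar!\x1a\x07\x00", RAR 5.0+ with "Rar!\x1a\x07\x01\x00") and applies a fail-closed policy: an archive the installed unpacker is assumed not to handle is quarantined rather than passed through. The helper that judges an unrar version string assumes that RAR5 extraction needs unrar 5.0 or later; that threshold is an assumption stated here, not something the thread establishes, and the sample attachments are constructed bytes, not real mail.

```python
from typing import Optional

# File signatures of the two RAR container generations (public format constants).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Assumption for this example: unrar 5.0 or later is needed to open RAR5 archives.
MIN_UNRAR_MAJOR_FOR_RAR5 = 5


def rar_version(data: bytes) -> Optional[str]:
    """Return 'rar5', 'rar4' or None depending on the leading signature bytes.

    RAR5 is tested first because its signature is a superset of the RAR4 prefix.
    """
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    return None


def unrar_supports_rar5(version: str) -> bool:
    """Parse a version such as '4.2.4' (from a package name like unrar-4.2.4-1.el7)
    and report whether it meets the assumed RAR5 threshold."""
    major = version.split(".", 1)[0]
    return major.isdigit() and int(major) >= MIN_UNRAR_MAJOR_FOR_RAR5


def attachment_policy(data: bytes, unrar_version: str) -> str:
    """Fail-closed decision for one attachment body.

    'unpack'      : RAR the installed unrar can open, hand it to the decoder chain.
    'quarantine'  : RAR generation the installed unrar is assumed not to handle;
                    never let an unscannable archive through.
    'not-rar'     : not a RAR container; other decoders apply.
    """
    kind = rar_version(data)
    if kind is None:
        return "not-rar"
    if kind == "rar5" and not unrar_supports_rar5(unrar_version):
        return "quarantine"
    return "unpack"


# Constructed sample attachments (signature followed by filler, not real archives).
SAMPLE_RAR4 = RAR4_MAGIC + b"\x00" * 16
SAMPLE_RAR5 = RAR5_MAGIC + b"\x00" * 16
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 16


def run_samples(unrar_version: str = "4.2.4") -> dict:
    """Evaluate every constructed sample against one installed unrar version."""
    return {
        "rar4": attachment_policy(SAMPLE_RAR4, unrar_version),
        "rar5": attachment_policy(SAMPLE_RAR5, unrar_version),
        "zip": attachment_policy(SAMPLE_ZIP, unrar_version),
    }


if __name__ == "__main__":
    for name, decision in run_samples("4.2.4").items():
        print(f"{name}: {decision}")
```

With the version from the thread ("4.2.4") the RAR5 sample is quarantined while the RAR4 sample is unpacked; re-running `run_samples("5.6.6")` would pass both to the decoder chain. The same signature check can be applied before an archive is handed to any decoder so that an unpacking failure does not silently become a clean verdict.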