Hi Patrick,

unfortunately it didn't work. The unrar on my CentOS7 system does not seem to be
able to handle the newer RAR versions, i.e. extract the file containing the 
malware:

$ unrar x SWIFT\ MT103\ Copy.rar 

UNRAR 4.20 freeware      Copyright (c) 1993-2012 Alexander Roshal

Unsupported archive format. Please update RAR to a newer version.
SWIFT MT103 Copy.rar is not RAR archive
No files to extract
I could however find another package which seems to be better for unpacking rar
files and is available on CentOS7:

unar-1.10.1-1.el7.x86_64

Using this tool I could extract the RAR without problems:

$ unar SWIFT\ MT103\ Copy.rar 
SWIFT MT103 Copy.rar: RAR 5
  SWIFT MT103 Copy.exe  (81920 B)... OK.
Successfully extracted to "./SWIFT MT103 Copy.exe".
Is it possible to include unar in the amavis.conf?

I could not get it to work by adjusting the corresponding section:

| @decoders = (
|  ['mail', \&do_mime_decode],
...
|  ['rar',  \&do_unrar, ['unar'] ],

This led to the following error:

amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags: 
Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: can't get a 
list of archive members: exit 1; Unknown option -idcdp. 
Does anyone know if or how this can be done? I could find the -idcdp option in
the amavisd script:

  my(@common_rar_switches) = qw(-c- -p- -idcdp);  # -av-

Can this variable somehow be switched off/overridden in the amavis.conf file?

Cheers
Jan
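
As an added example (not code from this thread, from amavis or from unar), the
script below does two things a gateway operator would want after reading the
above: it classifies a file by its RAR marker block, which is what separates the
"RAR 5" archive that unar opened from what unrar 4.20 rejects as "Unsupported
archive format", and it picks the "failed, leaving it unpacked" decoder error out
of amavis log lines so an unpack failure raises an alert instead of passing
silently. The marker bytes are the published RAR signatures, the log pattern is
the one quoted above, and every sample blob and log line is constructed.

```python
import re
from typing import Optional

# Marker blocks that open a RAR archive (published RAR signatures, not from the thread):
# RAR 1.5-4.x archives start with "Rar!\x1a\x07\x00", RAR 5.x with "Rar!\x1a\x07\x01\x00".
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
SFX_SCAN_LIMIT = 1 << 20  # self-extracting archives carry an executable stub before the marker

def rar_version(data: bytes) -> Optional[int]:
    """Return 4 for a RAR 1.5-4.x archive, 5 for a RAR 5.x archive, None if no marker is found."""
    head = data[:SFX_SCAN_LIMIT]
    found = [(pos, ver) for pos, ver in ((head.find(RAR4_MARKER), 4), (head.find(RAR5_MARKER), 5))
             if pos >= 0]
    return min(found)[1] if found else None  # the marker that appears first decides

def unpackable_by(data: bytes, unrar_major: int) -> bool:
    """True if an unrar of the given major version can be expected to open the archive.
    unrar 4.x (the CentOS 7 package in the thread) stops at RAR 5 with 'Unsupported archive format'."""
    ver = rar_version(data)
    return ver is not None and (ver == 4 or unrar_major >= 5)

# Amavis reports a decoder failure and then passes the part on unchanged; this is the
# shape of the log entry quoted in the thread (the "amavis[pid]: (id)" prefix is not matched).
DECODE_FAIL_RE = re.compile(
    r"\(!\)Decoding of (?P<part>p\d+) \((?P<desc>[^)]*)\) failed, leaving it unpacked: (?P<reason>.*)$")

def decode_failures(log_lines):
    """Yield one dict per log line in which amavis gave up on decoding a part."""
    for line in log_lines:
        m = DECODE_FAIL_RE.search(line)
        if m:
            yield m.groupdict()

# Constructed samples: a RAR4 head, a RAR5 head, a RAR5 head behind a fake SFX stub, and a ZIP head.
SAMPLES = {
    "rar4": RAR4_MARKER + b"\x00" * 16,
    "rar5": RAR5_MARKER + b"\x00" * 16,
    "sfx_rar5": b"MZ" + b"\x90" * 200 + RAR5_MARKER + b"\x00" * 16,
    "zip": b"PK\x03\x04" + b"\x00" * 16,
}
# Constructed log lines; the first is modelled on the failure quoted in the thread.
SAMPLE_LOG = [
    "amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags: Commented, Solid, os: OS/2) "
    "failed, leaving it unpacked: do_unrar: can't get a list of archive members: exit 1; Unknown option -idcdp.",
    "amavis[9351]: (09351-01) Checking: (constructed, unrelated line that must not match)",
]

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: RAR version {rar_version(blob)}, unrar 4.x can open it: {unpackable_by(blob, 4)}")
    for failure in decode_failures(SAMPLE_LOG):
        print("unpack failure:", failure["part"], "|", failure["reason"])
```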

----- Original Message -----
| From: "Jan Engels" <jan.eng...@desy.de>
| To: "Patrick Ben Koetter" <p...@sys4.de>
| Cc: amavis-users@amavis.org
| Sent: Monday, March 23, 2020 9:24:35 PM
| Subject: Re: malware went through because RAR file fails to unpack

| Hi everyone,
| 
| thanks a lot for the quick reply. For now I'm just blocking rar archives from
| external. My @decoders section currently looks as follows:
| 
| @decoders = (
|  ['mail', \&do_mime_decode],
| # [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
|  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
|  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
|  ['gz',   \&do_uncompress, 'gzip -d'],
|  ['gz',   \&do_gunzip],
|  ['bz2',  \&do_uncompress, 'bzip2 -d'],
|  ['xz',   \&do_uncompress,
|           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
|  ['lzma', \&do_uncompress,
|           ['lzmadec', 'xz -dc --format=lzma',
|            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
|  ['lrz',  \&do_uncompress,
|           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
|  ['lzo',  \&do_uncompress, 'lzop -d'],
|  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
|  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
|  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
|           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
|  ['deb',  \&do_ar, 'ar'],
| # ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
|  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
|  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
|  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
|  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
| # ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
|  ['cab',  \&do_cabextract, 'cabextract'],
| # ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
|  ['tnef', \&do_tnef],
| # ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
| # ['sit',  \&do_unstuff, 'unstuff'],  # not safe
|  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
|  [['zip','kmz'], \&do_unzip],
|  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
|  [[qw(gz bz2 Z tar)],
|           \&do_7zip,  ['7za', '7z'] ],
|  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
|           \&do_7zip,  '7z' ],
|  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
| );
| 
| For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
| version of unrar which causes problems? I currently have the following
| installed:
| 
| unrar-4.2.4-1.el7.x86_64
| 
| I will anyway try to remove the 'rar' from the list as proposed by p@rick:
|  ['rar',  \&do_unrar, ['unrar'] ],
| 
| and just leave 'unrar' to check if it helps...
| 
| @p@trick: I currently also do not have:
| 
| \&Amavis::Unpackers::do_unrar
| 
| anywhere in my list. Is that for using some amavis perl 'unrar' library?
| 
| My current amavis version is:
| 
| amavisd-new-2.11.1-1.el7.noarch
| 
| Thanks a lot for your help!
| 
| Cheers
| Jan
| 
| 
| ----- Original Message -----
|| From: "Patrick Ben Koetter" <p...@sys4.de>
|| To: amavis-users@amavis.org
|| Sent: Monday, March 23, 2020 8:42:53 PM
|| Subject: Re: malware went through because RAR file fails to unpack
| 
|| * Benny Pedersen <m...@junc.eu>:
||> On 2020-03-23 18:01, Engels, Jan wrote:
||> 
||> > i.e. malware went through amavis because the RAR archive containing
||> > the malware could not be unpacked:
||> 
||> does clamav detect this virus?
|| 
|| Recent clamav versions detect RARv5 archives and unpack them properly.
|| 
|| 
||> 
||> is amavisd unpacking it, or just not detecting it?
||> 
||> sorry, not using amavisd here, but fuglu could have the same problem
|| 
|| --
|| [*] sys4 AG
|| 
|| https://sys4.de, +49 (89) 30 90 46 64
|| Schleißheimer Straße 26/MG, 80333 München
|| 
|| Registered office: München, Amtsgericht München: HRB 199263
|| Board of Directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
|| Chairman of the Supervisory Board: Florian Kirstein
