out of interest, did clamav detect the local content?


On 05.04.22 11:29, Nikolaos Milas wrote:
On 5/4/2022 11:17 a.m., Damian wrote:
How do you know that they are infected? Is your setup not detecting
those viruses because neither Amavis nor ClamAV look inside the 7z
archive, or because ClamAV has no signatures for them?

Thank you Damian for the reply,

For testing purposes, I downloaded and scanned the content locally,
using Avira (which I have on my PC), which detected:

   TR/Injector.5079db

(But even if it had not been detected, we would be sure the attachment
would contain a virus. No malicious sender would ever send a crafted
mail with a clean exe attachment!)

But you are right in that amavis did NOT actually manage to open the
7zip archive. I only now noticed in the log:

Apr  5 09:29:09 mailgw1 amavis[3127956]: (3127956-10) (!)Decoding of
p002 (RAR archive data, v5) failed, leaving it unpacked: do_7zip:
can't get a list of archive members: exit 2; Errors: 1

I found that in all cases with 7z extension we get the above error.

Question 1:  Is there something wrong in the configuration that does
not allow 7z scanning or probably an additional software library is
needed?

Question 1A: If a decoder fails, could amavis be explicitly configured
to try more decoders?

My amavis "decoders" config section is:

@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['xz',   \&do_uncompress,
           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress,
           ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
#  ['lrz',  \&do_uncompress,
#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
  ['cab',  \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
  ['tnef', \&do_tnef],
# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
  [[qw(gz bz2 Z tar)],
           \&do_7zip,  ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
           \&do_7zip,  '7z' ],
  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);

Question 2: Could the config be corrected to process 7z attachments
correctly?

As a final note: I was misled by the fact that in the mail headers the
mail was reported as scanned and not as undecipherable.

   X-Virus-Scanned: amavisd-new at noa.gr

Question 3: How can we configure amavis to report such mails (which
failed to open for scanning) as undecipherable?

Thanks a lot,
Nick
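The two problems surfaced in this thread are (a) a decoder chosen by file extension (`7z` → `do_7zip`) being handed content of a different type (`RAR archive data, v5`), and (b) the failure being visible only in the amavis log while the message still carries an `X-Virus-Scanned` header. The following is an added example, written for this thread and not code from amavis or from any poster: it sniffs archive type from the published magic bytes so extension/content mismatches can be flagged, and it extracts "(!)Decoding of ... failed" events from amavis log text so unscanned attachments can be alerted on. The log line format is taken from the quoted log entry; the sample archive bytes and the second log line are constructed for the demonstration.

```python
import re
from typing import Optional

# Published archive magic numbers (format specifications, not values from the thread).
MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "RAR archive data, v5",
    b"Rar!\x1a\x07\x00": "RAR archive data, v4",
    b"7z\xbc\xaf\x27\x1c": "7-zip archive data",
    b"PK\x03\x04": "Zip archive data",
}

# What each extension is expected to contain (prefix match, so 'rar' covers v4 and v5).
EXPECTED_BY_EXT = {
    "7z": "7-zip archive data",
    "rar": "RAR archive data",
    "zip": "Zip archive data",
}


def sniff_archive(data: bytes) -> Optional[str]:
    """Return the archive type implied by the leading bytes, or None if unknown."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Describe a mismatch between a file's extension and its real content.

    amavis selects decoders by declared extension, so a RAR5 body named .7z is
    handed the 7z decoder, which cannot list its members. Returns None when the
    content matches the extension or when either side is unknown.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_archive(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if actual is None or expected is None:
        return None
    if not actual.startswith(expected):
        return f"{filename}: extension says .{ext} but content is {actual}"
    return None


# amavis reports a failed decode as a single syslog line of this shape.
DECODE_FAIL = re.compile(
    r"\((?P<task>\d+-\d+)\) \(!\)Decoding of (?P<part>p\d+) \((?P<type>[^)]*)\) failed, "
    r"leaving it unpacked: (?P<decoder>\w+): (?P<reason>.*)$"
)


def parse_decode_failures(log_text: str) -> list:
    """Return one dict per decoding failure found in amavis log text."""
    failures = []
    for line in log_text.splitlines():
        m = DECODE_FAIL.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


# Constructed sample input: the quoted log line re-joined onto one line, plus a
# second, unrelated line that must not match.
SAMPLE_LOG = (
    "Apr  5 09:29:09 mailgw1 amavis[3127956]: (3127956-10) (!)Decoding of p002 "
    "(RAR archive data, v5) failed, leaving it unpacked: do_7zip: "
    "can't get a list of archive members: exit 2; Errors: 1\n"
    "Apr  5 09:29:10 mailgw1 amavis[3127956]: (3127956-10) Passed CLEAN {RelayedInbound}\n"
)

# Constructed sample payloads: magic bytes followed by padding, not real archives.
RAR5_NAMED_7Z = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
REAL_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16

if __name__ == "__main__":
    print(extension_mismatch("attachment.7z", RAR5_NAMED_7Z))
    print(extension_mismatch("attachment.7z", REAL_7Z))
    for f in parse_decode_failures(SAMPLE_LOG):
        print(f"task {f['task']}: {f['part']} is {f['type']}, {f['decoder']} failed: {f['reason']}")
```

Run against a log tail, the parser yields the task id, which can be correlated with the same task's `Passed CLEAN` line to find messages that were delivered with a scanned header despite an unpacked member; the sniffer is the check to apply to the extracted part itself.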
