On 5/4/2022 11:06 μ.μ., Bastian Blank wrote:
This is no 7z file, the same as was already reported here.
Exactly. However the problem was solved, as you may see in the last mails of the thread, by installing unrar on the OS.
The malicious sender, as was mentioned earlier, tries to confuse scanners by deliberately using a wrong extension, to push the attachment without scanning.
Amavis identifies correctly the type of the compressed archive and uses the right decoder (if available).
The real problem, in the end, is that the virus is not detected in the infected file by ClamAV (after archive decoding). Is it effective and efficient to use two mail scanners back-to-back?
I would just ban rar files outright.
I would hesitate to drop RAR, as it is a compression format we respect and use and the fact that some malicious parties use it is no sufficient reason for dropping it, I think.
My 2c. Best regards, Nick
