debian, amavis, virus inside archive
A client told me that amavis skips some file types. The mail server configuration is as simple as it gets: Postfix as the SMTP server and amavis as the content filter, with amavis in turn running SpamAssassin and the clamd antivirus. Amavis takes each attachment and unpacks it before scanning. A virus inside an lha archive was not detected.
short investigation
First I ran amavis in debug mode to see how a virus could pass Postfix + amavis.
root@newserver:/var/lib/amavis# /etc/init.d/amavis stop
[ ok ] Stopping amavis (via systemctl): amavis.service.
root@newserver:/var/lib/amavis# /etc/init.d/amavis debug
Trying to run amavisd-new in debug mode.
Debug mode reports which decoders it found (or failed to find) at startup:

Nov 13 22:07:23.335 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .cpio at /bin/pax
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .tar at /bin/pax
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .deb at /usr/bin/ar
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .rar, tried: unrar-free
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .arj at /usr/bin/arj
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .arc, tried: nomarch, arc
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .zoo, tried: zoo
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .doc at /usr/bin/ripole
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .cab at /usr/bin/cabextract
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Internal decoder for .tnef
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .zip, tried: 7za, 7z
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .kmz, tried: 7za, 7z
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Internal decoder for .zip
Nov 13 22:07:23.336 newserver. /usr/sbin/amavisd-new[40334]: Internal decoder for .kmz
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .7z at /usr/bin/7zr
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .jar, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .rar, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .swf, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .lha, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .iso, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .rpm, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .exe at /usr/bin/arj
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .F
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .arc
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .iso
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .jar
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .lha
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .lrz
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .lz4
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .lzo
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .rar
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .rpm
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .swf
Nov 13 22:07:23.338 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .zoo
No decoder for .lha! But lha is installed on the system. At first this looked like a PATH problem or a misconfigured chroot: amavis finds arj but not lha in the same directory. A chroot was not set up here, though (I have not seen an amavis chroot howto for Linux; that is a good subject for another post), so the last step was to read the code. The decoder table in amavisd contains:
    ['tnef', \&Amavis::Unpackers::do_tnef],
  # ['lha',  \&Amavis::Unpackers::do_lha, \$lha],          # not safe, use 7z instead
  # ['sit',  \&Amavis::Unpackers::do_unstuff, \$unstuff],  # not safe
    [['zip','kmz'], \&Amavis::Unpackers::do_7zip, ['7za', '7z'] ],
Amavis does not call lha at all: the native lha decoder is commented out as unsafe, and .lha is handed to 7z, as are .jar, .rar, .swf, .iso and .rpm (the "tried: 7z" lines above). On Debian the p7zip package ships only 7zr, which is why amavis found a decoder for .7z but not for the rest; the 7z and 7za binaries come from p7zip-full. So the solution is simple:
root@newserver:/home/serg# aptitude search 7z
p   i7z             - reporting tool for i7, i5, i3 CPUs
p   i7z:i386        - reporting tool for i7, i5, i3 CPUs
p   i7z-gui         - GUI for i7z, a reporting tool for i7, i5, i3 CPUs
p   i7z-gui:i386    - GUI for i7z, a reporting tool for i7, i5, i3 CPUs
i   p7zip           - 7zr file archiver with high compression ratio
p   p7zip:i386      - 7zr file archiver with high compression ratio
p   p7zip-full      - 7z and 7za file archivers with high compression ratio
p   p7zip-full:i386 - 7z and 7za file archivers with high compression ratio
p   p7zip-rar       - non-free rar module for p7zip
p   p7zip-rar:i386  - non-free rar module for p7zip
root@newserver:/home/serg# aptitude install p7zip-full
The following NEW packages will be installed:
  p7zip-full
0 packages upgraded, 1 newly installed, 0 to remove and 745 not upgraded.
Need to get 1 115 kB of archives. After unpacking 4 513 kB will be used.
Get: 1 http://deb.debian.org/debian stretch/main amd64 p7zip-full amd64 16.02+dfsg-3+deb9u1 [1 115 kB]
Fetched 1 115 kB in 0s (1 953 kB/s)
Selecting previously unselected package p7zip-full.
(Reading database ... 74600 files and directories currently installed.)
Preparing to unpack .../p7zip-full_16.02+dfsg-3+deb9u1_amd64.deb ...
Unpacking p7zip-full (16.02+dfsg-3+deb9u1) ...
Processing triggers for man-db (2.7.4-1) ...
Setting up p7zip-full (16.02+dfsg-3+deb9u1) ...
After a restart amavis unpacks lha archives and clamd catches the virus inside. Re-run the debug start and confirm that .lha no longer appears in the "No decoder for" lines. Do the same for the other types in that list: the log names the program it looked for (unrar-free, or 7z with the non-free p7zip-rar module, for .rar; nomarch or arc for .arc; zoo for .zoo), and any type still listed is an archive format that reaches clamd unopened.
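The check above can be scripted. The following is an added example, not code from the post or from amavisd-new: it parses debug output of the shape shown earlier (the SAMPLE_LOG below is a constructed excerpt, not a real capture) to list the archive types amavis cannot open and the external program it wanted for each, then checks the installed 7z directly, first by asking it to list its formats (7z's "i" command) and then with an lha-to-7z round trip, since that extraction is exactly what amavis does with the attachment. The lha and 7z commands are assumed to be on PATH for the live checks; the functions return non-zero when they are not.

```shell
#!/bin/sh
# Constructed excerpt in the shape of amavisd-new's debug output (not a real
# capture): only the decoder-discovery lines that matter for the .lha case.
SAMPLE_LOG='Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: Found decoder for .7z at /usr/bin/7zr
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .lha, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No ext program for .rar, tried: 7z
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .lha
Nov 13 22:07:23.337 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .rar
Nov 13 22:07:23.338 newserver. /usr/sbin/amavisd-new[40334]: No decoder for .zoo'

# Archive extensions amavis will pass to the scanners unopened (one per line).
# These are the types a sender can use to carry a payload past clamd.
missing_decoders() {
    printf '%s\n' "$1" | sed -n 's/.*No decoder for \.\([A-Za-z0-9]*\).*/\1/p' | sort -u
}

# For each type amavis could not open, the external program(s) it looked for,
# printed as "ext program-list". This tells you which package is missing.
missing_programs() {
    printf '%s\n' "$1" | sed -n 's/.*No ext program for \.\([A-Za-z0-9]*\), tried: \(.*\)$/\1 \2/p'
}

# Live check: the 7z binary (p7zip-full, not p7zip's 7zr) must list the Lzh
# format, which covers .lha/.lzh. Returns 0 if present, 1 otherwise.
seven_zip_handles_lha() {
    command -v 7z >/dev/null 2>&1 || return 1
    7z i 2>/dev/null | grep -qi 'lzh'
}

# End-to-end check of the step amavis performs on the attachment: pack a
# harmless marker file with lha, extract it with 7z, compare. Returns 0 on a
# faithful round trip, 2 when lha or 7z is not installed, 1 on any failure.
lha_roundtrip_via_7z() {
    command -v lha >/dev/null 2>&1 && command -v 7z >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 1
    printf 'marker-payload\n' > "$tmp/marker.txt"
    (cd "$tmp" && lha a test.lzh marker.txt >/dev/null 2>&1) || { rm -rf "$tmp"; return 1; }
    7z e -y -o"$tmp/out" "$tmp/test.lzh" >/dev/null 2>&1
    cmp -s "$tmp/marker.txt" "$tmp/out/marker.txt"; rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || rc=1
    return $rc
}

# Usage when run as a script: report from the embedded sample, then live checks.
# For a real server, replace SAMPLE_LOG with the output of "/etc/init.d/amavis debug".
echo "types reaching clamd unopened:"; missing_decoders "$SAMPLE_LOG"
echo "programs amavis looked for:";    missing_programs "$SAMPLE_LOG"
if seven_zip_handles_lha; then echo "7z: Lzh format supported"; else echo "7z: Lzh NOT supported (install p7zip-full)"; fi
lha_roundtrip_via_7z; echo "lha -> 7z round trip: exit $?"
```

Run it once before and once after installing p7zip-full; the round-trip exit code should go from 2 or 1 to 0, and .lha should disappear from the first list when the script is fed the new debug output.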