From: Mark M. <Mar...@ij...> - 2004-04-16 19:22:20
Bojan,
| I tested it with my amavisd-new and it seems like it's letting through tests
| #19, #24 and #25.
| #19 - Eicar virus within zip file hidden using the "Blank
| Folding Vulnerability". #19 looks broken to me (no attachment
| visible in Outlook), although I could extract that manually;
| I think it's very low risk.
Broken it is, although my Convert::UUlib 1.0 as well as 1.01
still, for some magical reason, manages to detect and decode the zip,
which was hiding from MIME::Parser ($log_level=4):
Extracting mime components
mime_decode: Content-type: text/plain, name:
Checking for banned MIME types and names
decode_parts: level=1, #parts=1 : part-00001
File-type of part-00001: ASCII English text; (.asc)
Checking for banned (contents-based) file types, 1 parts
do_ascii: Decoding part part-00001 (1 items)
do_ascii(0): state=0x10, enc=base64, est.size=757, name=UNKNOWN.001
decompose_part: part-00001 - source retained
and the rest continues normally, with EICAR found in the end in part-00003:
decode_parts: level=2, #parts=1 : part-00002
File-type of part-00002: Zip archive data, at least v1.0 to extract; (.zip)
Checking for banned (contents-based) file types, 1 parts
Unzipping part-00002
decompose_part: part-00002 - archive, unpacked
decode_parts: level=3, #parts=1 : part-00003
File-type of part-00003: ASCII text, with no line terminators; (.asc)
Checking for banned (contents-based) file types, 1 parts
do_ascii: Decoding part part-00003 (0 items)
decompose_part: part-00003 - atomic
I wouldn't worry too much if Convert::UUlib wouldn't decode it, though.
| However, I'd like to potentially block #24 and especially #25.
| Mark, is there any way for amavisd to block that with the current version?
| #24 - Test for the "Partial (Fragmented) Vulnerability". This does not
| include Eicar virus, but your mail server still must block this since it can
| break a virus into multiple emails and reassemble it in your inbox.
#24 contains the 'Content-type: message/partial' MIME type.
You can block it as suggested in the example:
$banned_filename_re = new_RE(
  ...
  qr'^message/partial$'i,  # block rfc2046
);
| #25 - Attachment with a CLSID extension which may hide the real file
| extension. This does not include Eicar virus, but your mail server still
| must block this since it can hide the true extension of a file.
amavisd-new does not rely much on file names and types as given
in the mail headers or subheaders. If such mail would contain
a virus or a banned file(1) type, it would be blocked,
regardless of what the hidden extension holds.
You may add specific regexp patterns to $banned_filename_re
to match funny names with curlies and similar, as in the case of #25
which has: name="clsidfile.txt.{00020C01-0000-0000-C000-000000000046}"
Mark
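An added example, not from this mail or from the amavisd-new distribution: the two patterns discussed above (#24 message/partial, #25 a CLSID pseudo-extension in curlies) in the qr// form that new_RE() takes, with a small stand-alone Perl check run against constructed sample names. The matching loop is a simplification for illustration; amavisd-new's own checks also cover declared MIME types and file(1)-detected types.

```perl
#!/usr/bin/perl
# Added example (not from the original mail or from amavisd-new itself):
# candidate patterns for $banned_filename_re covering test #24
# (message/partial) and test #25 (a CLSID "extension" hidden in curly
# braces), plus a small stand-alone check against constructed names.
use strict;
use warnings;

# Patterns in the same qr// form that new_RE() takes in amavisd.conf.
my @banned_re = (
    qr'^message/partial$'i,           # block rfc2046 partial messages (#24)
    # CLSID pseudo-extension: {8-4-4-4-12 hex digits} at the end of a name (#25)
    qr'\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'i,
);

# Returns the matching pattern (stringified) or undef.  This loop only
# illustrates the idea; amavisd-new's own matching is more involved
# (declared names, MIME types and detected file types are all checked).
sub banned_match {
    my ($subject) = @_;
    for my $re (@banned_re) {
        return "$re" if $subject =~ $re;
    }
    return;
}

# Constructed sample values for this check.
my @samples = (
    'clsidfile.txt.{00020C01-0000-0000-C000-000000000046}',  # name from #25
    'message/partial',                                        # type from #24
    'report.txt',                                             # harmless name
    'text/plain',                                             # harmless type
);

for my $s (@samples) {
    my $hit = banned_match($s);
    printf "%-58s %s\n", $s, defined $hit ? "BANNED ($hit)" : "ok";
}
```

The first two samples match and the last two do not; the CLSID pattern deliberately requires the full 8-4-4-4-12 shape so ordinary names with braces are not caught.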