Today my Anti-Spam-Virus-Gateway running with Postfix/Amavis/ClamAV ran into a strange problem. It let through a virus in a exe file, which was packed as a zip file. When I installed this gateway, I tested this behavior of course and there were no problems at all. So there are two questions to be answered:
1) Why did the packed exe file go through (it should have been banned in the first place)?
2) Why wasn't the virus detected?
To answer the first question, I did some research in the logs which show that the zip file couldn't be uncompressed:
Jul 7 14:59:19 linux amavis: (15983-02) (!)Decoding of p003 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: Compress::Raw::Zlib defines neither package nor VERSION--version check failed at (eval 79) line 467.
Now it makes sense, that the mail with the exe was not banned since Amavisd couldn't decompress the zip file to see that there is an exe in it! But why does that happen? It has worked before.
After some more and intensive version checkings and research I figured it must be due to a newer Amavisd-new version which I installed lately. And indeed, it is. I removed the current rpm amavisd-new-2.6.4-28.1 and installed the older version amavisd-new-2.6.3-8.1.x86_64.rpm:
rpm -e amavisd-new-2.6.4-28.1
rpm -ivh amavisd-new-2.6.3-8.1.x86_64.rpm
After that I resent from an external e-mail account a mail with a zip attachment containing an exe file and see what happens in the mail log:
Jul 7 16:51:58 linux amavis: (32264-01) p.path BANNED:1 firstname.lastname@example.org: "P=p004,L=1,M=multipart/mixed | P=p003,L=1/2,M=application/x-zip,T=zip,N=windirstat1_1_2_setup.zip | P=p006,L=1/2/1,T=exe,T=exe-ms,N=windirstat1_1_2_setup.exe", matching_key="(?i-xsm:.\\.(exe|msi|dll|vbs|pif|scr|bat|cmd|com|cpl)$)"
That's how it should be! So the problem comes definitely from Amavisd-new 2.6.4. Or at least from the rpm package for SLES10.
To answer the second question. This is a virus which was detected in the wild only today. This can unfortunately happen. For this case I'll install another virus scanner next to ClamAV with another signature base following the principle two eyes see better than one.