Discussion:
detect and block ACE archive
Marcin Rożek
2018-04-20 08:14:14 UTC
Hello,
Recently, bad people try to send ransomware in ACE archive with .rar extension. Inside is .jse file.

Unfortunately, amavisd-new is passing this undetected (does not recognize ACE archive and can’t unpack it).

Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Extracting mime components from a string
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p001
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p002
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new pseudo part: p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p003 1 Content-Type: multipart/mixed
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 1551 bytes to remaining quota 25461000 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p001 1/1 Content-Type: text/plain, base64, size: 1551, SHA1 digest: 0ee8569abe1472ea4ddc0f5d2fd62cc13cbbe995
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p001 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Charging 34500 bytes to remaining quota 25459449 (out of 25461000, (0%)) - by mime_decode
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p002 1/2 Content-Type: application/octet-stream, base64, size: 34500, SHA1 digest: 3168e9d25b548b4b73fa62b188921648c73593c7, name: Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) reparenting p002 from p000 to p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline mime_decode-1 - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer mime_decode-1: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: parts: multipart/mixed, text/plain, application/octet-stream
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) inspect_dsn: not a bounce
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline dsn_parse - deadline in 480.0 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer dsn_parse: timer 288, was 288, deadline in 480.0 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decode_parts: level=1, #parts=3 : p001, p002, p003
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) running file(1) on 2 files, arglist size 23
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) run_command: [2353] /usr/bin/file p001 p002 </dev/null 2>&1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd0 closing, to become < /dev/null
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1 closing, to become (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd1 dup2 from fd19 (65) &=19
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: source fd19 closed
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2 closing, to become (65) &1
Apr 20 09:49:55 mx01 amavis[2353]: (02239-01) open_on_specific_fd: target fd2 dup2 from fd1 (65) &1
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p001: UTF-8 Unicode text, with CRLF line terminators\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("UTF-8 Unicode text, with CRLF line terminators") matches key "(?^i:^UTF.* Unicode text\\b)", result="txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [map_full_type_to_short_type] => true, "UTF-8 Unicode text, with CRLF line terminators" matches, result="txt", matching_key="(?^i:^UTF.* Unicode text\\b)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p001: UTF-8 Unicode text, with CRLF line terminators; (txt)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) result line from file(1): p002: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid\n
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid") matches key "(?^:^)", result="dat"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [map_full_type_to_short_type] => true, "ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid" matches, result="dat", matching_key="(?^:^)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) File-type of p002: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid; (dat)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p001 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) decompose_part: p002 - atomic
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) get_deadline parts_decode - deadline in 479.9 s, set to 288.000 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) prolong_timer parts_decode: timer 288, was 288, deadline in 479.9 s
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] => undef, "***@xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_header: 0, OK
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [bypass_header_checks] => undef, "***@xxx" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Checking for banned types and filenames
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup: (scalar) matches, result="DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_filename], 1 matches for "***@xxx", results: "(constant:DEFAULT)"=>"DEFAULT"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) collect banned table[0]: ***@xxx, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x2764760)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) starting banned checks - traversing message structure tree
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p001) multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for ***@xxx on multipart/mixed | text/plain,.txt
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re(["multipart/mixed","text/plain",".txt"]), no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:***@xxx] => undef, ["multipart/mixed","text/plain",".txt"] does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=txt" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path ***@xxx: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=txt"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) check_for_banned (p003,p002) multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) doing banned check for ***@xxx on multipart/mixed | application/octet-stream,.dat,Kwit_Skan.rar
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re(["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"]), no matches
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [check_bann:***@xxx] => undef, ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"] does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=Kwit_Skan.rar" does not match
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) p.path ***@xxx: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=dat,N=Kwit_Skan.rar"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) banned check: any=0, all=N (1)
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup_re("MAIL") matches key "(?^:^MAIL$)", result="1"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) lookup [keep_decoded_original] => true, "MAIL" matches, result="1", matching_key="(?^:^MAIL$)"
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Issued a new file name: p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts/p004
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) Calling virus scanners, 3 files to scan in /var/spool/amavisd/tmp/amavis-20180420T094955-02239-79PbWM9A/parts
Apr 20 09:49:55 mx01 amavis[2239]: (02239-01) invoking av-scanner ClamAV-clamd


file Kwit_Skan.rar
Kwit_Skan.rar: ACE archive data version 20, from Win/32, version 20 to extract, with recovery record, solid

I tried to block it:

$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
qr'^\.jse$',
qr'^\.pif$',
qr'^\.ace$',
qr'^ACE archive data version.*$',
);

But amavisd-new still passes these ransomware archives ☹

Can you help me with banning ACE archives by file type, or add support for ACE archives to amavisd (e.g. by using unace)?
I'm using amavisd-new-2.11.0-3.el7.noarch on CentOS Linux release 7.4.1708.
--
Best regards,
Marcin
Hoyer-Reuther, Christian
2018-04-20 09:22:11 UTC
Hello Marcin,

Here is how you can block ACE archives:

First you need to add the following line to $map_full_type_to_short_type_re in /usr/sbin/amavisd-new:

$map_full_type_to_short_type_re = [


[qr/^ACE archive\b/i => 'ace-unwanted'], <=== add this line


];

This line maps the output of the file utility ("result line from file(1): p002: ACE archive data version 20") to "ace-unwanted".

Then you add "ace-unwanted" to $banned_filename_re in your config:

$banned_filename_re = new_RE(


qr'^\.(ace-unwanted)$'i, <=== add this line


);

Regards,

Christian

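Christian's fix works because amavisd bans by the short type that $map_full_type_to_short_type_re assigns, not by the raw file(1) description: the log shows the banned check running over ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"], so Marcin's qr'^ACE archive data version.*$' could never match, and the catch-all key "(?^:^)" => "dat" seen in the log means the new ACE rule has to come before it. The Python model below is an added example for this page, not amavisd's own code; the rule list, attribute layout and new_RE "any match bans" semantics are assumptions reconstructed from the log lines quoted in this thread.

```python
import re

# Added model of the two amavisd lookups visible in the thread's log; this is
# illustration code for this page, not amavisd's own implementation.
#  1. $map_full_type_to_short_type_re maps file(1) output to a short type,
#  2. $banned_filename_re is matched against the part's attribute list
#     (parent type, content type, ".<short type>", file name), never against
#     the raw file(1) description.

# file(1) descriptions exactly as logged for p001 and p002
FILE_TEXT = "UTF-8 Unicode text, with CRLF line terminators"
FILE_ACE = ("ACE archive data version 20, from Win/32, version 20 to extract, "
            "with recovery record, solid")


def type_map(with_ace_rule):
    """Ordered (regex, short type) list, first match wins.  The trailing
    catch-all (?^:^) => "dat" is the key the log shows for the ACE part."""
    rules = [(re.compile(r"^UTF.* Unicode text\b", re.I), "txt")]
    if with_ace_rule:  # Christian's line; it must precede the catch-all
        rules.append((re.compile(r"^ACE archive\b", re.I), "ace-unwanted"))
    rules.append((re.compile(r"^"), "dat"))
    return rules


def short_type(file_output, rules):
    for rx, st in rules:
        if rx.search(file_output):
            return st
    return "dat"


def part_attrs(mime_type, st, name=None):
    """List handed to lookup_re, e.g. the logged
    ["multipart/mixed","application/octet-stream",".dat","Kwit_Skan.rar"]."""
    attrs = ["multipart/mixed", mime_type, "." + st]
    if name:
        attrs.append(name)
    return attrs


def is_banned(attrs, banned_re):
    """new_RE semantics assumed: any regex matching any attribute bans it."""
    return any(rx.search(a) for rx in banned_re for a in attrs)


def check_part(file_output, mime_type, name, rules, banned_re):
    """Return (short type, banned?) for one MIME part."""
    st = short_type(file_output, rules)
    return st, is_banned(part_attrs(mime_type, st, name), banned_re)


# Marcin's first attempt, copied from the original post
MARCIN_BANNED = [re.compile(p) for p in (
    r"^\.(exe-ms|dll)$", r"^\.jse$", r"^\.pif$", r"^\.ace$",
    r"^ACE archive data version.*$")]
# Christian's fix: qr'^\.(ace-unwanted)$'i
CHRISTIAN_BANNED = MARCIN_BANNED[:4] + [re.compile(r"^\.(ace-unwanted)$", re.I)]

if __name__ == "__main__":
    ace = ("application/octet-stream", "Kwit_Skan.rar")
    print(check_part(FILE_ACE, *ace, type_map(False), MARCIN_BANNED))
    # -> ('dat', False): ".dat" is all the banned list ever sees
    print(check_part(FILE_ACE, *ace, type_map(True), CHRISTIAN_BANNED))
    # -> ('ace-unwanted', True)
```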
Marcin Rożek
2018-04-20 11:58:27 UTC
Post by Hoyer-Reuther, Christian
$map_full_type_to_short_type_re = [


[qr/^ACE archive\b/i => 'ace-unwanted'], <=== add this line


];
This line maps the output of the file utility ("result line from file(1): p002: ACE archive data version 20") to "ace-unwanted".
$banned_filename_re = new_RE(


qr'^\.(ace-unwanted)$'i, <=== add this line


);
Thank you Christian - that worked!

Is it possible to add map_full_type_to_short_type_re to /etc/amavisd/amavisd.conf, as any update of the package is going to wipe ACE detection from /usr/sbin/amavisd?

Is there any chance to add the possibility to unpack ACE archives to amavisd? I hope that banning them completely is only a temporary solution 😊
--
Best regards,
Marcin
Hoyer-Reuther, Christian
2018-04-20 12:41:44 UTC
Post by Marcin Rożek
Is it possible to add map_full_type_to_short_type_re to
/etc/amavisd/amavisd.conf as any update of package is going to wipe ACE
detection from /usr/sbin/amavisd ?
I don't know, but you can try whether it works when you copy the $map_full_type_to_short_type_re section to amavisd.conf.
Post by Marcin Rożek
Is there any chance to add a possibility to unpack ACE archives to amavisd?
I hope that banning them completely is only temporary solution
With the ACE banning in my environment there is never a real mail blocked, but only virus mails. Maybe the spammers and virus creators love ACE archives because they know that amavis cannot handle it.
Benny Pedersen
2018-04-20 14:31:20 UTC
Post by Hoyer-Reuther, Christian
With the ACE banning in my environment there is never a real mail
blocked, but only virus mails. Maybe the spammers and virus creators
love ACE archives because they know that amavis cannot handle it.
The design of amavisd is not to make the best virus scanner with it; it was
designed to be a content controller, thus we all need external scanners
to scan for viruses and malware anyway.

IMHO amavisd is too overcomplicated for my life, so I keep clamav with
clamav-milter, which has been stable for me in the last year.

Adding all foxhole signatures makes all bad malware be rejected.

But clamav-milter still misses a policy to accept, reject or quarantine
content from 3rd-party sigs; it's not possible to just reject official
virus malware and keep 3rd-party signature hits quarantined or accepted, for
later use in content controllers.

sad :/

The only way it can be done now is to run clamav with 2 clamd and 2
clamav-milter instances, each with its own settings, but that will be a performance
drain, so don't.

Benny Pedersen
2018-04-20 14:19:11 UTC
But amavisd-new still passes this ransomware archives☹
https://sanesecurity.com/foxhole-databases/

clamav does support ACE testing; it just needs signatures.

Please share the ransomware with virustotal.com and clamav.

Join the sanesecurity mailing lists.