[SOLVED] RAR with EXE

DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

[SOLVED] RAR with EXE

Post by DemonRok »

Hi to all, today I'm having this issue: .rar files with a compressed .exe aren't blocked like .zip files with a compressed .exe are.

In my /usr/bin/, unrar exists and works correctly in bash.

Any idea?

Thanks to all!
Last edited by DemonRok on 16 Jun 2015 21:56, edited 1 time in total.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RAR with EXE

Post by shawniverson »

When you run a file -i against the RAR, is it actually a RAR archive?
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: RAR with EXE

Post by DemonRok »

unrar -i fatt_0031845907.rar does nothing

Code:

UNRAR 5.00 beta 3 freeware      Copyright (c) 1993-2013 Alexander Roshal

Usage:     unrar <command> -<switch 1> -<switch N> <archive> <files...>
               <@listfiles...> <path_to_extract\>

<Commands>
  e             Extract files without archived paths
  l[t[a],b]     List archive contents [technical[all], bare]
  p             Print file to stdout
  t             Test archive files
  v[t[a],b]     Verbosely list archive contents [technical[all],bare]
  x             Extract files with full path

<Switches>
  -             Stop switches scanning
  @[+]          Disable [enable] file lists
  ad            Append archive name to destination path
  ag[format]    Generate archive name using the current date
  ai            Ignore file attributes
  ap<path>      Set path inside archive
  c-            Disable comments show
  cfg-          Disable read configuration
  cl            Convert names to lower case
  cu            Convert names to upper case
  dh            Open shared files
  ep            Exclude paths from names
  ep3           Expand paths to full including the drive letter
  f             Freshen files
  id[c,d,p,q]   Disable messages
  ierr          Send all messages to stderr
  inul          Disable all messages
  kb            Keep broken extracted files
  n<file>       Additionally filter included files
  n@            Read additional filter masks from stdin
  n@<list>      Read additional filter masks from list file
  o[+|-]        Set the overwrite mode
  or            Rename files automatically
  ow            Save or restore file owner and group
  p[password]   Set password
  p-            Do not query password
  r             Recurse subdirectories
  sl<size>      Process files with size less than specified
  sm<size>      Process files with size more than specified
  ta<date>      Process files modified after <date> in YYYYMMDDHHMMSS format
  tb<date>      Process files modified before <date> in YYYYMMDDHHMMSS format
  tn<time>      Process files newer than <time>
  to<time>      Process files older than <time>
  ts<m,c,a>[N]  Save or restore file time (modification, creation, access)
  u             Update files
  v             List all volumes
  ver[n]        File version control
  vp            Pause before each volume
  x<file>       Exclude specified file
  x@            Read file names to exclude from stdin
  x@<list>      Exclude files listed in specified list file
  y             Assume Yes on all queries
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: RAR with EXE

Post by DemonRok »

unrar e fatt_0031845907.rar

Code:

UNRAR 5.00 beta 3 freeware      Copyright (c) 1993-2013 Alexander Roshal


Extracting from fatt_0031845907.rar

Extracting  fatt_0031845907_checked_5awg557dfc8ea4a20.exe             OK
All OK
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: RAR with EXE

Post by shawniverson »

Ok.

Next....

Is MailScanner set to scan rar archives like this?

Code:

Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Maximum Archive Depth = 3
Maximum Archive Depth can be different depending on how deep you go. 0 disables this.
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: RAR with EXE

Post by DemonRok »

Well.

In my /etc/MailScanner/MailScanner.conf:

Code:

Archives Are = zip rar ole
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Maximum Archive Depth = 8
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

[SOLVED] RAR with EXE

Post by DemonRok »

Take a look there...

http://lists.mailscanner.info/pipermail ... 02236.html

and do the following:

Code:

sudo yum remove unrar
sudo wget https://s3.amazonaws.com/mailborder/releases/stable/4.1.0/unrar-4.2.3-1.el6.rf.x86_64.rpm
sudo rpm -Uvh unrar-4.2.3-1.el6.rf.x86_64.rpm
With unrar-4.2.3, RAR files are processed and scanned.

Now RAR with EXE was blocked again on my eFa server!
Last edited by DemonRok on 18 Jun 2015 06:42, edited 2 times in total.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [SOLVED] RAR with EXE

Post by shawniverson »

DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: [SOLVED] RAR with EXE

Post by DemonRok »

darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: [SOLVED] RAR with EXE

Post by darky83 »

Is it possible for you to do some more testing?
I created an RPM from the latest unrar version (5.2.7)

Is it possible to test if this one works for you?
(if not you can revert back to the other one)

Code:

https://dl.efa-project.org/rpm/CentOS/6/testing/x86_64/unrar-5.2.7-1.el6.x86_64.rpm
Also, do you have a specific test case?
In my tests I noticed that with the 5.0.3 version files are checked, so maybe I am testing it differently than you are.
Version eFa 4.x now available!
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: [SOLVED] RAR with EXE

Post by DemonRok »

Today I'm trying it!
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: [SOLVED] RAR with EXE

Post by DemonRok »

darky83 wrote: Is it possible for you to do some more testing?
I created an RPM from the latest unrar version (5.2.7)

Is it possible to test if this one works for you?
(if not you can revert back to the other one)

Code:

https://dl.efa-project.org/rpm/CentOS/6/testing/x86_64/unrar-5.2.7-1.el6.x86_64.rpm
Also, do you have a specific test case?
In my tests I noticed that with the 5.0.3 version files are checked, so maybe I am testing it differently than you are.
Mail was delivered and not scanned with 5.2.7 too, going back to 4.2.3.
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: [SOLVED] RAR with EXE

Post by darky83 »

Can you explain how and what you test exactly? I want to reproduce it :)
Version eFa 4.x now available!
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: [SOLVED] RAR with EXE

Post by DemonRok »

darky83 wrote: Can you explain how and what you test exactly? I want to reproduce it :)
I sent an email to my eFa. The attachment was a RAR with a simple w32 .exe file in it.
PM me your email, I'll send you a copy of the email.
The exe is not a virus...
DemonRok
Posts: 25
Joined: 02 Apr 2014 06:26

Re: [SOLVED] RAR with EXE

Post by DemonRok »

LOG from /var/log/maillog

With unrar 4.2.3:

Code:

sudo less /var/log/maillog | grep CEE1B10252B.A199A
Jun 22 12:46:12 mx2 MailScanner[10774]: Filename Checks: Windows/DOS Executable (CEE1B10252B.A199A Capture2Text.exe)
Jun 22 12:46:12 mx2 MailScanner[10774]: Filetype Checks: No executables (CEE1B10252B.A199A Capture2Text.exe)
Jun 22 12:46:12 mx2 MailScanner[10774]: Saved entire message to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:13 mx2 MailScanner[10774]: Saved infected "Capture2Text.rar" to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:13 mx2 MailScanner[10774]: Saved infected "Capture2Text.exe" to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:15 mx2 MailScanner[10774]: Requeue: CEE1B10252B.A199A to C6952102537
Jun 22 12:46:15 mx2 MailScanner[10774]: Logging message CEE1B10252B.A199A to SQL
With unrar 5.2.7:

Code:

sudo less /var/log/maillog | grep E2AD91029E0.AEA74
Jun 22 12:44:02 mx2 MailScanner[10774]: Requeue: E2AD91029E0.AEA74 to B99FD10252B
Jun 22 12:44:02 mx2 MailScanner[10774]: Logging message E2AD91029E0.AEA74 to SQL
Is there any other log to take a look at?
EnricoGTT
Posts: 33
Joined: 09 Jun 2014 07:24

Re: [SOLVED] RAR with EXE

Post by EnricoGTT »

I had the same issue and I solved it with the new unrar version. :D

Thanks

Best regards
Enrico
Ramas
Posts: 9
Joined: 25 Apr 2016 20:16

Re: [SOLVED] RAR with EXE

Post by Ramas »

Hi,

It seems there are still problems with UNRAR v5 in EFA 3.0.0.9.
With unrar v4.2 it works as expected.
I think the issue is the space in the filename inside the RAR archive.

With unrar-4.2.3-1.el6.rf.x86_64 in maillog:

Code:

Apr 25 22:39:03 smtp MailScanner[28852]: New Batch: Scanning 1 messages, 1115919 bytes
Apr 25 22:39:03 smtp MailScanner[28852]: Filename Checks: Windows/DOS Executable (4413FA0056.A1FAB sample 1.exe)
Apr 25 22:39:03 smtp MailScanner[28852]: Filetype Checks: No executables (4413FA0056.A1FAB sample 1.exe)
Apr 25 22:39:03 smtp MailScanner[28852]: Other Checks: Found 2 problems
Apr 25 22:39:03 smtp MailScanner[28852]: Virus and Content Scanning: Starting
Apr 25 22:39:05 smtp MailScanner[28852]: Spam Checks: Starting
Apr 25 22:39:05 smtp MailScanner[28852]: Whitelist refresh time reached
Apr 25 22:39:05 smtp MailScanner[28852]: Starting up SQL Whitelist
Apr 25 22:39:05 smtp MailScanner[28852]: Read 92 whitelist entries
Apr 25 22:39:07 smtp MailScanner[28852]: Deleted 1 messages from processing-database
Apr 25 22:39:07 smtp MailScanner[28852]: Logging message 4413FA0056.A1FAB to SQL
Apr 25 22:39:07 smtp MailScanner[1132]: 4413FA0056.A1FAB: Logged to MailWatch SQL
With unrar-5.0.3-1.el6.rf.x86_64 in maillog:

Code:

Apr 25 22:20:31 smtp MailScanner[28852]: New Batch: Scanning 1 messages, 1115916 bytes
Apr 25 22:20:31 smtp MailScanner[28852]: Virus and Content Scanning: Starting
Apr 25 22:20:32 smtp MailScanner[28852]: Spam Checks: Starting
Apr 25 22:20:36 smtp MailScanner[28852]: Requeue: A3A29A0056.A264A to D89DFA0057
Output from UNRAR v5:

Code:

unrar v -p- "sample(1) 3D.rar"
UNRAR 5.00 beta 3 freeware      Copyright (c) 1993-2013 Alexander Roshal

Archive: sample(1) 3D.rar
Details: RAR 4

 Attributes      Size    Packed Ratio   Date   Time   Checksum  Name
----------- ---------  -------- ----- -------- -----  --------  ----
    ..A....    907264    812324  89%  24-04-16 18:38  80C3FDC5  sample 1.exe
----------- ---------  -------- ----- -------- -----  --------  ----
               907264    812324  89%                            1
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [SOLVED] RAR with EXE

Post by shawniverson »

Hmm....I will check this and report back. Could be a bug in the new v5 parser.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [SOLVED] RAR with EXE

Post by shawniverson »

Ramas
Posts: 9
Joined: 25 Apr 2016 20:16

Re: [SOLVED] RAR with EXE

Post by Ramas »

Hi,
Here I am again with unrar v5.
Today our customer received an e-mail with a RAR archive attachment.
Inside the RAR archive was an executable .exe file.
Our mail policy is no executables in email, but MailScanner (E.F.A.) did not block that e-mail.
Output from unrar for the file attached to that e-mail:

Code:

 unrar v -p- 'offical PO and SC no 10_Pdf.rar'

UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Archive: offical PO and SC no 10_Pdf.rar
Details: RAR 4

 Attributes      Size    Packed Ratio   Date   Time   Checksum  Name
----------- ---------  -------- ----- -------- -----  --------  ----
    ..A....   1314816    681138  51%  16-11-16 10:57  D7444A4F  offical PO and SC no 10_Pdf.exe
----------- ---------  -------- ----- -------- -----  --------  ----
              1314816    681138  51%                            1
My suggestion for code changes in Mailscanner (... MailScanner/perl/MailScanner/Message.pm):

Code:

--- Message.pm.bak<---->2016-11-16 14:15:38.240733800 +0200
+++ Message.pm<>2016-11-16 15:24:01.695851594 +0200
@@ -3140,7 +3140,7 @@
         $Stuff = $what;
         $Stuff =~ s/^\s+|\s+$//g;
         chomp($Stuff);
-        my ($RAttrib,$RSize,$RPacked,$RRatio,$RDate,$RTime,$RCrc,$RName) = split /\s+/, $Stuff;
+        my ($RAttrib,$RSize,$RPacked,$RRatio,$RDate,$RTime,$RCrc,$RName) = split /\s+/, $Stuff, 8;
         $memb .= "$RName\n";
         $Stuff = '';
       }
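Review bot: the third argument added to split in the + line is the right fix for member names containing spaces, because a limit of 8 makes the last field ($RName) receive the remainder of the line intact; with the unlimited split, the listing above turns 'sample 1.exe' into 'sample', and the .exe extension never reaches the filename checks. Two points to cover: a listing's totals line has fewer than eight whitespace-separated fields, so if it can reach this branch $RName is undef and an empty line is appended to $memb, which a `next unless defined $RName;` before the append would avoid; and the bare 8 deserves a one-line comment (the listing has exactly eight columns, Name being the last), otherwise a future reader may take it for a stray argument and remove it.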
Correct me if I'm wrong.
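As an added example, not code from MailScanner or eFa, the parser below reproduces the problem Ramas describes: it applies the whitespace split from Message.pm to listing lines constructed from the two unrar outputs posted in this thread, once with the unlimited split and once with the eight-field limit, and then runs a simplified .exe extension check in place of MailScanner's filename rules. The column order and the regex that selects entry lines are assumptions taken from the listings shown above.

```python
"""Added example, not code from MailScanner or eFa: how an unlimited whitespace
split loses archive member names that contain spaces, and how limiting the
split to 8 fields (Python split(None, 7), Perl split with a limit of 8) keeps them."""
import re

# Constructed `unrar v` listing built from the two outputs posted in this thread
# (assumed column order: Attributes Size Packed Ratio Date Time Checksum Name).
UNRAR_V_LISTING = """\
 Attributes      Size    Packed Ratio   Date   Time   Checksum  Name
----------- ---------  -------- ----- -------- -----  --------  ----
    ..A....    907264    812324  89%  24-04-16 18:38  80C3FDC5  sample 1.exe
    ..A....   1314816    681138  51%  16-11-16 10:57  D7444A4F  offical PO and SC no 10_Pdf.exe
----------- ---------  -------- ----- -------- -----  --------  ----
              2222080   1493462  67%                            2
"""

# Assumption: an entry line is attributes, size, packed size and a ratio with '%'.
# The header, the dashed rulers and the totals line do not match this shape.
ENTRY_RE = re.compile(r"^\s*\S{7,11}\s+\d+\s+\d+\s+\d+%\s")


def member_names(listing, limit_fields):
    """Return member names from a listing, parsed the way Message.pm does.

    limit_fields=False: every whitespace run separates a field, so the name is
    cut at its first space ('sample 1.exe' becomes 'sample').
    limit_fields=True: at most 8 fields, the last one absorbing the rest of the
    line, spaces included.
    """
    names = []
    for line in listing.splitlines():
        if not ENTRY_RE.match(line):
            continue
        stuff = line.strip()
        fields = stuff.split(None, 7) if limit_fields else stuff.split()
        if len(fields) < 8:
            continue  # malformed entry: never record an empty name
        names.append(fields[7])
    return names


def flagged_executables(names):
    """Simplified stand-in for the 'Windows/DOS Executable' filename rule:
    a truncated name that lost its .exe extension passes through unflagged."""
    return [n for n in names if n.lower().endswith(".exe")]
```

With the unlimited split both archives yield names without an extension, so nothing is flagged, which matches the "Requeue" without "Filename Checks" seen in the unrar 5 log lines above.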
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [SOLVED] RAR with EXE

Post by shawniverson »
