[SOLVED] RAR with EXE
Hi to all, today I'm having this issue: .rar files with a compressed .exe inside aren't blocked, unlike .zip files with a compressed .exe.
In my /usr/bin/, unrar exists and works correctly in bash.
Any idea?
Thanks to all!
Last edited by DemonRok on 16 Jun 2015 21:56, edited 1 time in total.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: RAR with EXE
When you run a file -i against the RAR, is it actually a RAR archive?
Re: RAR with EXE
unrar -i fatt_0031845907.rar does nothing:
UNRAR 5.00 beta 3 freeware Copyright (c) 1993-2013 Alexander Roshal
Usage: unrar <command> -<switch 1> -<switch N> <archive> <files...>
<@listfiles...> <path_to_extract\>
<Commands>
e Extract files without archived paths
l[t[a],b] List archive contents [technical[all], bare]
p Print file to stdout
t Test archive files
v[t[a],b] Verbosely list archive contents [technical[all],bare]
x Extract files with full path
<Switches>
- Stop switches scanning
@[+] Disable [enable] file lists
ad Append archive name to destination path
ag[format] Generate archive name using the current date
ai Ignore file attributes
ap<path> Set path inside archive
c- Disable comments show
cfg- Disable read configuration
cl Convert names to lower case
cu Convert names to upper case
dh Open shared files
ep Exclude paths from names
ep3 Expand paths to full including the drive letter
f Freshen files
id[c,d,p,q] Disable messages
ierr Send all messages to stderr
inul Disable all messages
kb Keep broken extracted files
n<file> Additionally filter included files
n@ Read additional filter masks from stdin
n@<list> Read additional filter masks from list file
o[+|-] Set the overwrite mode
or Rename files automatically
ow Save or restore file owner and group
p[password] Set password
p- Do not query password
r Recurse subdirectories
sl<size> Process files with size less than specified
sm<size> Process files with size more than specified
ta<date> Process files modified after <date> in YYYYMMDDHHMMSS format
tb<date> Process files modified before <date> in YYYYMMDDHHMMSS format
tn<time> Process files newer than <time>
to<time> Process files older than <time>
ts<m,c,a>[N] Save or restore file time (modification, creation, access)
u Update files
v List all volumes
ver[n] File version control
vp Pause before each volume
x<file> Exclude specified file
x@ Read file names to exclude from stdin
x@<list> Exclude files listed in specified list file
y Assume Yes on all queries
Re: RAR with EXE
unrar e fatt_0031845907.rar
UNRAR 5.00 beta 3 freeware Copyright (c) 1993-2013 Alexander Roshal
Extracting from fatt_0031845907.rar
Extracting fatt_0031845907_checked_5awg557dfc8ea4a20.exe OK
All OK
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: RAR with EXE
Ok.
Next....
Is MailScanner set to scan rar archives like this?
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Maximum Archive Depth = 3
Maximum Archive Depth can be different depending on how deep you go. 0 disables this.
Re: RAR with EXE
Well, in my /etc/MailScanner/MailScanner.conf:
Archives Are = zip rar ole
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Maximum Archive Depth = 8
[SOLVED] RAR with EXE
Take a look there...
http://lists.mailscanner.info/pipermail ... 02236.html
With unrar-4.2.3 rar files are processed and scanned.
and do the following:
sudo yum remove unrar
sudo wget https://s3.amazonaws.com/mailborder/releases/stable/4.1.0/unrar-4.2.3-1.el6.rf.x86_64.rpm
sudo rpm -Uvh unrar-4.2.3-1.el6.rf.x86_64.rpm
Now RAR with EXE is blocked again on my eFa server!
Last edited by DemonRok on 18 Jun 2015 06:42, edited 2 times in total.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: [SOLVED] RAR with EXE
shawniverson wrote: https://github.com/E-F-A/v3/issues/200
Re: [SOLVED] RAR with EXE
Is it possible for you to do some more testing?
I created an RPM from the latest unrar version (5.2.7).
Is it possible to test if this one works for you?
(if not you can revert back to the other one)
Also do you have a specific test case?
https://dl.efa-project.org/rpm/CentOS/6/testing/x86_64/unrar-5.2.7-1.el6.x86_64.rpm
In my tests I noticed that with the 5.0.3 version files are checked, so maybe I am testing it differently than you are.
Re: [SOLVED] RAR with EXE
darky83 wrote:
Is it possible for you to do some more testing?
I created an RPM from the latest unrar version (5.2.7).
Is it possible to test if this one works for you?
(if not you can revert back to the other one)
Also do you have a specific test case?
https://dl.efa-project.org/rpm/CentOS/6/testing/x86_64/unrar-5.2.7-1.el6.x86_64.rpm
In my tests I noticed that with the 5.0.3 version files are checked, so maybe I am testing it differently than you are.

Mail was delivered and not scanned with 5.2.7 too, going back to 4.2.3.
Re: [SOLVED] RAR with EXE
Can you explain how and what you test exactly? I want to reproduce it.
Re: [SOLVED] RAR with EXE
darky83 wrote:
Can you explain how and what you test exactly? I want to reproduce it.

I sent an email to my eFa. The attachment was a rar with a simple w32 .exe file in it.
PM me your email, I'll send you a copy of the email.
The exe is not a virus...
Re: [SOLVED] RAR with EXE
LOG from /var/log/maillog
with unrar 4.2.3
sudo less /var/log/maillog | grep CEE1B10252B.A199A
Jun 22 12:46:12 mx2 MailScanner[10774]: Filename Checks: Windows/DOS Executable (CEE1B10252B.A199A Capture2Text.exe)
Jun 22 12:46:12 mx2 MailScanner[10774]: Filetype Checks: No executables (CEE1B10252B.A199A Capture2Text.exe)
Jun 22 12:46:12 mx2 MailScanner[10774]: Saved entire message to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:13 mx2 MailScanner[10774]: Saved infected "Capture2Text.rar" to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:13 mx2 MailScanner[10774]: Saved infected "Capture2Text.exe" to /var/spool/MailScanner/quarantine/20150622/CEE1B10252B.A199A
Jun 22 12:46:15 mx2 MailScanner[10774]: Requeue: CEE1B10252B.A199A to C6952102537
Jun 22 12:46:15 mx2 MailScanner[10774]: Logging message CEE1B10252B.A199A to SQL
with unrar 5.2.7
sudo less /var/log/maillog | grep E2AD91029E0.AEA74
Jun 22 12:44:02 mx2 MailScanner[10774]: Requeue: E2AD91029E0.AEA74 to B99FD10252B
Jun 22 12:44:02 mx2 MailScanner[10774]: Logging message E2AD91029E0.AEA74 to SQL
Is there any other log to take a look at?
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: [SOLVED] RAR with EXE
I had the same issue and I have solved it with the new unrar version.
Thanks
Best regards
Enrico
Re: [SOLVED] RAR with EXE
Hi,
It seems there are still problems with UNRAR v5 in EFA 3.0.0.9.
With unrar v4.2 it works as expected.
I think the issue is the space in the filename in the RAR archive.
With unrar-4.2.3-1.el6.rf.x86_64 in maillog:
Apr 25 22:39:03 smtp MailScanner[28852]: New Batch: Scanning 1 messages, 1115919 bytes
Apr 25 22:39:03 smtp MailScanner[28852]: Filename Checks: Windows/DOS Executable (4413FA0056.A1FAB sample 1.exe)
Apr 25 22:39:03 smtp MailScanner[28852]: Filetype Checks: No executables (4413FA0056.A1FAB sample 1.exe)
Apr 25 22:39:03 smtp MailScanner[28852]: Other Checks: Found 2 problems
Apr 25 22:39:03 smtp MailScanner[28852]: Virus and Content Scanning: Starting
Apr 25 22:39:05 smtp MailScanner[28852]: Spam Checks: Starting
Apr 25 22:39:05 smtp MailScanner[28852]: Whitelist refresh time reached
Apr 25 22:39:05 smtp MailScanner[28852]: Starting up SQL Whitelist
Apr 25 22:39:05 smtp MailScanner[28852]: Read 92 whitelist entries
Apr 25 22:39:07 smtp MailScanner[28852]: Deleted 1 messages from processing-database
Apr 25 22:39:07 smtp MailScanner[28852]: Logging message 4413FA0056.A1FAB to SQL
Apr 25 22:39:07 smtp MailScanner[1132]: 4413FA0056.A1FAB: Logged to MailWatch SQL
With unrar-5.0.3-1.el6.rf.x86_64 in maillog:
Apr 25 22:20:31 smtp MailScanner[28852]: New Batch: Scanning 1 messages, 1115916 bytes
Apr 25 22:20:31 smtp MailScanner[28852]: Virus and Content Scanning: Starting
Apr 25 22:20:32 smtp MailScanner[28852]: Spam Checks: Starting
Apr 25 22:20:36 smtp MailScanner[28852]: Requeue: A3A29A0056.A264A to D89DFA0057
Output from UNRAR v5:
unrar v -p- "sample(1) 3D.rar"
UNRAR 5.00 beta 3 freeware Copyright (c) 1993-2013 Alexander Roshal
Archive: sample(1) 3D.rar
Details: RAR 4
Attributes Size Packed Ratio Date Time Checksum Name
----------- --------- -------- ----- -------- ----- -------- ----
..A.... 907264 812324 89% 24-04-16 18:38 80C3FDC5 sample 1.exe
----------- --------- -------- ----- -------- ----- -------- ----
907264 812324 89% 1
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: [SOLVED] RAR with EXE
Hmm....I will check this and report back. Could be a bug in the new v5 parser.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: [SOLVED] RAR with EXE
Hi,
Here I am again with unrar v5.
Today our customer received an e-mail with a RAR archive attachment.
Inside the RAR archive is an executable .exe file.
Our mail policy is no executables in email, but MailScanner (E.F.A.) did not block that e-mail.
Output from unrar with the attached file in that e-mail:
unrar v -p- 'offical PO and SC no 10_Pdf.rar'
UNRAR 5.21 freeware Copyright (c) 1993-2015 Alexander Roshal
Archive: offical PO and SC no 10_Pdf.rar
Details: RAR 4
Attributes Size Packed Ratio Date Time Checksum Name
----------- --------- -------- ----- -------- ----- -------- ----
..A.... 1314816 681138 51% 16-11-16 10:57 D7444A4F offical PO and SC no 10_Pdf.exe
----------- --------- -------- ----- -------- ----- -------- ----
1314816 681138 51% 1
My suggestion for code changes in MailScanner (... MailScanner/perl/MailScanner/Message.pm), correct me if I'm wrong:
--- Message.pm.bak<---->2016-11-16 14:15:38.240733800 +0200
+++ Message.pm<>2016-11-16 15:24:01.695851594 +0200
@@ -3140,7 +3140,7 @@
$Stuff = $what;
$Stuff =~ s/^\s+|\s+$//g;
chomp($Stuff);
- my ($RAttrib,$RSize,$RPacked,$RRatio,$RDate,$RTime,$RCrc,$RName) = split /\s+/, $Stuff;
+ my ($RAttrib,$RSize,$RPacked,$RRatio,$RDate,$RTime,$RCrc,$RName) = split /\s+/, $Stuff, 8;
$memb .= "$RName\n";
$Stuff = '';
}
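Review bot: the LIMIT of 8 on `split /\s+/, $Stuff, 8` is the right fix for names containing spaces, because the file name is the last column of the unrar v listing and the unlimited split leaves $RName holding only the first word ("sample" instead of "sample 1.exe", "offical" instead of "offical PO and SC no 10_Pdf.exe"), so the .exe extension never reaches the filename checks. Two follow-ups for the same hunk: add a short comment on that line saying why the limit is 8, and guard the following `$memb .= "$RName\n";` for lines that yield fewer than 8 fields (header, separator or summary lines, should they ever reach this branch), since an undefined $RName would record an empty member name; skipping the line when $RName is undefined avoids that.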
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
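To make the split-limit bug concrete, here is an added Python example (not MailScanner's Perl, which performs the equivalent split in Message.pm) that parses the unrar v listings quoted in this thread both the old way and the patched way; the listing text is constructed from the two outputs above, and the executable-extension rule is an illustrative stand-in for MailScanner's filename rules.

```python
import re

# Constructed sample listing: the two "unrar v" outputs quoted in this
# thread, merged into one archive listing for demonstration.
LISTING = """\
UNRAR 5.00 beta 3 freeware Copyright (c) 1993-2013 Alexander Roshal

Archive: sample(1) 3D.rar
Details: RAR 4

 Attributes      Size    Packed Ratio    Date    Time   Checksum  Name
----------- ---------  -------- ----- -------- -----  --------  ----
    ..A....    907264    812324  89% 24-04-16 18:38  80C3FDC5  sample 1.exe
    ..A....   1314816    681138  51% 16-11-16 10:57  D7444A4F  offical PO and SC no 10_Pdf.exe
----------- ---------  -------- ----- -------- -----  --------  ----
              2222080   1493462  67%                            2
"""

# A member line starts with the attribute column (e.g. "..A....") followed by
# the numeric Size and Packed columns; header, separator and summary lines do not.
ENTRY_RE = re.compile(r'^\s*[.A-Z-]{7,}\s+\d+\s+\d+\s')

# Illustrative stand-in for an executable filename rule (not filename.rules.conf).
EXEC_RE = re.compile(r'\.(exe|com|scr|pif|bat)$', re.IGNORECASE)


def member_names(listing, limit=None):
    """Extract the Name column from an unrar v listing."""
    # limit=None reproduces the old unlimited Perl split /\s+/, $Stuff;
    # limit=8 reproduces the patched split with LIMIT 8. Perl's LIMIT n
    # counts fields, Python's maxsplit counts cuts, hence n-1 below.
    names = []
    for line in listing.splitlines():
        if not ENTRY_RE.match(line):
            continue
        stuff = line.strip()                        # same trim as Message.pm
        maxsplit = 0 if limit is None else limit - 1
        fields = re.split(r'\s+', stuff, maxsplit=maxsplit)
        if len(fields) < 8:
            continue                                # malformed: no name column
        names.append(fields[7])
    return names


def blocked_executables(names):
    """Names that would trip the executable filename rule."""
    return [n for n in names if EXEC_RE.search(n)]
```

With the unlimited split every name with a space loses its extension, so nothing is flagged; with LIMIT 8 both executables are caught.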