1 Topic by jack

  • jack
  • Member
  • Offline
  • Registered: 2015-01-13
  • Posts: 22

Topic: Reject Encrypted Zip Files

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: CentOS: 7.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): I think Nginx...
- Manage mail accounts with iRedAdmin-Pro? 2.9
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have one customer somehow overtaken and sending encrypted Zip files to her contact list.  The beauty is that the filters bypass encrypted files with the comment UNCHECKED.  Thanks so much...

First, does anyone have info how to stop this virus/worm?  The latest I saw was:

   Hello
   See the attached document...
   zip password 1234567
   Don't hesitate to ask me any questions.

Second, at the moment I want to stop any encrypted files that bypass my system.  What is the best way to do this.  I'm confused by the amavis.conf but maybe it's in Spamassassin.

Please help...

--- Jack

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Reject Encrypted Zip Files

I found one sample config file shipped on Ubuntu (/etc/amavis/conf.d/15-av_scanners), but i didn't test it myself. Hope it works for you:

- on your CentOS 7, open file /etc/amavisd/amavisd.conf, find setting like below:

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Add one more line (in red):

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Restart amavisd service and send a testing email with encrypted file.

Let me know whether it works for you.

3 Reply by jack

  • jack
  • Member
  • Offline
  • Registered: 2015-01-13
  • Posts: 22

Re: Reject Encrypted Zip Files

ZhangHuangbin wrote:

I found one sample config file shipped on Ubuntu (/etc/amavis/conf.d/15-av_scanners), but i didn't test it myself. Hope it works for you:

- on your CentOS 7, open file /etc/amavisd/amavisd.conf, find setting like below:

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Add one more line (in red):

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Restart amavisd service and send a testing email with encrypted file.

Let me know whether it works for you.

Thanks, but unfortunately that stopped non-encrypted zip files.

--- Jack

4 Reply by jitendra.sharma

  • jitendra.sharma
  • Member
  • Offline
  • Registered: 2022-07-07
  • Posts: 20

Re: Reject Encrypted Zip Files

I have configured the following.
@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);


But still password protected mail is going and receiving

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Reject Encrypted Zip Files

jitendra.sharma wrote:

But still password protected mail is going and receiving

Turn on debug mode in amavisd and read the log lines to figure out why it works this way.
FYI https://docs.iredmail.org/debug.amavisd.html

6 Reply by jitendra.sharma

  • jitendra.sharma
  • Member
  • Offline
  • Registered: 2022-07-07
  • Posts: 20

Re: Reject Encrypted Zip Files

Dear Team,
Is there any solution to block password protected file.