1

Topic: Reject Encrypted Zip Files

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: CentOS: 7.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): I think Nginx...
- Manage mail accounts with iRedAdmin-Pro? 2.9
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have one customer who was somehow taken over and is sending encrypted Zip files to her contact list.  The beauty is that the filters bypass encrypted files with the comment UNCHECKED.  Thanks so much...

First, does anyone have info on how to stop this virus/worm?  The latest I saw was:

   Hello
   See the attached document...
   zip password 1234567
   Don't hesitate to ask me any questions.

Second, at the moment I want to stop any encrypted files that bypass my system.  What is the best way to do this?  I'm confused by the amavis.conf, but maybe it's in SpamAssassin.

Please help...

--- Jack

2

Re: Reject Encrypted Zip Files

I found one sample config file shipped on Ubuntu (/etc/amavis/conf.d/15-av_scanners), but I didn't test it myself. I hope it works for you:

- On your CentOS 7, open the file /etc/amavisd/amavisd.conf and find the setting below:

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Add one more line (the qr/^\s{5,}.../ pattern):

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Restart the amavisd service and send a test email with an encrypted file.

Let me know whether it works for you.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

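The reply above tries to get the "password-protected" verdict out of the ClamAV output by regex; the first post's actual problem is that the archive could not be inspected at all and was passed on as UNCHECKED. The script below is an added example (not code from this thread, from iRedMail or from amavisd) that makes that decision directly from the attachment: it reads the ZIP central directory and reports every member whose general-purpose flag bit 0 (encryption) is set, without needing a password or decompressing anything. It assumes the hook-up used by external programs in amavisd's @av_scanners, i.e. that amavisd calls it with the unpacked-parts directory as its only argument and treats exit code 0 as clean and exit code 1 as infected; the program path /usr/local/bin/check_encrypted_zip.py, the sample archives, the sample message and the "FOUND:" output line are all constructed for this example.

```python
"""Flag password-protected ZIP attachments instead of passing them as UNCHECKED.

Added example, not iRedMail or amavisd code. Assumed hook-up: amavisd runs it
with the unpacked-parts directory as the only argument; exit 0 means clean,
exit 1 plus one "FOUND: ..." line per hit means reject.
"""
import io, os, struct, sys, tempfile, zipfile, zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: member is encrypted (ZipCrypto or AES)


def encrypted_members(data):
    """Names of members with the encryption flag set; [] for non-ZIP input.
    Reads only the central directory (no decompression, no password); a ZIP
    whose directory cannot be parsed is one placeholder hit, since amavisd
    could not decode it either."""
    buf = io.BytesIO(data)
    if len(data) < 22 or not zipfile.is_zipfile(buf):
        return []
    try:
        with zipfile.ZipFile(buf) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]
    except zipfile.BadZipFile:
        return ["<unparsable archive>"]


def scan_directory(root):
    """Walk a parts directory tree; return (path, member) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits.extend((path, m) for m in encrypted_members(fh.read()))
    return hits


def scan_message(raw):
    """Walk a raw RFC 5322 message; return (attachment filename, member) pairs."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_content()  # bytes for non-text parts, str otherwise
        if isinstance(payload, bytes):
            hits.extend((part.get_filename() or "<unnamed>", m)
                        for m in encrypted_members(payload))
    return hits


def build_zip(members, encrypted=False):
    """Construct a minimal STORED archive (constructed sample, not real ZipCrypto).
    encrypted=True sets the flag bit and prefixes the 12-byte encryption header."""
    flag = FLAG_ENCRYPTED if encrypted else 0
    local, central, offset = [], [], 0
    for name, body in members:
        name_b, crc = name.encode("ascii"), zlib.crc32(body) & 0xFFFFFFFF
        stored = (b"\x00" * 12 + body) if encrypted else body
        local_hdr = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flag, 0, 0, 0,
                                crc, len(stored), len(body), len(name_b), 0)
        local.append(local_hdr + name_b + stored)
        cd_hdr = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flag, 0,
                             0, 0, crc, len(stored), len(body), len(name_b),
                             0, 0, 0, 0, 0, offset)
        central.append(cd_hdr + name_b)
        offset += len(local[-1])
    cd = b"".join(central)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(cd), offset, 0)
    return b"".join(local) + cd + eocd


# Constructed samples: one clean archive, one "zip password 1234567" style archive.
CLEAN_ZIP = build_zip([("report.txt", b"quarterly figures")])
ENCRYPTED_ZIP = build_zip([("document.exe", b"MZ\x90\x00 not a real binary")], encrypted=True)


def build_sample_message():
    """Constructed message in the shape of the lure quoted in the first post."""
    msg = EmailMessage()
    msg["Subject"] = "Hello"
    msg.set_content("See the attached document...\nzip password 1234567\n")
    msg.add_attachment(ENCRYPTED_ZIP, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def demo_directory_scan():
    """Write both samples to a scratch directory and scan it as amavisd would."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, blob in (("part-0001.zip", CLEAN_ZIP), ("part-0002.zip", ENCRYPTED_ZIP)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(blob)
        return [(os.path.basename(p), m) for p, m in scan_directory(tmp)]


def main(argv):
    """Exit-status contract used by the assumed @av_scanners entry."""
    hits = scan_directory(argv[1]) if len(argv) > 1 else scan_message(build_sample_message())
    for where, member in hits:
        print(f"FOUND: password-protected archive {where} ({member})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the assumptions above, the matching entry would be a plain external-program scanner rather than a daemon entry: ['Encrypted ZIP check', '/usr/local/bin/check_encrypted_zip.py', '{}', [0], [1], qr/^FOUND: (.*)$/m], where {} is replaced by the parts directory, [0] lists the clean exit codes, [1] the infected ones, and the final pattern extracts the name amavisd reports. Because the verdict comes from the archive's own central directory rather than from pattern-matching a scanner's output, it does not depend on the exact line format ClamAV prints for encrypted archives. Separately from any scanner entry, amavisd-new 2.7 and later has the setting $final_unchecked_destiny, which governs mail it could not fully decode (the UNCHECKED case the first post describes); its default D_PASS is what delivers such mail with the tag, and D_DISCARD or D_REJECT changes that outcome on its own.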

3

Re: Reject Encrypted Zip Files

ZhangHuangbin wrote:

I found one sample config file shipped on Ubuntu (/etc/amavis/conf.d/15-av_scanners), but I didn't test it myself. I hope it works for you:

- On your CentOS 7, open the file /etc/amavisd/amavisd.conf and find the setting below:

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Add one more line (the qr/^\s{5,}.../ pattern):

@av_scanners = (
    ['clamav-socket',
     \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

- Restart the amavisd service and send a test email with an encrypted file.

Let me know whether it works for you.

Thanks, but unfortunately that stopped non-encrypted zip files.

--- Jack