[SOLVED] AV scanning in RAR archives not working

A

alex_lxm

New Member
Proxmox Subscriber
Jun 10, 2020
3
1
3
Hi everyone,

I have trouble with getting PMG to detect viruses inside RAR archives.
I am using the free EICAR mail tests from Heise Security (https://www.heise.de/security/dienste/emailcheck/virendummies/rar_mit_eicar/) to test the functionality.

When sending the plain EICAR file (without it being embedded in a RAR file), PMG correctly blocks the mail. So my rule is working fine.
The mail fiter rule looks like this:
- Name: Block Virus
- Direction: in
- What objects: Virus (Type: "Virus Filter", Value: "active")
- Action Objects: Notify Admin, Quarantine

However, this rule does not fire when sending the EICAR file inside a RAR archive.

From another thread here (click) I already saw that the package "p7zip-rar" should be installed, which I did; unfortunately, the result is still the same.

If I upload the RAR attachment to the PMG VM, I can manually extract the RAR file using
unrar e eicar.rar
and then scan the eicar.com file using
clamscan eicar.com

The EICAR file is then correctly recognized by ClamAV:
eicar.com: Win.Test.EICAR_HDB-1 FOUND

However, if I run clamscan on the RAR file itself, it does not detect anything.

If I run clamconf, I can see the following output:
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-AOJLfo/clamav-0.102.3+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-AOJLfo/clamav-0.102.3+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-AOJLfo/clamav-0.102.3+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'

Notice the --disable-unrar.

I also verified that p7zip can correctly handle RAR archives, by executing 7z e eicar.rar, which can extract the RAR file successfully.

At this point, I am out of ideas.
Can anyone help me?

Thanks and regards
Alexander
 
tl;dr:
enable the contrib and non-free components of debian's repositories and:
Code: 
apt install libclamunrar p7zip-rar

the rar format is a proprietary file-format and the various decompressors cannot be released by debian in their main repository - see https://www.debian.org/doc/debian-policy/ch-archive#s-non-free

since the antivirus scan's the complete mail you need the liblamunrar package for that part - the p7zip-rar part is for the archive-filters in the rule system.

I hope this helps!
 
Hi Stoiko,

thanks for your help.
Indeed, libclamunrar was not yet installed. I ran the installation and checked if clamscan was now able to detect the EICAR file inside the RAR archive:
> clamscan eicar.rar
eicar.rar: Win.Test.EICAR_HDB-1 FOUND

So the ClamAV part looks good now!
However, the the mail filter rule still does not fire...

I did two tests, one with EICAR inside a ZIP and one inside a RAR. Here are the differences in mail.log:

ZIP:
postfix/smtpd[24099]: E56DB4C0088: client=web.heise.de[193.99.144.71]
postfix/cleanup[23410]: E56DB4C0088: message-id=<E1jj0kM-0000L6-QW.octo13@web.heise.de>
postfix/qmgr[1060]: E56DB4C0088: from=<emailcheck-robot@ct.de>, size=2588, nrcpt=1 (queue active)
pmg-smtp-filter[4443]: 2020/06/10-15:26:26 CONNECT TCP Peer: "[127.0.0.1]:38686" Local: "[127.0.0.1]:10024"
pmg-smtp-filter[4443]: 4C008F5EE0DF82E83FC: new mail message-id=<E1jj0kM-0000L6-QW.octo13@web.heise.de>#012
postfix/smtpd[24099]: disconnect from web.heise.de[193.99.144.71] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
pmg-smtp-filter[4443]: 4C008F5EE0DF82E83FC: virus detected: Win.Test.EICAR_HDB-1 (clamav)
pmg-smtp-filter[4443]: 4C008F5EE0DF82E83FC: SA score=0/5 time=0.621 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.016),JMQ_SPF_NEUTRAL(0.5),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)

RAR:
postfix/smtpd[24099]: 8D1234C0088: client=web.heise.de[193.99.144.71]
postfix/cleanup[23410]: 8D1234C0088: message-id=<E1jj0jH-0007zK-Ee.octo07@web.heise.de>
postfix/qmgr[1060]: 8D1234C0088: from=<emailcheck-robot@ct.de>, size=2524, nrcpt=1 (queue active)
pmg-smtp-filter[4443]: 2020/06/10-15:25:19 CONNECT TCP Peer: "[127.0.0.1]:38670" Local: "[127.0.0.1]:10024"
pmg-smtp-filter[4443]: 4C008F5EE0DF3F91DE5: new mail message-id=<E1jj0jH-0007zK-Ee.octo07@web.heise.de>#012
postfix/smtpd[24099]: disconnect from web.heise.de[193.99.144.71] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
pmg-smtp-filter[4443]: 4C008F5EE0DF3F91DE5: SA score=0/5 time=0.958 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.017),JMQ_SPF_NEUTRAL(0.5),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)

For some reason, clamav does not detect anything in the second case... or maybe PMG does not even invoke clamav? I'm not sure...

Regards
Alexander
 
pmg-smtp-filter invokes clamdscan (which talks with the clamav-daemon clamd) - you need to restart clamav-daemon.

Worked here in my tests

I hope this helps!
 
Glad that worked out - thanks for marking the thread as SOLVED
 
Hello, i also want to install the rar-unpacker.
but when i wil install i become the error message:
root@mta:~# apt install libclamunrar p7zip-rar
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package p7zip-rar is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package libclamunrar is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libclamunrar' has no installation candidate
E: Package 'p7zip-rar' has no installation candidate

Waht can i do?
thanks thomas
 
Hy, now i have anable the contrib and non-free components of debians repository.
i mak a file under /etc/apt/source.list.d

Now i got the same error

FIle clamav_contrib_non-free.list
Code: 
deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main contrib non-free

deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free

deb http://deb.debian.org/debian buster-updates main contrib non-free
deb-src http://deb.debian.org/debian buster-updates main contrib non-free
 
post the complete output of:
Code: 
apt update
apt install libclamunrar p7zip-rar
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom