postalserver / postal

📮 A fully featured open source mail delivery platform for incoming & outgoing e-mail
https://postalserver.io
MIT License

Malicious file found in the container by AWS GuardDuty #2627

Closed joeneldeasis closed 9 months ago

joeneldeasis commented 1 year ago

Issue

Malicious file found by AWS GuardDuty in the running container.

Name: Trojan.GenericKDS.32546895
Severity: HIGH
Hash: 227e4efbfac42ce935039c1c7b8681f80a9b43ef1e1171b74d53ec7691a1b185
File path: /var/lib/docker/overlay2/1a352ccc5a5f4410eb37477fec0905bdcd11eeb7a8371b361640fe395012a1b4/diff/opt/postal/app/resource/virus-message.msg=>[Subject: Picture 94][Date: Wed, 05 Oct 2016 22:15:41 +0700]=>Picture 94.zip
File name: virus-message.msg=>[Subject: Picture 94][Date: Wed, 05 Oct 2016 22:15:41 +0700]=>Picture 94.zip

To Reproduce

Deploy postal on an EC2 instance; AWS GuardDuty will then detect the file /var/lib/docker/overlay2/xxxxxxxxxxxx/diff/opt/postal/app/resource/virus-message.msg in the container as a malicious file.

Environment details

Additional information/context

Tried submitting the file (located at resource/virus-message.msg in the repo) to VirusTotal, and the detection rate is 30/59. VirusTotal link: https://www.virustotal.com/gui/file/ab162c2bb1eca728b926f238d6a2441c6384490d0bc703c916016c2d3e5df622

willpower232 commented 1 year ago

That is hilarious nobody has spotted that before now, thankfully the email messages in that folder don't seem to be used. Presumably they were for manual testing at some point.

I think that folder could be added to a .dockerignore and the file in question removed or replaced with an EICAR based one.

patchthecode commented 1 year ago

...so this was an actual virus??

catphish commented 10 months ago

Yes, this is a real virus. It appears to be a real email received by aTech at some point. We must have included it for testing. It won't do any harm unless you open it, download its attachment and run it, but it would probably be replaced with an EICAR file. It is also perfectly safe to delete it from your install.
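A quick way to confirm whether a given install still carries the flagged file before deleting it, as an added example that is not part of Postal or of this thread: hash every file under the resource directory and compare against the two digests quoted above. The GuardDuty hash appears to identify the nested "Picture 94.zip" attachment rather than the .msg container, so the file on disk is expected to match the SHA-256 from the VirusTotal URL, not the GuardDuty one.

```python
"""Find files under a Postal install whose SHA-256 matches the hashes
reported in this issue. Example code, not part of Postal."""
import hashlib
import os
from pathlib import Path

# Digests quoted in the issue. GuardDuty's hash identifies the
# "Picture 94.zip" attachment nested inside the .msg, so it will not
# match the .msg as stored on disk; the VirusTotal URL carries the
# SHA-256 of virus-message.msg itself.
KNOWN_HASHES = {
    "227e4efbfac42ce935039c1c7b8681f80a9b43ef1e1171b74d53ec7691a1b185":
        "GuardDuty: Picture 94.zip (nested attachment)",
    "ab162c2bb1eca728b926f238d6a2441c6384490d0bc703c916016c2d3e5df622":
        "VirusTotal: virus-message.msg",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large attachments stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_flagged_files(root, known_hashes=KNOWN_HASHES):
    """Return {path: label} for every regular file under root whose digest
    is in known_hashes. Symlinks are skipped so a link cannot pull in
    content from outside the scanned tree."""
    matches = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digest = sha256_of(path)
            if digest in known_hashes:
                matches[str(path)] = known_hashes[digest]
    return matches


if __name__ == "__main__":
    import sys
    # Default to the in-container path from the issue; pass another root to scan elsewhere.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/postal/app/resource"
    for path, label in find_flagged_files(target).items():
        print(f"{path}: {label}")
```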