Some document formats identify as ZIP archives when looked at by
file/magic. This includes Apple numbers, pages and keys filetypes and
some Microsoft Office XML format documents which are generated by
third-party tools (seen with a PDF conversion tool). This causes AMaViS
to unpack them and hand the individual content snippets as samples to
Peekaboo which prevents us from doing a proper analysis. There is no
direct way to prevent this. There is an option
keep_decoded_original_maps which would apply to all ZIP archives and do
an additional analysis on all of them as well.
But as with all of AMaViS, we can hook some functions creatively to
introduce a list with overrides. There we can also decide to prevent
unpacking altogether or tell AMaViS to do the unpacking but additionally
hand the original, unmodified file to the virus scanner.
This change adds such a filtering decoder for ZIPs and introduces two
lists of regexes to override the default of unpacking and removing the
original archive with either declaring the original as atomic and
unpackable so it's passed to virus scanners verbatim or do the unpacking
but tell AMaViS to keep the original and pass that as well.
Jack28
commented
4 years ago
Some document formats identify as ZIP archives when looked at by file/magic. This includes Apple numbers, pages and keys filetypes and some Microsoft Office XML format documents which are generated by third-party tools (seen with a PDF conversion tool). This causes AMaViS to unpack them and hand the individual content snippets as samples to Peekaboo which prevents us from doing a proper analysis. There is no direct way to prevent this. There is an option keep_decoded_original_maps which would apply to all ZIP archives and do an additional analysis on all of them as well.
But as with all of AMaViS, we can hook some functions creatively to introduce a list with overrides. There we can also decide to prevent unpacking altogether or tell AMaViS to do the unpacking but additionally hand the original, unmodified file to the virus scanner.
This change adds such a filtering decoder for ZIPs and introduces two lists of regexes to override the default of unpacking and removing the original archive with either declaring the original as atomic and unpackable so it's passed to virus scanners verbatim or do the unpacking but tell AMaViS to keep the original and pass that as well.
Closes #64.