[Mimedefang] Block executables in 7Z archive - solution

Tomasz Ostrowski tometzky at batory.org.pl
Thu Oct 8 07:36:23 EDT 2015

We're getting a lot of trojan executables in 7Z archives lately. Like 
this one:

I've added code to my mimedefang-filter based on 
suggested-minimum-filter-for-windows-clients in filter_bad_filename 
which tests for this. I'd like to share:

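# Look inside 7Z files
if (re_match($entity, '\.7z$') ) {
     my $bh = $entity->bodyhandle();
     if (defined($bh)) {
         my $path = $bh->path();
         if (defined($path)) {
             # -slt lists each archive member on its own "Path = name" line
             my($code, $category, $action) =
                 run_virus_scanner( "7za l -slt -bd -p -y -- $path" );
             # Stop here unless the wrapper said 'proceed' and 7za exited with 0
             if ($action ne 'proceed') {
                 return $code;
             }
             if ($code) {
                 return $code;
             }
             # $re is the bad-extension pattern defined earlier in
             # filter_bad_filename; /m lets its $ match at each line end
             return 1 if $VirusScannerMessages =~ /$re/im;
         }
     }
}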

This requires the 7za program (from the p7zip package) to be installed on
the server. This will also block 7z archives with encrypted filenames.

...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
                                                       Winnie the Pooh
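
Added example, not part of the original post and not MIMEDefang's own code: a stand-alone Perl version of the same check that reads the `7za l -slt` listing member by member and blocks the archive when the listing fails, which is what happens with encrypted filenames. The extension list, the `verdict` helper and the sample listing are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Assumed extension list for illustration; a real filter has its own $bad_exts.
my $bad_re = qr/\.(?:exe|scr|com|pif|bat|cmd|js|vbs)\.*$/i;

# Member names in `7za l -slt` output that end in a blocked extension.
sub bad_members {
    my ($listing) = @_;
    my (@bad, $in_entries);
    for my $line (split /\r?\n/, $listing) {
        # Per-member blocks follow the "----------" line; the archive's own
        # "Path = ..." line comes before it and is ignored.
        if ($line =~ /^-{10}\s*$/) { $in_entries = 1; next; }
        next unless $in_entries && $line =~ /^Path = (.*)$/;
        my $name = $1;
        push @bad, $name if $name =~ $bad_re;
    }
    return @bad;
}

# Hypothetical helper: fail closed when 7za could not list the archive
# (non-zero exit, as with encrypted file names), otherwise block on a hit.
sub verdict {
    my ($exit, $listing) = @_;
    return 'block: archive could not be listed' if $exit != 0;
    my @bad = bad_members($listing);
    return @bad ? "block: @bad" : 'pass';
}

# Constructed sample listing, not captured from a real message.
my $sample = <<'EOT';
Listing archive: msg-1234.7z

--
Path = msg-1234.7z
Type = 7z

----------
Path = readme.txt
Size = 120

Path = docs/Invoice_2015.pdf.exe
Size = 183296
EOT

print verdict(0, $sample), "\n";   # clean exit, one blocked member
print verdict(2, ''), "\n";        # constructed: 7za exited with an error
```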
