How do I verify that the archive is corrupt if MailMarshal (SEG) or ECM fails to unpack an archive attachment?


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange 7.X

Question:

How do I verify that the archive is corrupt if SEG or ECM fails to unpack an archive attachment?

 

Causes:

MailMarshal uses external utilities to unpack the various archive formats it handles (ZIP, RAR, TAR, ARJ, GZIP, LZH, SIT and so on). In current versions a single tool, 7za.exe (7-Zip), unpacks ZIP, ARJ, RAR, GZIP and TAR; earlier versions used a separate tool per format (for example unarj.exe for ARJ files). These unpacking executables can all be found in the MailMarshal install folder.

In some cases, when MailMarshal attempts to unpack an archive file (such as a ZIP or RAR), the external unpacker itself fails. MailMarshal then deadletters the message with an unpacking error.

 

  • Tip: For a corrupt archive the 7-Zip unpacker typically returns exit code (2), which 7-Zip documents as a fatal error. Exit code (1) is a non-fatal warning (for example some files could not be processed); MailMarshal treats either as an unpacking failure.

 

Note: In early versions of MailMarshal SMTP 6.0, the action in this case was to continue processing. This is a potentially dangerous situation which could allow unscanned content through the filter.

You may wish to confirm, independently of MailMarshal, that the archive file really is corrupt, that is, that the unpacker cannot extract it at all. The manual checks below let you establish clearly that the problem lies with the external unpacker's ability to unpack the file, not with MailMarshal itself.

The errors that you see in the MailMarshal Message logs in the event of a deadletter will typically look something like this:

Event - Unpack for B423069370000.000000000001.0001.mml caught exception <Error unpacking C:\Program Files\NetIQ\MailMarshal\Unpacking\T1\U2\rarfile.rar, exit code (3)>
Event - Unpack for B4224e0100000.000000000001.0004.mml caught exception <Error unpacking C:\Program Files\NetIQ\MailMarshal\Unpacking\T2\U3\zipfile.zip, exit code (1)>

Note in particular the exit code (x) at the end of each event. This number is the return code of the external unpacker, and it is what we examine more closely below.

 

Procedure:

Step 1 - Extract the archive file from the message.

There are various ways to retrieve the attachment in the offending message.

WARNING: MailMarshal has been unable to unpack and scan this message for viruses, and therefore there is a chance that the attachment may be infected with a virus. Please exercise all appropriate caution when handling such files. We recommend that you do not attempt to run any executables extracted from the archive.

Be aware that the unpacking failure may be deliberate: if the archive contains entries whose names point outside the extraction folder (a directory traversal attack), MailMarshal refuses to unpack it, and naively extracting such a file yourself could overwrite files in any folder on your computer. For more information, see Q10654 (ZIP vulnerability) and Q11450 (ARJ vulnerability).

  • If the message is already in your inbox, then simply save the attachment to a safe location (a folder which can serve as a testing area) on a safe workstation (not the MailMarshal server).
  • If the message is currently in the Deadletter folder or in a quarantine folder, then view the message in the Console. Select the Details tab, then select the top component in the tree - this will be the message file itself, with the long number like B422cd1bb0000.422cd1bc0000.0001. Right-click on this message file and save the file. Copy the file to a safe location. Change the file extension to .UUE and then open it with Winzip. The UUE file should contain your archive - extract your archive.

Step 2 - Unpack the archive from the command line.

Once we have the suspect archive available for testing we then run the correct tool for unpacking it. The intent here is to manually mimic MailMarshal operation and to closely observe the resultant behavior.

For safety, copy the needed unpacking executables from the MailMarshal server to your safe working environment (the same folder as the archive files). 

For each of the following archive types run the executable from the command line with the arguments listed. Note that archivename.* refers to the name of the archive file you are attempting to unpack.

MailMarshal SMTP 6.4 and above; MailMarshal Exchange 7.X:

  • ZIP, ARJ, RAR, GZIP, TAR (7za handles all of these; give it the archive's real extension):
    • 7za x archivename.zip
  • LZH file
    • unstuff -d -q archivename.lzh
  • SIT file
    • unstuff -d -q archivename.sit
MailMarshal SMTP earlier versions:
  • ZIP file:
    • unzip -oq archivename.zip
  • ARJ file
    • unarj x archivename.arj
  • RAR file
    • unrar x -c- -p- -r -o+ -av- archivename.rar
  • GZIP file
    • gzip -d -g -o archivename.gz
  • TAR file
    • tar -xf archivename.tar
  • LZH file
    • unstuff -d -q archivename.lzh
  • SIT file
    • unstuff -d -q archivename.sit

If the unpacker reports any error or warning during unpacking, MailMarshal deadletters the message. The unpacker also returns a non-zero exit code, and this is the value the MailMarshal message logs report as exit code (x). To display that value on screen, type the following at the same command prompt immediately after the unpack command (any other command run in between replaces it):

  • echo %errorlevel%

An error at the command line should give a clear indication of why MailMarshal is failing to unpack the archive. The errors and the exit code you observe should match what you see in the Message and Engine logs.

There is effectively nothing MailMarshal can do to unpack these messages - as such the only safe thing to do is Dead Letter these messages.
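The checks in Steps 1 and 2 can be scripted on the safe workstation. The following is an added example in Python, not Trustwave's code; it assumes the suspect archive has been saved to a scratch folder and that, if 7za.exe is used at all, it has been copied alongside it. The script parses the Message log event quoted above, maps 7-Zip's documented exit codes to their meanings, verifies a ZIP with Python's own parser (a CRC pass that writes nothing to disk), lists any member names that would escape the extraction folder (the traversal risk from Step 1), and, only when 7za is present and an archive path is given, runs 7-Zip's t (test) command, which also extracts nothing. The sample archives are constructed inside the script.

```python
"""Offline triage of an archive MailMarshal could not unpack (added example,
not Trustwave code). Assumes the archive was saved to a scratch folder on a
safe workstation; if 7za.exe is used it is only asked to test, never extract."""
import io
import re
import shutil
import subprocess
import sys
import zipfile

# 7-Zip's documented exit codes (7za.exe). Other unpackers use their own tables.
SEVEN_ZIP_EXIT = {
    0: "no error",
    1: "warning (non-fatal, e.g. some files could not be processed)",
    2: "fatal error (corrupt, truncated or unsupported archive)",
    7: "command line error",
    8: "not enough memory",
    255: "user stopped the process",
}

# Shape of the Message log event quoted in this article.
LOG_RE = re.compile(r"Unpack for (?P<msg>\S+) caught exception "
                    r"<Error unpacking (?P<path>.+?), exit code \((?P<code>\d+)\)>")


def parse_unpack_event(line):
    """Return message file, archive path and exit code from a deadletter log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"message": m.group("msg"), "path": m.group("path"),
            "exit_code": int(m.group("code"))}


def explain_7zip_exit(code):
    return SEVEN_ZIP_EXIT.get(code, "undocumented exit code")


def unsafe_entries(zip_bytes):
    """Member names that would land outside the extraction folder if extracted naively."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name) or ".." in parts:
                bad.append(name)
    return bad


def check_zip_integrity(zip_bytes):
    """(ok, detail) from Python's ZIP parser: central directory plus a CRC pass, nothing written."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            first_bad = zf.testzip()
    except zipfile.BadZipFile as exc:
        return False, "BadZipFile: %s" % exc
    if first_bad is not None:
        return False, "CRC mismatch in member %r" % first_bad
    return True, "all members pass CRC check"


def run_7za_test(seven_za, archive_path):
    """Mimic MailMarshal with 7-Zip's 't' command (tests without extracting); returns exit code."""
    proc = subprocess.run([seven_za, "t", "-y", archive_path], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def build_samples():
    """Constructed test archives: a valid ZIP, a truncated copy, and a traversal ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers\n" * 50)
    good = buf.getvalue()
    truncated = good[: len(good) // 2]          # central directory lost, as in a cut-off transfer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../Windows/System32/evil.dll", b"MZ")   # name walks out of the folder
    return good, truncated, buf.getvalue()


if __name__ == "__main__":
    # Log line quoted in the article above.
    event = parse_unpack_event(r"Event - Unpack for B423069370000.000000000001.0001.mml caught "
                               r"exception <Error unpacking C:\Program Files\NetIQ\MailMarshal"
                               r"\Unpacking\T1\U2\rarfile.rar, exit code (3)>")
    print("log event:", event)
    for label, data in zip(("good", "truncated", "traversal"), build_samples()):
        ok, detail = check_zip_integrity(data)
        unsafe = unsafe_entries(data) if ok else []
        print("%-9s integrity=%s (%s) unsafe=%s" % (label, ok, detail, unsafe))
    seven_za = shutil.which("7za")
    if seven_za and len(sys.argv) > 1:      # optional: 7za t <archive> on a real suspect file
        code, output = run_7za_test(seven_za, sys.argv[1])
        print("7za t exit code %d: %s" % (code, explain_7zip_exit(code)))
```

Run it with no arguments to see the three constructed samples classified; pass the path of the real suspect archive as the first argument (with 7za.exe on the PATH or in the same folder) to get the same exit code MailMarshal logged. Using 7-Zip's t command rather than x keeps the traversal warning from Step 1 moot, because nothing is written to disk while the exit code is still obtained.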

Note:

Current versions of SEG provide "Dead Letter Rules" that allow you to automate handling of dead lettered messages. You can choose to pass some messages through unscanned. You should carefully consider the need and risk.

This article was previously published as:

NETIQKB46086

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10533.aspx