#1
Old 08-05-2008, 08:15 AM
Intermediate Member
 
Posts: 17
Question about AntiVirus

Hi,

it seems that one can send through EXE files inside zip files (we will have to allow sending of zip-files, even "encrypted" ones).
But we found out that the scanner will let through EXEs etc. in zip-files.

What's the point of blocking all the stuff from the large list in the config just to let it through once it's put in a zip?
Can this be changed?


Regards,
Rainer
#2
Old 08-05-2008, 10:28 AM
Moderator
 
Posts: 1,027

This is an old problem. Fortunately there aren't a lot of hostile files going out in ZIP files right now, but a couple years ago it was bad enough that I actually DID block ZIP files because only one in about 30 or 40 was legit. At that time I was using a different filtering system, and when a legitimate one was blocked (by my firewall gateway) I merely pulled it out of quarantine.

It would be worth an RFE to scan for file extensions inside of zip files, although I don't know how complex that is from a programming standpoint--there I'll have to defer to the developers. Right now the file extension filter is a simple, one-level affair.

But in the meantime, there are two very simple workarounds you can use if you choose to block all ZIP files:
  1. Have your users implement an alternative compression format for archives--LZH is a good one but there are many. You will find that most of the major archiving programs, including the free ones, will allow more than one file format.
  2. Have them continue to use ZIP but rename the extension to something like ZIM, and then train your people to take ZIM files and rename them to ZIP to open them.
Neither is perfect, I'll grant, but they accomplish the security goal that I sense you may be after.
__________________
Cheers,

Dan
#3
Old 08-17-2008, 08:03 PM
Active Member
 
Posts: 47

This is a big potential problem at the moment for one of my clients (Release 5.0.6_GA_2313.RHEL4_20080522102400 CentOS4 FOSS edition) which is receiving lots of the 'Fedex' virus emails.

The emails have an attachment called fedex_mNNNN.zip which contains a file called fedex_mNNNN.exe. Currently, ClamAV is not detecting this as a virus but TrendMicro's OfficeScan on the PCs is catching it.

So, even though Zimbra is configured to block .EXE attachments, this .exe is getting through.

I've blocked .zip files for the moment - and probably for the longer term until the blocking of attachment types can be extended to those within archive files.
#4
Old 08-18-2008, 11:42 AM
Moderator
 
Posts: 1,027

Please see Bug 30889 – Add within-archive extension blocking and vote for this bug if you agree.
__________________
Cheers,

Dan
#5
Old 08-19-2008, 03:40 AM
Outstanding Member
 
Posts: 705

Is it worth reporting this one to ClamAV (Clam AntiVirus) that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least that's what the conf/clamav.conf file implies
#6
Old 10-15-2008, 10:31 AM
Junior Member
 
Posts: 9

Until an official method for extending blocking to inside attachments is supported, I just uncommented one of the blocks in /opt/zimbra/conf/amavisd.conf.in for $banned_filename_re:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

This lets the normal Zimbra attachment blocking work while also using the blocking in amavisd-new (which DOES support blocking files inside of archives) to specifically ban those above extensions within archives. I tried sending the very same emails that were sneaking through and the logs show it being blocked now specifically due to the embedded .exe.

I also added:
$final_banned_destiny = D_DISCARD;

To prevent backscatter since the default in amavisd-new is D_BOUNCE.
#7
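As an added illustration (not code from the post, from Zimbra or from amavisd-new), the following Python script contrasts the one-level attachment-name check with the within-archive check that the $banned_filename_re rule quoted above performs. It applies the same extension list to a constructed zip-in-zip sample modelled on the fedex_mNNNN.zip case, and it caps recursion depth and member size so a deeply nested or oversized archive cannot exhaust the scanner. The sample archives, the MAX_DEPTH and MAX_MEMBER_BYTES limits and the function names are assumptions made for the example.

```python
import io
import re
import zipfile

# Same extension list as the amavisd-new rule quoted in the post above.
BANNED_EXT_RE = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)

MAX_DEPTH = 3                  # assumed limit: do not descend into archives nested deeper than this
MAX_MEMBER_BYTES = 5_000_000   # assumed limit: do not open nested archives larger than this


def is_banned_name(name: str) -> bool:
    """The one-level check: does the file name alone match the banned rule?"""
    return BANNED_EXT_RE.search(name) is not None


def banned_members(data: bytes, path: str = "", depth: int = 0) -> list:
    """Return the paths of banned members inside a zip, descending into nested zips.

    Member names are read from the zip central directory, so they are visible
    even when the member contents are encrypted; only descending into an
    encrypted nested archive is skipped, because its bytes cannot be read.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive at all: nothing to inspect here
    with zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}" if path else info.filename
            if is_banned_name(info.filename):
                hits.append(member_path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted or info.file_size > MAX_MEMBER_BYTES:
                    continue  # cannot (encrypted) or will not (too large) open this nested archive
                hits.extend(banned_members(zf.read(info), member_path, depth + 1))
    return hits


def check_attachment(filename: str, data: bytes) -> list:
    """Combine both checks: the attachment's own name, then anything inside it."""
    hits = [filename] if is_banned_name(filename) else []
    hits.extend(banned_members(data))
    return hits


def _build_samples():
    """Constructed sample archives (placeholder bytes, not real executables)."""
    fedex = io.BytesIO()
    with zipfile.ZipFile(fedex, "w") as z:
        z.writestr("fedex_m1234.exe", b"MZ constructed placeholder")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
        z.writestr("fedex_m1234.zip", fedex.getvalue())
        z.writestr("readme.txt", b"harmless text")
    return fedex.getvalue(), nested.getvalue()


SAMPLE_FEDEX, SAMPLE_NESTED = _build_samples()

if __name__ == "__main__":
    # The name-only filter passes the zip; the within-archive check finds the .exe.
    print("name-only check on fedex_m1234.zip:", is_banned_name("fedex_m1234.zip"))
    print("within-archive check:", check_attachment("fedex_m1234.zip", SAMPLE_FEDEX))
    print("nested archive:", check_attachment("archive.zip", SAMPLE_NESTED))
```

A non-empty result from check_attachment is the point at which a filter would apply its final-destiny decision; as the post notes, discarding rather than bouncing avoids backscatter to the forged sender address.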
Old 10-15-2008, 10:34 AM
Junior Member
 
Posts: 9

Quote:
Originally Posted by Krishopper
Is it worth reporting this one to ClamAV (Clam AntiVirus) that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least that's what the conf/clamav.conf file implies
With the latest updates, clamav wasn't even detecting the .exe as malware even though it was. There are probably so many variations that it's hard to keep up with them which is why I like the outright .exe blocking.