Question about AntiVirus

[rainer_d]

Hi,

it seems that one can send through EXE files inside zip files (we will have to allow sending of zip-files, even "encrypted" ones).
But we found out that the scanner will let through EXEs etc. in zip-files.

What's the point of blocking all the stuff from the large list in the config just to let it through once it's put in a zip?
Can this be changed?


Regards,
Rainer

[dwmtractor]

This is an old problem. Fortunately there aren't a lot of hostile files going out in ZIP files right now, but a couple years ago it was bad enough that I actually DID block ZIP files because only one in about 30 or 40 was legit. At that time I was using a different filtering system, and when a legitimate one was blocked (by my firewall gateway) I merely pulled it out of quarantine.

It would be worth an RFE to scan for file extensions inside of zip files, although I don't know how complex that is from a programming standpoint--there I'll have to defer to the developers. Right now the file extension filter is a simple, one-level affair.

But in the meantime, there are two very simple workarounds you can use if you choose to block all ZIP files:

1. Have your users implement an alternative compression format for archives--LZH is a good one but there are many. You will find that most of the major archiving programs, including the free ones, will allow more than one file format.
2. Have them continue to use ZIP but rename the extension to something like ZIM, and then train your people to take ZIM files and rename them to ZIP to open them.

Neither is perfect, I'll grant, but they accomplish the security goal that I sense you may be after.

[area]

This is a big potential problem at the moment for one of my clients (Release 5.0.6_GA_2313.RHEL4_20080522102400 CentOS4 FOSS edition) which is receiving lots of the 'Fedex' virus emails.

The emails have an attachment called fedex_mNNNN.zip which contains a file called fedex_mNNNN.exe. Currently, ClamAV is not detecting this as a virus but TrendMicro's OfficeScan on the PCs are catching it.

So, even though Zimbra is configured to block .EXE attachments, this .exe is getting through.

I've blocked .zip files for the moment - and probably for the longer term until the blocking of attachment types can be extended to those within archive files.

[dwmtractor]

Please see Bug 30889 – Add within-archive extension blocking and vote for this bug if you agree.

[Krishopper]

Is it worth reporting this one to ClamAV (Clam AntiVirus) that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least thats what the conf/clamav.conf file implies

[bsneddon]

Until an official method for extending blocking to inside attachments is supported, I just uncommented one of the blocks in /opt/zimbra/conf/amavisd.conf.in for $banned_filename_re:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

This lets the normal Zimbra attachment blocking work while also using the blocking in amavisd-new (which DOES support blocking files inside of archives) to specifically ban those above extensions within archives. I tried sending the very same emails that were sneaking through and the logs show it being blocked now specifically due to the embedded .exe.

I also added:
$final_banned_destiny = D_DISCARD;

To prevent backscatter since the default in amavisd-new is D_BOUNCE.

[bsneddon]

Is it worth reporting this one to ClamAV (Clam AntiVirus) that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least thats what the conf/clamav.conf file implies

With the latest updates, clamav wasn't even detecting the .exe as malware even though it was. There are probably so many variations that it's hard to keep up with them which is why I like the outright .exe blocking.