
Thread: Question about AntiVirus

  1. #1 rainer_d (Intermediate Member, Zurich; joined Jul 2008)

    Question about AntiVirus

    Hi,

    It seems that EXE files can be sent through inside zip files (we will have to allow sending of zip files, even "encrypted" ones).
    But we found out that the scanner will let through EXEs etc. in zip-files.

    What's the point of blocking all the stuff from the large list in the config just to let it through once it's put in a zip?
    Can this be changed?


    Regards,
    Rainer

  2. #2 dwmtractor (Moderator, San Jose, CA; joined Jul 2007)

    This is an old problem. Fortunately there aren't a lot of hostile files going out in ZIP files right now, but a couple years ago it was bad enough that I actually DID block ZIP files because only one in about 30 or 40 was legit. At that time I was using a different filtering system, and when a legitimate one was blocked (by my firewall gateway) I merely pulled it out of quarantine.

    It would be worth an RFE to scan for file extensions inside of zip files, although I don't know how complex that is from a programming standpoint--there I'll have to defer to the developers. Right now the file extension filter is a simple, one-level affair.

    But in the meantime, there are two very simple workarounds you can use if you choose to block all ZIP files:

    1. Have your users implement an alternative compression format for archives--LZH is a good one but there are many. You will find that most of the major archiving programs, including the free ones, will allow more than one file format.
    2. Have them continue to use ZIP but rename the extension to something like ZIM, and then train your people to take ZIM files and rename them to ZIP to open them.
    Neither is perfect, I'll grant, but they accomplish the security goal that I sense you may be after.
    Cheers,

    Dan

  3. #3 area (Active Member; joined Feb 2006)

    This is a big potential problem at the moment for one of my clients (Release 5.0.6_GA_2313.RHEL4_20080522102400 CentOS4 FOSS edition) which is receiving lots of the 'Fedex' virus emails.

    The emails have an attachment called fedex_mNNNN.zip which contains a file called fedex_mNNNN.exe. Currently, ClamAV is not detecting this as a virus, but TrendMicro's OfficeScan on the PCs is catching it.

    So, even though Zimbra is configured to block .EXE attachments, this .exe is getting through.

    I've blocked .zip files for the moment - and probably for the longer term until the blocking of attachment types can be extended to those within archive files.

  4. #4 dwmtractor (Moderator, San Jose, CA; joined Jul 2007)

    Please see Bug 30889 – Add within-archive extension blocking and vote for this bug if you agree.
    Cheers,

    Dan

  5. #5 Krishopper (Dedicated Member, Minneapolis MN; joined Dec 2006)

    Is it worth reporting this one to ClamAV (Clam AntiVirus), that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least that's what the conf/clamav.conf file implies.

  6. #6 bsneddon (Junior Member; joined Dec 2007)

    Until an official method for extending blocking to inside attachments is supported, I just uncommented one of the blocks in /opt/zimbra/conf/amavisd.conf.in for $banned_filename_re:
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

    This lets the normal Zimbra attachment blocking work while also using the blocking in amavisd-new (which DOES support blocking files inside of archives) to specifically ban those above extensions within archives. I tried sending the very same emails that were sneaking through and the logs show it being blocked now specifically due to the embedded .exe.

    I also added:
    $final_banned_destiny = D_DISCARD;

    To prevent backscatter since the default in amavisd-new is D_BOUNCE.
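The rename trick in post #2 and the amavisd-new archive rule in post #6 together describe the check a practitioner wants: identify an attachment as an archive by its content rather than its extension, then test the member names inside it against the banned-extension pattern. The following is an added example in Python (not Zimbra, amavisd-new or ClamAV code) that does both in memory. The regex is the one quoted in the post; the sample attachments are constructed here and contain no real malware; the nested-archive recursion, the "encrypted-not-inspected" finding and the MAX_INFLATE size cap are this example's own additions.

```python
import io
import re
import zipfile

# The amavisd-new "banned extension - basic" pattern quoted in the post,
# in Python regex syntax: something, a dot, then a banned extension at the end.
BANNED_RE = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.IGNORECASE)

# Every non-empty ZIP starts with this local-file-header signature.
ZIP_MAGIC = b"PK\x03\x04"

# Cap on how much of one member we inflate while looking for a nested archive
# (guards against zip bombs; the value is an assumption for this example).
MAX_INFLATE = 16 * 1024 * 1024


def looks_like_zip(data: bytes) -> bool:
    """Recognise an archive by its magic bytes, not its extension, so a ZIP
    renamed to .zim (the workaround in post #2) is still inspected."""
    return data[:4] == ZIP_MAGIC


def scan_archive(data: bytes, prefix: str = "", depth: int = 2) -> list:
    """Walk a ZIP held in memory and return (member_path, finding) tuples.

    Findings:
      "banned-extension"        member name matches BANNED_RE
      "encrypted-not-inspected" member is password-protected, so its content
                                (and any archive nested in it) cannot be read
      "too-large-not-inspected" member exceeds MAX_INFLATE and is not inflated
    Names come from the central directory, which is never encrypted, so banned
    names are found inside password-protected ZIPs as well.  Nested archives
    are descended `depth` levels.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP (or corrupt): nothing to walk
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if BANNED_RE.search(info.filename):
                findings.append((path, "banned-extension"))
            if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                findings.append((path, "encrypted-not-inspected"))
                continue
            if depth <= 0:
                continue
            if info.file_size > MAX_INFLATE:
                findings.append((path, "too-large-not-inspected"))
                continue
            member = zf.read(info)
            if looks_like_zip(member):
                findings.extend(scan_archive(member, path + "/", depth - 1))
    return findings


def verdict(attachment_name: str, data: bytes) -> str:
    """Apply the policy the thread converges on: ban an attachment when it, or
    any member at any depth, carries a banned extension; pass everything else,
    including encrypted archives whose member names are clean."""
    if BANNED_RE.search(attachment_name):
        return "banned"
    if looks_like_zip(data) and any(
        finding == "banned-extension" for _, finding in scan_archive(data)
    ):
        return "banned"
    return "pass"


def build_samples() -> dict:
    """Constructed attachments for this example (no real malware): the thread's
    fedex_mNNNN.zip shape, a ZIP renamed to .zim, a nested archive, a clean one."""

    def make_zip(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    inner = make_zip({"invoice.pdf.scr": b"MZ stand-in"})
    return {
        "fedex_m1234.zip": make_zip({"fedex_m1234.exe": b"MZ stand-in"}),
        "report.zim": make_zip({"docs/report.pdf": b"%PDF-1.4", "setup.EXE": b"MZ"}),
        "nested.zip": make_zip({"readme.txt": b"hello", "more.zip": inner}),
        "clean.zip": make_zip({"notes.txt": b"hello"}),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:16s} {verdict(name, blob):6s} {scan_archive(blob)}")
```

The property the check relies on is that member names live in the ZIP central directory, which is stored in clear even for password-protected archives, so an "encrypted" fedex_mNNNN.zip still reveals fedex_mNNNN.exe by name. What encryption hides is the content, which is why neither this walk nor ClamAV can descend into an encrypted nested archive or match signatures on its members; that is the residual gap the "encrypted-not-inspected" finding reports for the caller to decide on.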

  7. #7 bsneddon (Junior Member; joined Dec 2007)

    Quote Originally Posted by Krishopper:
        Is it worth reporting this one to ClamAV (Clam AntiVirus), that it is making it through the scanner without being flagged? As far as I know, ClamAV should be unzipping the ZIP and scanning the files in it - at least that's what the conf/clamav.conf file implies.
    With the latest updates, clamav wasn't even detecting the .exe as malware even though it was. There are probably so many variations that it's hard to keep up with them which is why I like the outright .exe blocking.
