Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1
03-04-2010, 07:11 AM
Loyal Member
Posts: 84
Is AntiVirus really working?

For the past two days, messages with FakeAlert in an attachment have gotten past antivirus and been placed into the Spam/Junk folder in mailboxes. AVG on individual workstations detects the threat and locks down the Zimbra Desktop or Outlook application from syncing new mail from the mailbox.

Users are having to open their mailbox via the web mail interface, and manually delete the infected message from the Spam/Junk folder before their regular mail client (ZD or Outlook with ZCO) will re-sync with the server.

What can we do to combat this threat?

My setup: ZCS 5.0.18 GA Network Edition on Ubuntu Server 6.06 LTS w/ ClamAV 0.95.1

Definitions seem to be updated every two hours, according to /opt/zimbra/log/clamd.log.
#2
03-04-2010, 09:08 AM
Trained Alumni
Posts: 15

Check zmcontrol status and see if your antivirus and antispam are running.
#3
03-04-2010, 09:18 AM
Loyal Member
Posts: 84

That was the first thing I did, and yes, it is running.
#4
03-04-2010, 09:27 AM
Trained Alumni
Posts: 15

Is this happening to all attachments, or particular ones? I had such an issue with docx attachments, which was fixed after clearing the "wmf" extension filter from amavisd.conf and postfix_header_checks.
#5
03-05-2010, 06:16 AM
Loyal Member
Posts: 84
Virus attachments

We got another one this morning at 8:01 EST.

They have all been .ZIP files. The messages have all been of the "UPS Delivery Notification" variety that have a .ZIP file attachment with the virus payload.

This is getting to be annoying. I'm thinking that the only way to deal with this short term is to add .ZIP files to the reject list, and advise users.

FakeAlert has been around a while; how come ClamAV cannot deal with this as the messages come in at the server?
#6
03-05-2010, 06:18 AM
Active Member
Posts: 32

omg, I just had this exact same thing happen 2 days ago as well. AVG completely locked Zimbra Desktop after finding a threat in something like /store/0/1/... Now Zimbra Desktop is completely locked for one of my users, as AVG "healed" the file... I'm guessing I'll have to blow away the profile and re-add it again.
#7
03-05-2010, 06:34 AM
Loyal Member
Posts: 84

Yeah, this is a real problem, and I wish someone from Zimbra would comment, or offer some insight on this. I'm about to burn a support ticket on it.
#8
03-05-2010, 08:17 AM
Moderator
Posts: 7,928

Check to make sure your clamd definitions are indeed up to date. I get plenty of those through, and all are blocked:
Quote:
Subject: UPS Delivery Problem NR 59926.
MessageID: DEA76398839F.A90C0
Quarantine:
Report: Clamd: UPS_invoice_528.zip was infected: Suspect.Bredozip-zippwd-5
Sophos: >>> Virus 'Mal/FakeAV-BW' found in file ./DEA76398839F.A90C0/UPS_invoice_528.zip/UPS_invoice_528.exe
Sophos: >>> Virus 'Troj/BredoZp-S' found in file ./DEA76398839F.A90C0/UPS_invoice_528.zip
F-Prot6: [Found virus] <W32/Bredolab!Generic2 (not disinfectable)> ./DEA76398839F.A90C0/UPS_invoice_528.zip->UPS_invoice_528.exe
Sophos: >>> Virus 'Mal/FakeAV-BW' found in file ./DEA76398839F.A90C0/UPS_invoice_528.exe
F-Prot6: [Found virus] <W32/Bredolab!Generic2> ./DEA76398839F.A90C0/UPS_invoice_528.exe
#9
03-05-2010, 08:25 AM
Active Member
Posts: 32

Stupid question, but how do you in fact check if definitions are up to date or not...
#10
03-05-2010, 08:39 AM
Moderator
Posts: 7,928

Code:
su - zimbra
view /opt/zimbra/log/freshclam.log
Check that it has been updated recently.
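Building on the moderator's advice above, here is an added example (not from the thread, and not Zimbra's or ClamAV's own tooling) of a POSIX shell script that reads a freshclam.log and answers the question behind the original post: not just whether an update is attempted every two hours, but whether the latest attempt succeeded and which daily signature version was loaded. The log lines are a constructed sample approximating ClamAV 0.95-era freshclam output; the /opt/zimbra/log/freshclam.log path comes from the thread, while the freshclam.conf path in the sample error line is an assumption. The last function pulls file/signature pairs out of an amavisd report in the format quoted in post #8.

```shell
#!/bin/sh
# Added example, not from the thread: decide from freshclam.log whether
# ClamAV signature updates are actually succeeding, rather than merely
# being attempted on schedule. On a ZCS 5 host the real file is
# /opt/zimbra/log/freshclam.log (read it as the zimbra user).

# Constructed sample log: the 06:00 run updated daily.cld, the 08:00 run
# started but could not reach any mirror. Line format approximates
# ClamAV 0.95 output; the freshclam.conf path is assumed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Fri Mar  5 06:00:02 2010 -> ClamAV update process started at Fri Mar  5 06:00:02 2010
Fri Mar  5 06:00:02 2010 -> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Fri Mar  5 06:00:05 2010 -> daily.cld updated (version: 10505, sigs: 30119, f-level: 44, builder: ccordes)
Fri Mar  5 08:00:01 2010 -> ClamAV update process started at Fri Mar  5 08:00:01 2010
Fri Mar  5 08:00:03 2010 -> WARNING: Can't connect to database.clamav.net
Fri Mar  5 08:00:03 2010 -> ERROR: Update failed. Your network may be down or none of the mirrors listed in /opt/zimbra/conf/freshclam.conf is working.
EOF

# Daily signature version reported by the most recent successful check.
last_daily_version() {
    awk '/daily\.c[lv]d (updated|is up to date) \(version: / {
             v = $0
             sub(/.*\(version: /, "", v)
             sub(/,.*/, "", v)
         }
         END { print v }' "$1"
}

# Timestamp of the most recent line reporting a good daily signature set.
last_success_time() {
    awk '/daily\.c[lv]d (updated|is up to date)/ { t = $0; sub(/ -> .*/, "", t) }
         END { print t }' "$1"
}

# "ok" if the latest update run finished without an ERROR line, "failed"
# if it logged one, "none" if the log contains no runs at all.
last_run_status() {
    awk 'BEGIN { s = "none" }
         /ClamAV update process started/ { s = "ok" }
         /ERROR:/ { s = "failed" }
         END { print s }' "$1"
}

# Number of failed runs since the last good daily signature set.
failures_since_success() {
    awk '/daily\.c[lv]d (updated|is up to date)/ { n = 0 }
         /ERROR:/ { n++ }
         END { print n + 0 }' "$1"
}

# Extract "file: signature" pairs from an amavisd quarantine report in the
# format quoted earlier in the thread.
infected_files() {
    sed -n 's/^Report: Clamd: \(.*\) was infected: \(.*\)$/\1: \2/p' "$1"
}

# Constructed report fragment, taken from the lines quoted in post #8.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Subject: UPS Delivery Problem NR 59926.
Report: Clamd: UPS_invoice_528.zip was infected: Suspect.Bredozip-zippwd-5
EOF

report() {
    echo "last daily version:      $(last_daily_version "$SAMPLE_LOG")"
    echo "last successful update:  $(last_success_time "$SAMPLE_LOG")"
    echo "latest run:              $(last_run_status "$SAMPLE_LOG")"
    echo "failed runs since then:  $(failures_since_success "$SAMPLE_LOG")"
    echo "detections in report:"
    infected_files "$SAMPLE_REPORT"
}
report
```

On the server, point the functions at /opt/zimbra/log/freshclam.log instead of the sample file. A latest run of "failed" together with a last-success time that is hours or days old is exactly the case where the log looks busy every two hours but the loaded definitions are not advancing, which would explain signatures in the moderator's report being missed locally.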