ZIP Quarantine before Antivirus!
ZIP Quarantine before Antivirus! - 20.Jul.2004 10:13:00 AM
g.bevan
Posts: 9
Joined: 19.Jul.2004
Status: offline
Hi,
Just had a virus slip through the net (Bagle variant) because the payload was a password protected ZIP file (Toy.zip). Mail Security Quarantined the file before the virus scanners could "see" it.
Fortunately, our desktop AV caught the file when I attempted to download it from the remote moderator client.
From this it would appear as though the virus scanners run after the decompression engine. Would it be possible to change this so the virus scanning happens first, or would this mean compressed archives would not get scanned?
Thanks - Grahame.
RE: ZIP Quarantine before Antivirus! - 21.Jul.2004 12:51:00 PM
Dave D
Posts: 4
Joined: 20.Jul.2004
From: San Diego, CA
Status: offline
quote: Originally posted by Grahame: ...Just had a virus slip through the net (Bagle variant) because the payload was a password protected ZIP file (Toy.zip).
Yup... me too. I spent all day yesterday tracing the message back to the source. I am still not done with my analysis, but it appears that my mail security box was blocking this virus but allowed this one through.
I have dismissed that another POP3 or HTTP connection imported the virus. This is a pure Exchange 2000 environment protected by a gateway computer on another subnet.
The virus made it all the way to the user's desktop penetrating 4 layers of virus protection including Groupshield and GFI MailSecurity 8/SMTP.
It was a real blow for us in IT because we are the ones that are accountable for the virus breach.
I'm not sure yet how this virus made it in, but it sure looks like the MailSecurity product allowed it through somehow.
This is the first time we have had a known virus make it through in the 10 months we have been using the GFI product.
RE: ZIP Quarantine before Antivirus! - 21.Jul.2004 3:19:00 PM
denismac
Posts: 37
Joined: 2.Dec.2003
From: Oregon
Status: offline
Same here. Of the 3500 latest Bagle variants to be captured by Mail Security in the last two days, we had reports of at least 10 getting through. Fortunately no one tried opening the attachment. Neither the Norman/BitDefender signatures nor the Decompression engine caught them. To be on the safe side I have added zip files to quarantine.
RE: ZIP Quarantine before Antivirus! - 22.Jul.2004 4:22:00 AM
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Grahame,
The Decompression engine does run before the virus scanning engines. This is done so as to provide information on the compressed files in the archive. Also, normally virus scanning software and the other MailSecurity scanning features will not be able to detect corrupted archives, password protected archives and others. Therefore it is intended that the Decompression engine will scan the emails before all the other MailSecurity modules. The order of the MailSecurity modules cannot be changed.
Dave D and DenisM,
I think that you have raised a different issue than the one encountered by Grahame. In your case, it seems that the virus did not get blocked by any module in MailSecurity. However, the following should be considered:
1. Is the attachment actually a virus? We have encountered cases where an email is received by the user. The email would have the same format as the one sent by a virus. The email would also have an attachment, however the attachment is either 0 K or is totally corrupted and cannot be run by the user. In this case, the virus scanning engines may not be able to detect the virus, however the virus will not be able to do any harm.
2. The virus scanning engines use virus definitions to identify a virus. If the virus definitions are not up to date the virus will not be detected. This may also occur if a virus is very fast in spreading, and the virus scanning companies have not yet released virus definitions for the virus.
MailSecurity does provide other detection methods to try to block malicious content that is not detected by the virus scanning software.
Would it be possible that you send me a copy of the email that contained the virus? Please contact me at nicks@gfi.com and I will provide you with instructions on how to send me this information.
Thank you.
RE: ZIP Quarantine before Antivirus! - 22.Jul.2004 6:24:00 AM
g.bevan
Posts: 9
Joined: 19.Jul.2004
Status: offline
Hi Nicholas,
Thanks for the explanation. I understand what you're saying.
I guess folks should be made aware that a quarantined, password protected zip file has not passed through the virus scanning engines and therefore could contain a virus and should be treated with care, especially if the users don't have desktop antivirus!
Grahame.
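The two points made above (the decompression stage sees the archive before the AV engines, and a quarantined password-protected ZIP has therefore never been virus-scanned) come down to one field in the ZIP format: bit 0 of the general-purpose flag in each entry header marks that entry as encrypted. The following is an added example, not GFI's decompression engine or any code from this thread. It builds constructed sample archives by hand, parses the central directory to find encrypted entries, and returns a verdict that distinguishes "quarantined because it cannot be inspected" from "readable, hand to the AV engines". The file names `report.txt` and `document.txt` and the function names are assumptions made for the example.

```python
import io
import struct
import zipfile
import zlib

# ZIP general-purpose flag, bit 0: the entry is encrypted (password protected).
FLAG_ENCRYPTED = 0x0001

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Constructed DOS timestamp (2004-07-20 10:13) stamped on every sample entry.
DOS_TIME = (10 << 11) | (13 << 5)
DOS_DATE = ((2004 - 1980) << 9) | (7 << 5) | 20


def build_sample_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP from {name: bytes}.

    Constructed test data for this example. With encrypted=True the
    encryption flag bit is set on every entry while the payload is left in
    the clear: enough to exercise the gateway check below without needing a
    real password-protected archive.
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    local_parts, central_parts, offset = [], [], 0
    for name, payload in entries.items():
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        # Local header: version needed, flags, method (0 = stored), time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        local = LOCAL_SIG + struct.pack(
            "<HHHHHIIIHH", 20, flags, 0, DOS_TIME, DOS_DATE,
            crc, len(payload), len(payload), len(name_b), 0) + name_b + payload
        # Central header adds: version made by, comment length, disk number,
        # internal/external attributes and the offset of the local header.
        central = CENTRAL_SIG + struct.pack(
            "<HHHHHHIIIHHHHHII", 20, 20, flags, 0, DOS_TIME, DOS_DATE,
            crc, len(payload), len(payload), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central_dir = b"".join(central_parts)
    eocd = EOCD_SIG + struct.pack(
        "<HHHHIIH", 0, 0, len(entries), len(entries), len(central_dir), offset, 0)
    return b"".join(local_parts) + central_dir + eocd


def list_entries(data):
    """Parse the central directory and describe each entry.

    Raises ValueError on a truncated or malformed archive; a gateway should
    treat that as "cannot be inspected", never as "clean".
    """
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0 or eocd_at + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd_at + 4:eocd_at + 22])
    if cd_offset + cd_size > eocd_at:
        raise ValueError("central directory extends past its end record")
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        f = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        flags, method, csize, usize = f[2], f[3], f[7], f[8]
        name_len, extra_len, comment_len = f[9], f[10], f[11]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "compressed_size": csize,
                        "uncompressed_size": usize})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def classify_attachment(data):
    """Decide what a gateway can do with a ZIP before the AV engines see it.

    Returns (verdict, reason). Encrypted or malformed archives cannot be
    opened by signature scanners, so they are quarantined with an explicit
    "not virus-scanned" reason instead of being passed along as clean.
    """
    try:
        entries = list_entries(data)
    except ValueError as exc:
        return "quarantine", f"malformed archive, AV cannot inspect it: {exc}"
    locked = [e["name"] for e in entries if e["encrypted"]]
    if locked:
        return "quarantine", "password-protected entries not virus-scanned: " + ", ".join(locked)
    return "scan", f"{len(entries)} entry(ies) readable by the AV engines"


def stdlib_names(data):
    """Cross-check: the entry names the standard library sees in the same bytes."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_zip({"report.txt": b"quarterly numbers"})),
                        ("locked", build_sample_zip({"document.txt": b"ten bytes!"}, encrypted=True)),
                        ("truncated", b"PK\x03\x04truncated")]:
        print(label, classify_attachment(blob))
```

The verdict string is the part worth surfacing to the moderator: an item that arrives in quarantine via the "encrypted entries" path carries the reason that no AV engine has examined it, which is the warning Grahame asks for above.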
RE: ZIP Quarantine before Antivirus! - 6.Aug.2004 10:02:00 AM
ktberkey
Posts: 43
Joined: 1.Apr.2004
From: Jacksonville, FL
Status: offline
I have the server AV not scan every file as it comes in, as directed, but I scan every night at 11pm. It picks up the viruses in the quarantine. I really think the virus part should be dealt with first so I don't have viruses sitting on my server until I go through the moderator client. I have had viruses get loose from there and had to shut down the SMTP and clean up it and the Exchange server. I have the "Delete any virus found" option on, so I used to be under the impression that none would exist.
Just my 2 cents
MM64
RE: ZIP Quarantine before Antivirus! - 6.Aug.2004 12:08:00 PM
bihler
Posts: 193
Joined: 25.Apr.2004
From: New Jersey, USA
Status: offline
Sorry, Mailman, I don't agree. Just how did viruses get loose from your moderator client?
I go through the moderator client every day and delete the quarantined emails. The only ones I approve are usually from my Backup Exec software from one particular server.
It is obvious when the AV engine finds a virus, but if it finds an exploit it's deleted too.
If any user here has a legitimate use for a password-protected zip file, I have yet to hear about it. If MSEC picks up one, it gets deleted.
Maybe the secret for me is that I look at them, I don't set MSEC to delete automatically because then notifications are sent. It takes me less time to review and delete them than it does to explain to the same people day after day what has happened.
Martin
RE: ZIP Quarantine before Antivirus! - 11.Aug.2004 10:10:00 AM
thomasdietrich
Posts: 50
Joined: 14.Apr.2004
From: USA
Status: offline
I'm sort of with BOA on this one. I set my MSEC to delete any password protected zip file it encounters. I've also got it set to delete the entire email of anything it suspects as containing a virus. As was stated, I don't want any viruses sitting on my Exchange server, in the Quarantine folder or anywhere else. These couple of settings have reduced my time processing our SpamQuarantine email box immensely.
RE: ZIP Quarantine before Antivirus! - 12.Aug.2004 3:46:00 PM
bihler
Posts: 193
Joined: 25.Apr.2004
From: New Jersey, USA
Status: offline
Thomas, you say that you have it delete any password protected files it encounters, but doesn't this send a notification to the recipient?
This is what happened when I turned on the delete option for emails with viruses. I ended up spending more time on the phone answering questions about the notifications than I would have spent reviewing and deleting them.
Martin
RE: ZIP Quarantine before Antivirus! - 16.Aug.2004 9:55:00 AM
joestern
Posts: 273
Joined: 18.Sep.2003
From: Philadelphia, PA
Status: offline
Martin -
Are you deleting the e-mail, or the virus-infected attached file?
When I delete e-mails containing viruses or password-protected ZIPs, no notification is sent to the recipient.
If I deleted attached files, on the other hand, my users would receive the original e-mail with a GFI securitynotice.txt attachment, which upsets them.
RE: ZIP Quarantine before Antivirus! - 17.Aug.2004 11:02:00 AM
bihler
Posts: 193
Joined: 25.Apr.2004
From: New Jersey, USA
Status: offline
Joe, when I delete them manually I delete the entire mail, unless of course I hit the wrong button, or forget and hit the Delete key, but I have requested that GFI allow us to customise the menu bar to try and prevent this.
What happened was, I turned on the delete infected files option as I was satisfied that it was working but then the users were receiving a notification. As you say, they don't like that.
So, easier for me to quarantine and then sort and delete manually.
Martin