GFI Software

Scanning Virus in ZIP [message #116675] Tue, 14 October 2014 14:40
pcgrafix
Messages: 15
Registered: January 2012
Location: Belgium
Hi,

It seems that the antivirus scanner (or filetype scanner) is not checking a ZIP file.
An attachment (zip) with a .scr file inside was sent to the user mailbox.

I thought Kerio was also checking inside a ZIP file.

Thanks


Horemans Tom
PC GRAFIX
Re: Scanning Virus in ZIP [message #116676 is a reply to message #116675] Tue, 14 October 2014 15:39
Grabsteinschubser
Messages: 64
Registered: May 2013
Location: Berlin
Kerio is checking inside zip files but sometimes the viruses are newer than the pattern of the antivirus scanner. You can check this at virustotal.com (and if your antivirus vendor cannot find any virus you can/should send an example to your antivirus vendor - e.g. Sophos).
Re: Scanning Virus in ZIP [message #116677 is a reply to message #116676] Tue, 14 October 2014 15:45
pcgrafix
Messages: 15
Registered: January 2012
Location: Belgium
Thanks for your quick reply.
Shouldn't Kerio also not check inside the ZIP (with the attachment filter option)?


Horemans Tom
PC GRAFIX
Re: Scanning Virus in ZIP [message #116712 is a reply to message #116677] Wed, 15 October 2014 10:46
phil_w
Messages: 9
Registered: March 2005
Location: UK
I've posted my frustration on this very recently. The anti-virus is proving to be pretty useless. The argument seems to always be that a virus coming in is "too new" to be spotted. Desktop Sophos just caught this one that Connect had missed...

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Generic-S.aspx
Re: Scanning Virus in ZIP [message #116714 is a reply to message #116712] Wed, 15 October 2014 10:48
phil_w
Messages: 9
Registered: March 2005
Location: UK
Think I'm going to have a look at a separate gateway before the mailserver. Unfortunately another minus point that helps my CEO's want to move to Hosted Exchange :(
Re: Scanning Virus in ZIP [message #116717 is a reply to message #116714] Wed, 15 October 2014 11:00
pcgrafix
Messages: 15
Registered: January 2012
Location: Belgium
I got a reply from SOPHOS:

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

VOICE1311865.scr -- identity created/updated (New detection Troj/Ransom-AMO)
4434929.exe_ADS_AlternateDataS~ -- non-malicious
4434929.exe -- identity created/updated (New detection Troj/Ransom-AMO)
VOICE949-893-4839.zip -- archive file


Horemans Tom
PC GRAFIX
Re: Scanning Virus in ZIP [message #116718 is a reply to message #116712] Wed, 15 October 2014 11:02
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
"Generic S" infection is a generic response from cloud Sophos Live Protection service. It is not related to virus definitions.
With the next Kerio Connect version the integrated Sophos antivirus will also use Sophos Live Protection so the protection will be on par with the desktop version.


Re: Scanning Virus in ZIP [message #116719 is a reply to message #116718] Wed, 15 October 2014 11:07
phil_w
Messages: 9
Registered: March 2005
Location: UK
That's good news Pavel :)

Are we talking 8.4?
Re: Scanning Virus in ZIP [message #116720 is a reply to message #116719] Wed, 15 October 2014 11:44
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
phil_w wrote on Wed, 15 October 2014 11:07
That's good news Pavel :)

Are we talking 8.4?


Yes.


Re: Scanning Virus in ZIP [message #116747 is a reply to message #116675] Thu, 16 October 2014 00:59
graeme
Messages: 38
Registered: October 2013
Not that we are affected much or at all since we have a specialist product before Kerio.

A simple way to block a large chunk would be to be able to filter (not virus scan) extensions within RAR, ZIP, 7ZIP etc.

If you can block cmd, bat, exe, scr, java etc you can stop a large chunk of mass mail malware.

Any plans to release checking within archives? So many people have mentioned this also.
Re: Scanning Virus in ZIP [message #116763 is a reply to message #116675] Thu, 16 October 2014 12:37
BMAdmin
Messages: 21
Registered: July 2013
Location: UK
Can this feature be added at some stage? We too are having to quarantine ZIP files until they are manually checked due to them containing unrecognised executables.
Re: Scanning Virus in ZIP [message #116768 is a reply to message #116719] Thu, 16 October 2014 15:25
Pavel Špalek (Kerio)
Messages: 270
Registered: May 2010
Sophos Live Protection implementation in Connect was rescheduled to 8.4.1 to ensure the quality of the delivered product. Thank you for understanding.

Pavel Špalek
developer - Kerio Connect
Re: Scanning Virus in ZIP [message #116769 is a reply to message #116768] Thu, 16 October 2014 15:41
graeme
Messages: 38
Registered: October 2013
Forget AV; if you can filter by end file ext you can nab most.
Barracuda cloud service has done that for months.
New Sophos will help as direct database lookup.
Re: Scanning Virus in ZIP [message #120426 is a reply to message #116769] Wed, 01 April 2015 17:25
Machete
Messages: 187
Registered: February 2012
Location: United States
Just to confirm from the first reply of this post -

- Connect does scan inside .zip attachments for viruses? I just had a user open an .exe that was inside a zip file and I'm now evaluating where the holes are in my protection - in addition to her desktop AV not being up to date somehow...

- Does Connect scan inside .zip attachments for blocked file types? I have ZIPs allowed - but block .exe's
Re: Scanning Virus in ZIP [message #120427 is a reply to message #116675] Wed, 01 April 2015 17:29
ComputerBudda
Messages: 112
Registered: January 2013
Location: DFW - USA
I treat all zip attachments like malware, send the original mail to the user w/o the zip attachment. Send the original mail with attachment to a special email address that the administrator has access to. The user knows to go to the administrator if they need the attachment. 90% of attached zip files are an attempt to infect.