block attachment in zip

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

block attachment in zip

Post by tochi » 2015-10-29 00:45

From what I observed, 99% if not 100% of viruses are embedded in zip files. Some even use a PDF icon as their program icon. With extensions hidden by Windows default, many users believe they are harmless PDF files. So I wish hmailserver could examine zip files. Gmail simply rejects email if there's any executable file in a zip. hmailserver should block either the single file in a zip or the entire zip file if it contains any file with extensions listed in the block attachments setting. It would be nice if hmailserver could examine other formats of compressed files, but it's not necessary, because only zip is natively supported by Windows and virus emails are only in zip files. With this suggested option, I think the email virus issue can be greatly reduced.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-10-29 01:14

HMS has the ability to block ZIP as attachments entirely. Doesn't this suffice and achieve the same thing? Also, if you have a decent AV solution it should be able to examine the contents of a ZIP file (if you are allowing them through).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-10-29 01:28

No. Blocking zip directly is not a good idea. People need to send zip files because it reduces file size and/or reduces file count. Since most virus emails are zero-hour type, they cannot be detected by antivirus when they arrive at hmailserver. Gmail doesn't send or receive zip files with executables for good reasons. And it doesn't block zips without executable files.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-10-29 10:35

tochi wrote:So I wish hmailserver can examine zip files
It is simply infeasible and impractical.

As admin, you have the choice of limiting attachment sizes and, depending on the nature of your business, you might be accepting Zip files that are tens or hundreds of MB (or even GBs) big. And consequently, you are then saying that every email with a Zip file attached needs to be UNZIPPED before then being individually examined.

So what's the difference between this and receiving emails without the Zip file (and just having the individual files attached)? Well, one major difference is that HMS now has to do an extra process of unzipping a file into some temporary area, which needs extra processing time, extra disk space, and extra security risk because it is now opening a zip. What happens when the Zip file is password protected? Then, although you say most viruses are 'Zero hour', it's not always and certainly no guarantee to be; there is the risk that your server AV software then detects that unzipped virus file (in the temporary unzipped directory) and deals with it according to its own settings (which interferes with HMS and its own AV process). And of course it's not really feasible to tell your realtime protection to exclude the Windows temporary directory as that is almost certainly where all viruses will take their shoes off and start their havoc. Assuming HMS does find a banned attachment within the Zip file, and going down the "hmailserver should block either the single file" route, it then needs to recreate the Zip file without the attachment (more time and resources) before reattaching it to the existing email (somehow). It all looks like a heavy drain on system resources and time (can you imagine if your business involves receiving almost every email with Zip attachments?). Far too much can go wrong...... IMO. :wink:
tochi wrote:People need to send zip files because it reduces file size and/or reduces file count
Yes, this is true. But as you know, finding a balance between operability and security is always a challenge and you always have to make compromises in both. If your business heavily relies on Zip files for this reason then your options would be:
a, accept them and rely on a decent CLIENT PC antivirus to detect the virus when it is finally opened by the user (of course, you would be doing this anyway, right? :wink: ) OR
b, ban Zip files because you acknowledge the risks they pose and make provision to allow people to send in files (compressed or otherwise) by some other means (eg, a company 'dropbox' type) OR
c, tell users to use a different zip format (7Zip etc) - I've never heard of viruses using non-standard Windows Zip compression. Of course, this still isn't secure: what if the (innocent/naive) user doesn't know the file/document they are manually sending to you has a hidden virus (time bomb or macro based)?

Just saying.

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-10-29 11:31

I believe that the directory of a zip file can be retrieved without unzipping the entire zip file, so the performance impact is minimal. Even if the file needs to be opened to examine (nested zip), it can still be processed without using much processor power because virus emails are very small. They are all less than 100KB. We can have an option like the spam check to skip examining zips if the file size is larger than a specified value. It's fine to skip scanning password protected zips. Virus emails won't make themselves difficult to access. By the way, I think you can see the file names in a password protected zip without entering the password.

Usually people receive emails from everywhere, including from other companies or individuals. It's not practical to enforce your company policies to others.

During business hours, emails will be retrieved by users within minutes of receipt. If the antivirus on the mail server cannot detect viruses, it's very likely the AV on the clients cannot detect them either. A decent AV on the clients is useless here.

hmailserver has block attachment settings already, but they're useless in my opinion, because no one sends executable files directly, especially those virus email senders. Email viruses are all in zip files. To make it really useful, please add zip support.

mattg
Moderator
Posts: 20965
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: block attachment in zip

Post by mattg » 2015-10-29 14:45

Most virus scanners and AntiSpam appliances can check inside zips (something like "inspect containers").

does that help??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-10-29 14:50

He said no. He reckons that Zero-hour viruses won't be detected by the AV software anyway and would rather use the 'BLOCK ATTACHMENTS' feature to look inside the Zip file (......I think!)
tochi wrote:Since most virus emails are zero-hour type, they can not be detected by antivirus when they arrive hmailserver.
tochi wrote: hmailserver has block attachment settings already but it's useless in my opinion. Because no one sends executable files directly, especially those virus email senders. Email viruses are all in zip files. To make it really useful, please add zip support.

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-10-29 18:18

I don't know what sort of business Tochi is in, but it's my experience (since email really became public back in the 90s) that 99% of all viruses and malware come from surfing the Internet... Often "p0rn" and "buy really really cheap offer" and "cute kittens"... :mrgreen:

SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-10-30 00:45

jimimaseye wrote:He said no. He reckons that Zero-hour viruses wont be detected by the AV software anyway and would rather use the 'BLOCK ATTACHMENTS' feature to look inside the Zip file (......I think!)
tochi wrote:Since most virus emails are zero-hour type, they can not be detected by antivirus when they arrive hmailserver.
tochi wrote: hmailserver has block attachment settings already but it's useless in my opinion. Because no one sends executable files directly, especially those virus email senders. Email viruses are all in zip files. To make it really useful, please add zip support.
Well, I'm not reckoning. It's the truth. Antivirus programs can hardly detect any virus when virus emails arrive. ClamAV+SaneSecurity is the best I've tried but it's still far from ideal. If anyone knows any AV software with a decent detection rate (90% or above) against email viruses when emails arrive, please let me know.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-10-30 01:09

I suspect it's unreasonable to expect anyone to give this information in terms of a valid comparison, as most people use just one choice (2 at best) AND will have to have the unfortunate scenario where they are exposed to such threats at the same time whilst suffering at least ONE failure to prevent (how else could they make a comparison?). The best we can do is see what research says.

Now, if you were to read what the authors of such software say, many claim to be optimum at detecting Zero-hour or Zero Day threats.
http://www.mxlab.eu/en/zero_hour_anti_virus.html
MX Lab offers a true zero hour anti virus system that will protect your communication in the first moments of an outbreak and later on as new variants emerge.
http://www.avira.com/en/avira-free-antivirus
Our Protection Cloud is our early warning system, which analyzes unknown files in the cloud –
anonymously – from millions of users, to protect you from zero-day threats as they emerge in real time.
http://www.avg.com/eu-en/protection-features-pc
Delivers real-time security updates to you the moment they’re available so you’re better protected against 0-day threats.
http://www.bitdefender.co.uk/solutions/ ... urity.html
Bitdefender Total Security 2016 blocks everything from traditional viruses, worms, and Trojans to ransomware, zero-day exploits, rootkits, and spyware.
and so on.

BUT...... truth is..... who do you believe and how do you find out the truth? Independent tests? Look at 5 independent tests and they all seem to rate solutions differently. And how do they know there is a new Zero hour threat that has just come out to start testing for? If they had such knowledge then they should have reported it to the Antivirus solution providers to create a definition. :roll:

So to say it's "the truth" is a little strong and over-egging it, as there is no way of demonstrating the evidence to support it. Personally I wouldn't argue against it as a theory. In fact I suggested exactly this earlier in the thread.

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-10-30 01:38

If this can't be a feature, I'll start making my own antivirus program. It simply checks if there's a zip file with executable files in the specified .eml file. It returns 1 if executables are found.
But I still believe hmailserver should have this feature to reduce threats easily.

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-10-30 19:59

My home-made [antivirus] command line scanner is online and working fine. The scanning time is super fast. Most scanning operations are instant. Scanning an 18MB .eml file takes less than 1 second.
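The kind of .eml scanner tochi describes above (list a zip's central directory without extracting anything, flag entries with blocked extensions, return 1 when something is found) can be written in a few dozen lines of standard-library Python. The block below is an added example, not tochi's tool and not hMailServer code. The blocked-extension list, the 10 MB size cap (the "skip zips above a given size" option tochi proposed), the nesting limit and the sample message are all assumptions constructed here; it reads only the zip directory, so encrypted entries still have their names checked but are never decompressed, and nested zips are followed in memory rather than written to a temporary directory.

```python
"""Added example: scan an .eml for zip attachments that carry executable content.
Not hMailServer's or tochi's code; block list, size cap and sample data are assumed."""
import email
import io
import sys
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Optional

# Assumed block list, modelled on a typical "block attachments" setting.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "js", "vbs", "jar"}
MAX_ARCHIVE_BYTES = 10 * 1024 * 1024  # assumed cap: larger archives are skipped
MAX_NESTING = 3                       # how deep to follow zip-in-zip


def suspicious_name(name: str) -> Optional[str]:
    """Return why an archive entry name looks executable, or None if it does not."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTENSIONS:
        return None
    if len(parts) >= 3:
        # e.g. invoice.pdf.exe: the extension Windows hides is the real one
        return f"double extension ending in .{parts[-1]}"
    return f"blocked extension .{parts[-1]}"


def scan_zip_bytes(data: bytes, depth: int = 0) -> List[str]:
    """Inspect an in-memory zip using only its central directory; nothing touches disk."""
    findings: List[str] = []
    if len(data) > MAX_ARCHIVE_BYTES or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            reason = suspicious_name(info.filename)
            if reason:
                suffix = " (encrypted entry)" if encrypted else ""
                findings.append(f"{info.filename}: {reason}{suffix}")
            elif (info.filename.lower().endswith(".zip")
                  and depth < MAX_NESTING and not encrypted):
                try:
                    inner = zf.read(info)  # nested zip is read into memory only
                except (RuntimeError, zipfile.BadZipFile):
                    continue
                findings.extend(f"{info.filename}/{f}"
                                for f in scan_zip_bytes(inner, depth + 1))
    return findings


def scan_eml_bytes(raw: bytes) -> List[str]:
    """Walk every MIME part and scan anything that is a zip by content or by name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        filename = part.get_filename() or "(unnamed)"
        # Decide by magic bytes as well as name: a zip renamed to .pdf still starts with PK.
        if payload[:2] == b"PK" or filename.lower().endswith(".zip"):
            findings.extend(f"{filename}: {f}" for f in scan_zip_bytes(payload))
    return findings


def scan_eml_file(path: str) -> int:
    """Exit-code style result: 1 if executable content was found, else 0."""
    with open(path, "rb") as fh:
        return 1 if scan_eml_bytes(fh.read()) else 0


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample data: build an in-memory zip from a name -> bytes map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_eml(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample message with one zip attachment holding `entries`."""
    msg = MIMEMultipart()
    msg["Subject"] = "Your invoice"
    msg.attach(MIMEText("See attached."))
    att = MIMEApplication(build_zip(entries), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename="invoice.zip")
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_eml_file(sys.argv[1]))
    demo = build_sample_eml({"Invoice_2015.pdf.exe": b"MZ...", "readme.txt": b"ok"})
    print("\n".join(scan_eml_bytes(demo)))
```

Run with a path to an .eml file and check the exit status, or with no arguments to scan the constructed sample. Because only entry names are inspected, this is exactly the "block by file type" policy discussed later in the thread (it will also refuse a legitimate installer), and it says nothing about whether a .doc or .pdf inside the archive is clean; that still needs content scanning.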

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-10-31 07:14

1-2 days ago we've seen yet another malware as doc (Fedex notification thing..) with a macro hidden in it.
we often see pdf's and doc's inviting to click a link which leads to the actual malware (just to pass URIBL blocks).
etc...

IMO, the ultimate AV solution in a company environment is a trained user him/herself.
when we set up a new box we turn on "show extensions...".
we tell users not to open any attachment or click on anything at all when they receive an email from an unknown sender.
we tell users not to open any attachment without seeing its (or compressed contents) extension even if it's from a known sender. doc, xls, ppt, pdf are fine (can vary according to the nature of job), all the rest should be considered risky.
in either case first they must notify us.

as a result, our team's detection rate is by far superior to any known AV software :wink:
and if there is anyone who's not able to follow such short&simple instructions, the problem isn't the virus, but his/her existence in the company :lol:
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-02 10:31

Hi,

Just to cover a few points here.

I'm seeing malware (exe/scr/js) inside Zip/Rar/7z and even Ace archive formats.
I'm seeing macro malware inside doc/xls/docm formats.

(you can check my blog for more examples)

Most of the above are getting zero or very low Virustotal (3-4 scanners out of 50-ish) detection rates.

[links removed]

Is there a current setup guide for hmailserver and clamav/sanesecurity so I can check the setup?

Cheers,

Steve
Blog: sanesecurity.blogspot.co.uk
[link removed]

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-02 11:55

Have PM'd.

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-02 20:11

sanesecurity wrote:Hi,
Just to cover a few points here.
wohhooo, welcome Sir :wink:

too late for me. but still... :?:

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-02 22:10

Just an update to you all regarding this request:

After talking to Steve (above) I am currently in evaluation with ClamAV + sanesecurity extra definitions. As it happens, today there was a brand new .DOC macro virus released which I received in mail within about 80 minutes. And yet to my surprise my ClamAV (because of these extra definitions) caught it as a virus. (I also did further testing against other viruses I have on file that are months/years old that Clam fails to recognise by default and yet with Sane it caught them no problem.) So at this point it looked good.

But then to follow on the thread of Tochi's request, I put the same .DOC file (containing the macro, "PORDER.doc" google it) into a 7Z compressed file along with a 2nd innocuous .txt file and sent it in. When the email arrived ClamAV (with these definitions) was able to see WITHIN the Zip file and recognise that one of the files within it had a virus. Consequently HMS Antivirus (clamav) stripped the entire zip file from the email. This, in fact, mimicked EXACTLY the same result as Tochi requested of looking inside compressed files for dodgy files within and stripping the zip only if something is found (although it relies on reliable up-to-date Zero hour definitions - something that today's test, at least, showed was possible). See 'foxhole_all.cdb' for explanation: http://sanesecurity.com/foxhole-databases/

I'll be honest, I never thought I would see such a positive result from rotten ClamAV. Never in a blue moon would I have expected it.

(It's difficult to talk about this test without referencing the source of the definitions. I know it looks like blatant advertising but that really wasn't the point.)

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-11-02 23:36

jimimaseye wrote:Just an update to you all regarding this request:

After talking to Steve (above) I am currently in evaluation with ClamAV + sanesecurity extra definitions. As it happens, today there was a brand new .DOC macro virus released which I received in mail within about 80 minutes. And yet to my surprise my ClamAV (because of these extra definitions) caught it as a virus. (I also did further testing against other viruses I have on file that are months/years old that Clam fails to recognise by default and yet with Sane it caught them no problem.) So at this point it looked good.

But then to follow on the thread of Tochi's request, I put the same .DOC file (containing the macro, "PORDER.doc" google it) into a 7Z compressed file along with a 2nd innocuous .txt file and sent it in. When the email arrived ClamAV (with these definitions) was able to see WITHIN the Zip file and recognise that one of the files within it had a virus. Consequently HMS Antivirus (clamav) stripped the entire zip file from the email. This, in fact, mimicked EXACTLY the same result as Tochi requested of looking inside compressed files for dodgy files within and stripping the zip only if something is found (although it relies on reliable up-to-date Zero hour definitions - something that today's test, at least, showed was possible).

I'll be honest, I never thought I would see such a positive result from rotten ClamAV. Never in a blue moon would I have expected it.

(It's difficult to talk about this test without referencing the source of the definitions. I know it looks like blatant advertising but that really wasn't the point.)
You did see the FP rating on the foxhole databases ??? Medium to High... Did you verify with a different source that you did receive a real virus ??

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-03 00:33

Well I did raise the point to him that 'generic' and 'filename' are rated low yet the combined 'all' (seemingly featuring the two of them together) is rated medium to high. How does that happen?
SorenR wrote: You did see the FP rating on the foxhole databases ??? Medium to High... Did you verify with a different source that you did receive a real virus ??
Well, I'm not willing to open it and find out. Are you?! :lol: Seriously though, yes, it's a Trojan download macro: http://myonlinesecurity.co.uk/purchase- ... c-malware/ which downloads: https://www.virustotal.com/en/file/f533 ... /analysis/. Other checks: https://www.google.co.uk/search?q=porder.doc

(Am wondering what is better: a few False Positives which you can take time to trace back to the sender and ask for a resend, or opening a virus file because it wasn't identified as such. Hmmmmm....... maybe I'm not wondering.....)

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-03 10:46

(slightly veering off topic but.......

first night with the new evaluation Sane definitions and the overnight AV scan found 5 emails in users' boxes that had previously slipped in without being picked up by native Clam default definitions - and yes, all genuinely hooky.)

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-03 12:06

Just a quick update.

I'm working on a quick batch/rsync downloader to download the signatures you want to use with ClamWin.

In the mean time..

foxhole_all.cdb: is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malware but will obviously also block legit files someone may email to you.

foxhole_generic.cdb: these are *double extension* executable filenames, in Zip/Rar/7z/Cab archives, again should be lower risk.

foxhole_filenames.cdb: these are filenames that have been known to contain malware currently and in the past, so a lower risk.

foxhole_generic.cdb and foxhole_filenames.cdb would be a good start for blocking a lot of malware.
rogue.hdb will be updated hourly with hashes from current email malware.
phish.ndb will block malware and phishing attempts.

Cheers,

Steve
Sanesecurity.com

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-11-03 13:53

sanesecurity wrote:Just a quick update.

I'm working on a quick batch/rsync downloader to download the signatures you want to use with ClamWin.

In the mean time..

foxhole_all.cdb: is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malware but will obviously also block legit files someone may email to you.

foxhole_generic.cdb: these are *double extension* executable filenames, in Zip/Rar/7z/Cab archives, again should be lower risk.

foxhole_filenames.cdb: these are filenames that have been known to contain malware currently and in the past, so a lower risk.

foxhole_generic.cdb and foxhole_filenames.cdb would be a good start for blocking a lot of malware.
rogue.hdb will be updated hourly with hashes from current email malware.
phish.ndb will block malware and phishing attempts.

Cheers,

Steve
Sanesecurity.com
So none of the foxhole databases contain virus signatures, it's all about filenames and filenames within filenames??

It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution... :roll:

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-03 14:01

It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution...
While that's correct, there are a lot of mainstream AVs doing exactly that.. let's face it, if you have a rar file containing a file invoice.jpg.exe, would you want a user running it?

You choose what signature database(s) you are comfortable using... if you don't want to use it that's fine, but I'm trying to give people another option for their arsenal.

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-11-03 14:10

sanesecurity wrote:
It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution...
While that's correct, there are a lot of mainstream AVs doing exactly that.. let's face it, if you have a rar file containing a file invoice.jpg.exe, would you want a user running it?

You choose what signature database(s) you are comfortable using... if you don't want to use it that's fine, but I'm trying to give people another option for their arsenal.
Just for the record... I have been using ClamSup for over a year now - without the foxhole DB's - and it has mostly acted as a supplement to Spamassassin.

No viruses received in the last 12 months, either by freak coincidence or they may have eluded ClamAV, ClamSup and Avast all together. :wink:

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-03 18:51

I guess I will agree. From my testing, this Sane stuff seems quite good with Zero-hour definitions. Up to now I only ever had those wretched DOC macro type files come through (undetectable by most AVs in the first few hours and undetectable by native ClamAV seemingly forever!). Not many by all means, but 1 is 1 too many. As I have ZIP and 7Z files blocked in addition to the HMS recommended list (EXE, SCR etc) I pretty much prevent most others from coming in. All other 'older' threats got caught and scored highly by Spamassassin and were dealt with by that. However, in the last 24 hours I have had 2 or 3 newly released DOC macros come in and caught by Sane immediately. All zero-hour stuff that Spamassassin doesn't catch. (I am still evaluating and hopefully helping Sane with testing and feedback to make it available for Clamwin.)

So yes, Sane is supplementing SA (and providing a purpose for existence to ClamAV software!)

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-11-03 19:34

I didn't know about the foxhole databases, and their default is off. They are exactly what I need. Thank you guys for bringing it to my attention.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-04 19:03

SorenR wrote: So none of the foxhole databases contain virus signatures, it's all about filenames and filenames within filenames??

It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution... :roll:
In fairness, there are three options to choose from

1: block all ZIPs regardless
2: block only Zips that contain files that COULD be malware
3: block zips that DO contain malware.

Up to this week, I personally just blocked the zips (1). Now with these foxhole db's I could block zips with POTENTIAL viruses (I am still evaluating it though). And this is what Tochi initially was requesting. It's true it's not (3), which would give greater freedom and, whilst that may be a choice of operating and doing things, it requires another solution to what has currently been talked about here (in other words, a better AV solution). That said, I don't see what is wrong with (2) for most people because it's highly unlikely anyone needs Windows EXEcutables sent to them in emails. For the few that do and find it a problem for their day to day operations...then it's not an option for them (and they need to fork out extra dough for a different AV solution).

As for option (2) (these foxholes) being considered 'high risk' for false positives, I guess it's true in that it doesn't discriminate between a safe EXE and a malware EXE. But if the user never needs or has any business with having safe EXEs, PIFs, VB scripts etc sent to them, then the risk is pretty much zero (as any zip they do receive is likely to be hooky). That said, I'm still blocking all ZIPs regardless - I might change my mind and use the "foxhole_ALL" definition soon after I've finished evaluating (not that it will bring much benefit to our business practice).

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-11-04 20:12

sanesecurity wrote:foxhole_all.cdb: is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malware but will obviously also block legit files someone may email to you.

foxhole_generic.cdb: these are *double extension* executable filenames, in Zip/Rar/7z/Cab archives, again should be lower risk.

foxhole_filenames.cdb: these are filenames that have been known to contain malware currently and in the past, so a lower risk.
jimimaseye wrote:1: block all ZIPs regardless
2: block only Zips that contain files that COULD be malware
3: block zips that DO contain malware.

What you said is not consistent with what sanesecurity described. Are you on the same page?

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-04 21:53

Yes of course. (Not sure of your confusion but I will clarify).

I'm saying these are OPTIONS that an administrator of the mailserver has.
jimimaseye wrote:1: block all ZIPs regardless
as in: add .ZIP etc to the BLOCK ATTACHMENTS list in hmailserver. So simply don't allow Zips etc. At all.
jimimaseye wrote:2: block only Zips that contain files that COULD be malware
as in:
sanesecurity wrote:foxhole_all.cdb: is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malware but will obviously also block legit files someone may email to you.
so only block Zips that have known virus file TYPES in them

and
jimimaseye wrote:3: block zips that DO contain malware.
as in:
Get an antivirus solution that DOES scan individual files WITHIN archives for viruses (usually leading to getting your wallet out)

As an aside, I sent in a ZIP file with a single macro-virus .DOC in it and saneClam detected the file. I don't know which of the definitions was responsible for it but I don't use the 'foxhole_all.cdb' (I only have the other 2x foxhole dbs in place). But something is detecting a virus file IN a compressed file. How? I don't know, but I guess I don't care as long as it does.

EDIT:
I had forgotten that the latest ClamAV actually does scan inside compressed files (I just checked to confirm). So the DOC macro virus file is simply being picked up by the definition "badmacro.ndb" (I presume) due to Clam's ability to look inside zips.

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-05 06:03

jimimaseye wrote:I had forgotten that the latest ClamAV actually does scan inside compressed files (I just checked to confirm). So the DOC macro virus file is simply being picked up by the definition "badmacro.ndb" (I presume) due to Clam's ability to look inside zips.
as far as I know, ClamAV has always done so. clamd.conf, section #Archives:
# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

(BTW, what is this "badmacro.ndb"?? I don't have it in the data folder)

If I'm not mistaken, foxhole definitions are a set of regexes trying to narrow down certain filenames and extensions. Just have a look into the cdb's, they're in plain text. That said:

It looks like we are judging ClamAV here to be obsolete useless crap unless you plug in some 3rd party regex support. If so, why use it? Set up a decent anti-spam proxy such as SA or ASSP instead, switch off HM AV and antispam options, and let it do its main job only. Those malwares blocked by Clam-Sane won't even reach the stage of an AV scan as they'll get classified and optionally moved to a repository or blocked altogether as spam anyway (BLs, various sender validations, header/body regex, Bayes, attachment check etc... but first they must pass greylisting of course). I bet you'll have better FP/FN rates compared to Clam-Sane. So you hit 2 birds with 1 stone (as we say in my country):

1) you get rid of an AV
2) you have a comprehensive antispam solution

or you look for a serious AV solution - paid or free (alternatives already discussed here extensively) - offered by industry leaders.
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 09:34

katip wrote:it looks like we are judging here ClamAV being an obsolete useless crap unless you plug in some 3rd party regex support. if it's so, why use it? set up a decent anti-spam proxy such as SA or ASSP instead, switch off HM AV and antispam options, let it do its main job only. those malwares blocked by Clam-Sane won't even reach the stage of an AV-scan as they'll got classified
You're right, that's exactly what I am doing. Clam is useless with its default definitions. (See my reasons for saying so in an extensive experiment and discussion here: viewtopic.php?f=21&t=26829). And yes it took 3rd party definitions (in this case, Sane, that I am evaluating this week) to make it worthy. But it's not true that SA or ASSP makes turning off AV viable. Why? Because I already use SA! And it does not do a complete job:

1, just like AVs they also rely on definitions being written to keep them updated, which makes them equally useless against zero-hour threats (mine are updated in the evening - a good 8 or 9 hours after the 'zero-hour' threat was released) and
2, even with SA we still get various viruses through (such as .DOC macro viruses) that don't have particular patterns and/or are also often embedded within Zips. Point in proof: back in this thread:
jimimaseye wrote:After talking to Steve (above) I am currently in evaluation with ClamAV + sanesecurity extra definitions. As it happens, today there was a brand new .DOC macro virus released which I received in mail within about 80 minutes. And yet to my surprise my ClamAV (because of these extra definitions) caught it as a virus.
Where was Spamassassin saving me then?!

It is folly (and to a certain degree, irresponsible as an Administrator) to think that JUST Spamassassin (or similar) will be sufficient, or JUST "educating the users" and expecting everyone to never open things based on what they look like is enough to eliminate threats to your system (how do you educate them to spot a dodgy .DOC file?)

So, as you say, use an AV solution. Currently I happen to think that blocking known file-types is a very good start and that is what is being discussed here (that was Tochi's point of the thread after all), supplemented by trapping KNOWN VIRUSES when they arrive by zero-hour definitions in an AV solution. And it's doing a VERY good job (100% so far)
katip wrote:(BTW, what is this "badmacro.ndb"?? i dont have it in data folder)
Its part of Sanesecurity definitions.
katip wrote:As far as I've known it, ClamAV has always done so. clamd.conf, section #Archives:
# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes
Well I didn't know. I thought I read it only as recently as last year. It doesn't really matter.

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-05 12:36

jimimaseye wrote:It is folly (and to a certain degree, irresponsible as an Administrator) to think that JUST Spamassassin (or similar) will be sufficient
i didn't mean that SA or ASSP or similar can replace a full AV solution, of course not. i merely wanted to emphasize that using ClamAV just to read some regex from some text files isn't a true AV solution. i don't know about SA, never used, but ASSP monitors any defined attachment extension sets in 3 sender levels (unknown, known, no-processing), optionally blocking (& notifying the sender) or scoring, or has another more strict option to allow only certain extension set and block the rest & notify the sender.

but as i mentioned, in our setup (ASSP in front of HM), malware very rarely reaches the stage of AV scan, only 3-4 times this year till now for instance (daily about 10K incoming SMTP, international). it was exe zips from an infected PC of a customer (whitelisted) and zip (then) was allowed for known senders in our setup. ClamAV/Sane wasn't aware of it (5-6 months ago).

OTOH yes, we need an AV to extract and scan compressed contents, definitely.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 13:12

I think there is an (indirect) agreement amongst us all here that there are multi-levels of protection regarding emails and attachments, and that the more heavy handed they are the better the protection would be.

I think in order of efficacy it would be:
1. Don't have email - (100% guarantee and immediate results)
2. Don't allow attachments in email - (not quite 100% because of risks to hyperlinks)
3. Don't allow ZIPS or attachments that have extensions known to be potential carriers of viruses in email (eg, executables), and scan all emails for existing (known) malware using antispam/antiAV software - (nearly as secure as (2) whilst giving a little more freedom to use the advantages of email)
4. Allow ZIPS but don't allow attachments that have extensions known to be potential carriers of viruses in email (eg, executables), and scan all emails for existing (known) malware using antispam/antiAV software - (let's hope someone doesn't deliberately attack with password protected zipped malware)
5. Allow all extensions but scan all emails for existing (known) malware using antispam/antiAV software - (you're asking for trouble)
6. Allow all attachments, don't bother scanning and train the staff and hope they can be bothered to listen and care about your business! - (you're guaranteed to be dealing with a virus attack within the next year - at least you'll be busy)
7. Look for another job - (your motto: "it's not your problem" - you obviously live in Italy! At least you can enjoy the sun and mosquitos whilst not working.)

Obviously, most will start somewhere down the list at (3) or below but it's down to the individual to decide where and how important it is to them (higher up the list is better).

I'm currently at (3) (by blocking ZIPS and executables, and then subjecting everything to scans) but might move to (4) and allow ZIPS. (This is what Tochi was ultimately after)
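Tiers 3 and 4 above turn on what a ZIP contains rather than on the ZIP itself. As an added example (not code from the thread, hMailServer or sanesecurity), the Python below reads a ZIP's central directory without extracting anything, flags plain and double-extension executables in the spirit of the foxhole descriptions quoted earlier, recurses into nested ZIPs, and fails closed on encrypted entries, which is the password-protected case tier 4 worries about. The extension lists, the nesting limit and the sample archives are assumptions constructed for the example.

```python
"""Added example, not from the thread, hMailServer or sanesecurity: decide
whether a ZIP attachment should be blocked from its directory listing alone
(nothing is extracted to disk)."""
import io
import zipfile

# Assumed extension lists, modelled on the exe/com/scr examples quoted in the
# thread; a real deployment would take these from the block-attachments policy.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
MAX_NESTING = 3  # stop recursing into zip-in-zip chains beyond this depth


def classify_name(name):
    """Return a reason if the entry name is an executable carrier, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    if "." + parts[-1] not in EXEC_EXTENSIONS:
        return None
    # "Invoice.pdf.exe": a decoy document suffix in front of the real one.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return "double-extension executable"
    return "executable"


def inspect_zip(data, fail_closed_on_encrypted=True, depth=0):
    """Return ("allow" or "block", [(entry, reason), ...]) for ZIP bytes.

    Encrypted entries cannot be inspected, so by default they count as a
    finding instead of being waved through (fail closed)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                if fail_closed_on_encrypted:
                    findings.append((info.filename, "encrypted entry, cannot inspect"))
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
            elif info.filename.lower().endswith(".zip"):
                if depth >= MAX_NESTING:
                    findings.append((info.filename, "nesting too deep, not inspected"))
                    continue
                _, inner = inspect_zip(zf.read(info), fail_closed_on_encrypted, depth + 1)
                findings.extend((info.filename + "/" + n, r) for n, r in inner)
    return ("block" if findings else "allow"), findings


# --- constructed sample archives (built in memory, no real malware) ----------
def build_zip(entries):
    """Build a ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set flag bit 0 on every central-directory entry so the archive looks
    password protected; the data itself stays unencrypted (test data only)."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01  # signature(4) + made-by(2) + needed(2) -> flags
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


SAMPLE_CLEAN = build_zip({"report.docx": b"clean", "photos/holiday.jpg": b"jpg"})
SAMPLE_DOUBLE_EXT = build_zip({"Invoice.pdf.exe": b"MZ-stub", "readme.txt": b"hi"})
SAMPLE_NESTED = build_zip({"inner.zip": build_zip({"setup.scr": b"MZ-stub"})})
SAMPLE_ENCRYPTED = mark_encrypted(build_zip({"secret.exe": b"MZ-stub"}))

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("double-ext", SAMPLE_DOUBLE_EXT),
                          ("nested", SAMPLE_NESTED), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(label, inspect_zip(sample))
```

Filename checks of this kind only see what the archive claims to contain, so they complement rather than replace the archive scanning ClamAV does with ScanArchive enabled.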

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-05 13:34

nice analysis. thanks!
I was at #4 for a long time, then went back 1 step a while ago this year. Bullet proof till now, though I must keep an eye on the spam/virus repository. But that's fine so far..

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 14:04

katip wrote: then went back 1 step
Do you mean you went to (5) or (3) ?

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-05 14:19

No no, I went back to #3 I mean :wink:

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 14:48

Yes, I too am at that but still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions)

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-05 15:14

For these people that are interested in testing a beta...

Sigupdate v0.3 beta [Bonfire night edition]


https://www.dropbox.com/s/e1xrvp75z36dw ... 3.zip?dl=0

Thanks to Jim for lots of testing and bugfixes.

Cheers,

Steve
Sanesecurity.com

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-05 16:22

jimimaseye wrote:still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions)
If you mean "STL Invoice. M-747196.DOC#399373931" type things, this is already killed by the other AV we're using. Seen and blocked at noon today UTC +2.

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-05 17:12

katip wrote:
jimimaseye wrote:still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions)
If you mean "STL Invoice. M-747196.DOC#399373931" type things, this is already killed by the other AV we're using. Seen and blocked at noon today UTC +2.
The above was already blocked by badmacro.ndb as: Sanesecurity.Badmacro.Doc.CreObj

If you want to see how nasty these things are, here a sandbox type report:

https://www.hybrid-analysis.com/sample/ ... onmentId=2

VirusTotal Report: https://www.virustotal.com/en/file/a86c ... /analysis/

My Blog entry from early this morning, showing the detection rate of ZERO from ALL AV vendors
at the time of arrival, except for badmacro.ndb of course:

http://sanesecurity.blogspot.com/2015/1 ... ocouk.html

Cheers,

Steve
Sanesecurity.com

mattg
Moderator
Posts: 20965
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: block attachment in zip

Post by mattg » 2015-11-05 17:20

sanesecurity wrote:For these people that are interested in testing a beta...
Looks good Steve...

Can I set the log file directory?
Also the log gets overwritten each run, and it only logs time not date

Today I have
1. downloaded and configured ClamAV x64 for Windows from here >> http://www.clamav.net/downloads
2. downloaded 'RunAsService' and configured to make 'Clamd.exe' run as a service >> http://sourceforge.net/projects/runasservice/
3. downloaded your Sigupdate v0.3 beta and the required Rsync, and configured both

Enabled hMailserver to connect to ClamAV service on localhost.

Looks like it is working, now let's test
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-05 17:46

mattg wrote:
sanesecurity wrote:For these people that are interested in testing a beta...
Can I set the log file directory?
Also the log gets overwritten each run, and it only logs time not date
Good idea... I'll add that next...
Cheers,

Steve
Sanesecurity.com

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 17:54

Mattg, you can change the BAT file as you wish to handle the logging in any way you want.

We went for a single log (populated only by the current update) but you can change the
echo Started: %time% > sigupdate.log
to
echo Started: %time% >> sigupdate.log
and with anything else you want (a %date% or different path as you choose). The updates DON'T update the BAT file (it's a one-off 'install') so you can do what you like within the root 'sigupdate' directory. Just keep the "winrsync" folder and the 'DBTEMP' folder. (If you want to move the DBTEMP folder then make sure you change its location reference in the BAT)

I have been running it for a couple of days and it seems pretty trouble free.

(p.s. I assume your CLAMD.exe runs the same as mine (my installation here: viewtopic.php?f=21&t=26829 - we did it differently. I have the added benefit of having a Windows GUI frontend (context menus, systray etc) because I use Clamwin but with Clamd running behind). It's worth noting that my CLAMD doesn't need a stop/restart of the service for the new definitions to take effect because it automatically checks the definitions database and loads any new definitions that have since arrived every 10 minutes)

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 17:59

katip wrote:
jimimaseye wrote:still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions)
If you mean "STL Invoice. M-747196.DOC#399373931" type things, this is already killed by the other AV we're using. Seen and blocked at noon today UTC +2.
Not had the pleasure of receiving that this morning. :mrgreen:

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-11-05 20:25

sanesecurity wrote:For these people that are interested in testing a beta...

Sigupdate v0.3 beta [Bonfire night edition]


https://www.dropbox.com/s/e1xrvp75z36dw ... 3.zip?dl=0

Thanks to Jim for lots of testing and bugfixes.

Cheers,

Steve
Sanesecurity.com
Is this a replacement of ClamSup.bat ??
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 20:41

Soren, they are slightly different things (as I understand it).

From what I see/understand, Clamsup is a generic script used for downloading different definitions from different suppliers, right?

This SIGUPDATE.zip is a single simple BAT script whose job is simply to download SANESIGNATURES of your choice from the sane repository, and then copy them in to your existing CLAMAV definition repository (for inclusion). Could it replace CLAMSUP? Maybe. As I understand it sane also offer other 3rd party signatures as well - all you have to do is tell the "signames.txt" file which definitions you want.

I advise you can download and open it and take a look (there's only about 4 actual files in it), and really it will be self-explanatory.

SorenR
Senior user
Posts: 3700
Joined: 2006-08-21 15:38
Location: Denmark

Re: block attachment in zip

Post by SorenR » 2015-11-05 20:52

jimimaseye wrote:Soren, they are slightly different things (as I understand it).

From what I see/understand, Clamsup is a generic script used for downloading different definitions from different suppliers, right?

This SIGUPDATE.zip is a single simple BAT script whose job is simply to download SANESIGNATURES of your choice from the sane repository, and then copy them in to your existing CLAMAV definition repository (for inclusion). Could it replace CLAMSUP? Maybe. As I understand it sane also offer other 3rd party signatures as well - all you have to do is tell the "signames.txt" file which definitions you want.

I advise you can download and open it and take a look (there's only about 4 actual files in it), and really it will be self-explanatory.
Well, ClamSup is a tool for men with hair on their chest, not for boys... :mrgreen:

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-05 20:55

Yeah.

MUMMY! The nasty man is shouting!!! :lol:

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-11-06 01:00

sanesecurity wrote:Just a quick update.

I'm working on a quick batch/rsync downloader to download the signatures you
want to use with ClamWin

In the mean time..

foxhole_all.cdb : is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malware but will obviously also block legit files someone may
email to you.

foxhole_generic.cdb: these are *double extension* executable filenames, in Zip/Rar/7z/Cab archives, again
should be lower risk.

foxhole_filenames.cdb: these are filenames that have been known to contain malware currently and in the past, so a lower risk.

foxhole_generic.cdb and foxhole_filenames.cdb would be a good start for blocking a lot of malware
rogue.hdb will be updated hourly with hashes of malware from current emails
phish.ndb will block malware and phishing attempts

Cheers,

Steve
Sanesecurity.com
Thanks to the foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. It would be great if it blocked only files with macros. Blocking all files that could include macros is also acceptable, though less preferred.
SaneSecurity has already done a great job. It's just the last cockroach remaining there.

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-06 09:29

tochi wrote: Thanks to the foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. It would be great if it blocked only files with macros. Blocking all files that could include macros is also acceptable, though less preferred.
SaneSecurity has already done a great job. It's just the last cockroach remaining there.
There is an option on Sane's website to contact and suggest things to them. Perhaps he could create a 4th foxhole database that is just for DOC, XDOC etc (ie office docs that have such ability) that the individual user can then choose whether to include or not. And that would complete the squashing of your cockroaches. :D

I personally don't think it's necessary; there are already active definitions detecting these files with macros within these filetypes and blocking them individually, as in:
sanesecurity wrote:The above was already blocked by badmacro.ndb as: Sanesecurity.Badmacro.Doc.CreObj
...... and that Office apps have security options that prevent macros running (if you set it!)

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-06 12:05

Thanks to foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. it would be great if it blocks only files with macros. Blocking all files that could include macros is also acceptable though less preferred.
Are these docs with macros containing malware... or are you thinking of blocking ALL docs that have ANY macro?
If you have a sample of the doc you want blocking and it's not too confidential email it to me false_positive AT sanesecurity DOT me DOT uk with a subject of "DOC TO BLOCK"

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-06 16:47

greetings! new child born : EXCEL
https://www.virustotal.com/en/file/9ba6 ... 446820585/
(was already scored & blocked by ASSP due to invalid + suspicious HELO, but our AV would let it in!!!)

BTW, to be honest, I'm going to activate "good" ol' ClamAV again with the new SaneSecurity signatures and we'll see...

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-06 18:08

katip wrote:greetings! new child born : EXCEL
https://www.virustotal.com/en/file/9ba6 ... 446820585/
(was already scored & blocked by ASSP due to invalid + suspicious HELO, but our AV would let it in!!!)

BTW, to be honest, I'm going to activate "good" ol' ClamAV again with the new SaneSecurity signatures and we'll see...
Sane already has it in his definitions:
Friday, 6 November 2015
Sarah Jeffes Payment Notification

Description:


Sarah Jeffes Payment Notification Bill Payment_00001081/8.xls macro malware.

Headers:

From: Sarah Jeffes {messages.8040086.988724.7c0a97a59f @ messages.netsuite.com}
Subject: Payment Notification

Message Body:

Dear Supplier,

Please find attached remittance advice for payment to be processed in your account today.

Kind Regards,
AccountsKind Regards Macarthur Gas Pty Ltd.

Attachment filename(s):

Bill Payment_00001081/8.xls

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: block attachment in zip

Post by tochi » 2015-11-06 19:08

sanesecurity wrote:
Thanks to foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. it would be great if it blocks only files with macros. Blocking all files that could include macros is also acceptable though less preferred.
Are these docs with macros containing malware... or are you thinking of blocking ALL docs that have ANY macro?
If you have a sample of the doc you want blocking and it's not too confidential email it to me false_positive AT sanesecurity DOT me DOT uk with a subject of "DOC TO BLOCK"
Again, I didn't know I had to add badmacro.ndb manually. I'll add badmacro.ndb to ClamSup.ini to include the protection.

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-09 17:29

tochi wrote:Again, I didn't know I had to add badmacro.ndb manually. I'll add badmacro.ndb to ClamSup.ini to include the protection.
Good point....I've updated ClamSup.ini... and updated sigupdate download page... http://sanesecurity.com/usage/windows-scripts/

katip
Senior user
Posts: 768
Joined: 2006-12-22 07:58
Location: Istanbul

Re: block attachment in zip

Post by katip » 2015-11-09 17:53

sanesecurity wrote:I've updated ClamSup.ini... and updated sigupdate download page...
Thanks for the update. Does this mean that we can switch back to the usual clamsup update from the sigupdate beta?

BTW, do you have any news from tBB (Niko)? He disappeared suddenly without a trace :( I hope he's ok.

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-09 18:24

katip wrote:Thanks for update. does this mean that we can switch back to usual clamsup update from sigupdate beta?
sigupdate should really be used in most cases as it's easier to set up, plus it only hits the mirrors once
for ALL files when downloading, whereas clamsup hits the mirrors for EACH file it tries to download.
I only updated the ini file, so that it was downloading a current set of files. Sorry for the confusion.
katip wrote:BTW, do you have any news from tBB (Niko)? He disappeared suddenly without a trace :( I hope he's ok.
Sorry to say I believe something bad happened to Niko, last email conversation I had was on 24/02/2011,
when he said that he'd release the updated ClamAV port shortly and that his hard drive had broken and
he'd also fractured his foot... didn't hear anything after that :(

Cheers,

Steve
Sanesecurity.com

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-09 18:27

Steve, did you see my PM about the script (incompatibility with non-English systems, and also, sigupdate doesn't incorporate the other 3rd party databases that you have included in Clamsup)?

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: block attachment in zip

Post by sanesecurity » 2015-11-10 17:46

jimimaseye wrote:Steve, did you see my PM about the script (incompatibility with non-English systems, and also,

Yes, updated my version but not put it live yet. All good points though,
jimimaseye wrote:sigupdate doesn't incorporate the other 3rd party databases that you have included in Clamsup)?
ClamSup does support SecuriteInfo and MalwarePatrol, however their setup has changed since clamsup was written by Tbb (Nico) and gone more commercial, whereas at the moment I've only asked
if people will support me with a donation.. or can provide download mirrors etc.

SecuriteInfo databases (free version now updates every 24 hours)
https://www.securiteinfo.com/services/i ... amav.shtml
They have a unique download url per user.

MalwarePatrol (free version now updates every 72 hours)
https://www.malwarepatrol.net/open-source.shtml

I'll probably look into supporting both if there is a demand...

Cheers,

Steve
Sanesecurity.com

jimimaseye
Moderator
Posts: 8680
Joined: 2011-09-08 17:48

Re: block attachment in zip

Post by jimimaseye » 2015-11-11 13:45

Tochi/Katip, how about this for Zero-Hour response? What do you think?
[Screenshot attachment ZeroHour.png: no longer available]
Whilst 16 minutes later it's only being detected by 4 other companies:
[Screenshot attachment ZeroHour.png: no longer available]
Looks really good for me.