Virus check file sitting on remote site

Posted: 2017-03-20 14:29
by AndreL
Hi,

Every day some messages received include a URL to an infected file sitting on a remote site (ransomware). This site is generally a public one like Dropbox.
As the file is not in an attachment, no SPAM or virus check is done. SURBL is not relevant either.

I'm looking for a service or process to validate those files' content before the email reaches the inbox.
So basically downloading the (url) file to a secure location for a virus check.

Any advice is welcome,
Andre.

Re: Virus check file sitting on remote site

Posted: 2017-03-20 16:30
by jimimaseye
SaneSecurity definitions (used with ClamAV) contain definitions against known phishing and malware links. If you are not using any AV then I recommend: viewtopic.php?f=21&t=26829

Re: Virus check file sitting on remote site

Posted: 2017-03-20 23:21
by mattg
Yes I like those definitions too, however I'm not sure that they will be triggered by an embedded URL. I think that they only look at attachments.

@AndreL, interesting idea, but that's exactly what SURBL does. Why is SURBL 'not relevant'?
What SURBL servers are you using?

This is my list

SURBL ENTRIES:
                   multi.surbl.org      Score: 3
                  dbl.spamhaus.org      Score: 3
        uribl.spameatingmonkey.net      Score: 1
                   uribl.swinog.ch      Score: 1

Re: Virus check file sitting on remote site

Posted: 2017-03-20 23:30
by jimimaseye
mattg wrote: Yes I like those definitions too, however I'm not sure that they will be triggered by an embedded URL. I think that they only look at attachments.
They do, yes. (And I've witnessed it too).

If you view http://sanesecurity.com/usage/signatures/ you will see the 'Latest Updates' (bottom right pane) and most of them are 'Jurlbl' updates which match the links in the email bodies. However, whether they cover links that point to Dropbox downloads (as the OP stated in the 1st post), I don't know because Dropbox links are genuine links. I think the only way would be to download whatever file is pointed to in the Dropbox link and let the local AV then scan it. (Maybe some of these jurlbl signatures do cover known attachments within Dropbox - who knows.)

Re: Virus check file sitting on remote site

Posted: 2017-03-21 23:50
by AndreL
Indeed SURBL is partially the answer, as the infected files are on public repositories like Dropbox or Google Drive.
Example: https://dl.dropboxusercontent.com/s/.....bill.zip

What I did until now is:

A global regex rule on the body to detect those links: (?im:^.*https?:\/\/([^ \"\'<>:])*\.(?:zip|exe|doc|xls|vb|bat|cmd).*$)
Action: add [suspicious message] to the subject via a VBS routine and move it to the SPAM folder.

to be cont'd

NB: I'm now using:

multi.surbl.org
dbl.spamhaus.org
uribl.spameatingmonkey.net
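Added example (not code from the thread or from hMailServer): the two checks discussed above, the extension regex from AndreL's rule and the URI blocklists with the scores mattg listed, applied per extracted URL rather than per body line. The query-name construction (registered domain prepended to the zone) and the 127.0.0.x "listed" answer are how URI DNSBLs such as multi.surbl.org work; the two-label registered-domain shortcut, the weight of 2 for a suspicious extension, the sample body and the offline resolver standing in for DNS are all constructed assumptions for this example.

```python
import re
import socket
from urllib.parse import urlparse

# The forum rule used (?im:^.*...*$) to match whole body lines; here each URL is
# matched on its own, so the line anchors and inline flags are not needed.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SUSPICIOUS_EXT = re.compile(r"\.(?:zip|exe|doc|xls|vb|bat|cmd)$", re.IGNORECASE)

# URI blocklists and per-hit scores as listed by mattg in the thread.
SURBL_ZONES = {
    "multi.surbl.org": 3,
    "dbl.spamhaus.org": 3,
    "uribl.spameatingmonkey.net": 1,
    "uribl.swinog.ch": 1,
}
EXT_SCORE = 2  # weight for a link with a suspicious extension (assumed, not from the thread)


def extract_urls(body):
    """Return the http(s) URLs in a body, with trailing sentence punctuation stripped."""
    return [m.group(0).rstrip(".,;:)>]") for m in URL_RE.finditer(body)]


def registered_domain(host):
    """Last two labels of the host. Assumption: a production client would
    consult a public-suffix list so that e.g. host.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def surbl_query_name(host, zone):
    """DNS name to resolve for a URI-DNSBL lookup: <registered-domain>.<zone>."""
    return f"{registered_domain(host)}.{zone}"


def dns_resolve(name):
    """Real resolver: the A record as a string, or None when the name is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def score_message(body, resolve=dns_resolve):
    """Score a body from SURBL hits on its link domains plus suspicious file extensions."""
    score = 0
    reasons = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        if SUSPICIOUS_EXT.search(parsed.path):
            score += EXT_SCORE
            reasons.append(f"suspicious extension: {url}")
        for zone, weight in SURBL_ZONES.items():
            answer = resolve(surbl_query_name(parsed.hostname, zone))
            # URI DNSBLs answer with a 127.0.0.x address when the domain is listed;
            # the last octet is a bitmask of which sub-lists matched.
            if answer and answer.startswith("127.0.0."):
                score += weight
                reasons.append(f"{zone} lists {registered_domain(parsed.hostname)} ({answer})")
    return score, reasons


# Constructed sample body: one link to an archive on a file host, one harmless link.
SAMPLE_BODY = (
    "Please find your invoice here:\n"
    "https://files.example.net/s/abc123/bill.zip\n"
    "Our site: https://www.example.org/index.html.\n"
)

# Constructed offline resolver standing in for DNS: only example.net is "listed".
LISTED = {"example.net.multi.surbl.org": "127.0.0.8"}


def fake_resolve(name):
    return LISTED.get(name)


if __name__ == "__main__":
    total, why = score_message(SAMPLE_BODY, resolve=fake_resolve)
    print("score:", total)
    for reason in why:
        print(" -", reason)
```

With the constructed resolver the sample scores 5 (3 from the multi.surbl.org hit plus 2 for the .zip link); in production `score_message` is called without the `resolve` argument so real DNS lookups are made, and the threshold at which the subject is tagged and the message moved stays a local policy decision, as in AndreL's rule.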

Re: Virus check file sitting on remote site

Posted: 2017-03-22 14:28
by sanesecurity
Sorry for the delay.

There *used* to be a feature in ClamAV that, when it found a URL in the body, did a wget on the
link and then you could match against the downloaded file.

The feature was removed, either due to performance issues or the risk of a DoS happening.

Some known malware Dropbox links are blocked in phish.ndb or blurl.ndb.

In the meantime can you send me a zipped copy of the samples you have and I'll take a look:

false_positive@sanesecurity.org.uk