Attachment Filtering not working - ORF Forums

Attachment Filtering not working RSS Back to forum

1

Fighting against LOCKY we made some "Attachment Filtering" rules:

Filter by MIME Content type:
- application/msword // Simple Text // Replace attchment with removal..."
- multipart/mixed // Simple Text // Replace attchment with removal..."

If i take a look into a Mail with a direct Word-Attachment i see "multipart/mixed" as content type -- but Mail still passed (WITH FULL attachment inside)

Sender is on NO Whitelist

Any ideas / help?
Thank you
Uwe

Reply
by uwe.kortkamp 8 years ago
2

Hello uwe.kortkamp,

Without seeing your ORF settings and the message header of that email, I am afraid I will not be able to tell how the spam managed to get through. Having said that, instead of trying to block Locky with aggressive keyword/header filters, I would recommend using the free ClamAV antivirus for this job, as it can detect documents containing macros.

For instructions on how to set up ClamAV as an External Agent for ORF, please consult the following articles:

http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1
http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2

To enable the blocking of documents with macros, add the following line to the clamd.conf file (without the single quotes): 'OLE2BlockMacros yes'

The full list of ClamAV configuration options can be found at http://linux.die.net/man/5/clamd.conf

Please let me know if this has helped.

Reply
by Daniel Novak (Vamsoft) 8 years ago
3

Hello Daniel,
thanks for your response - a good AV scanner is not our Problem as we are using ESET NOD32.
THIS Variants of LOCKY are recognized - but will the next variant recognized in time? (same for ClamAV)

So our solution should be to block all native attached incoming Office-Documents.

partial Message Header:
From: Uwe Kortkamp <my private adress>
To: "Kortkamp, Uwe" <my office adress>
Content-Type: multipart/mixed; boundary="001a114a6b7c13d3ad052ca871f7"
Return-Path: <my private adress>
X-OriginalArrivalTime: 26 Feb 2016 11:38:13.0317 (UTC) FILETIME=[2CFF1F50:01D1708A]

ORF Attachment filter settings posted in first message.

Temporary solution is to block Attachments with known Extensions (.doc|docx and so on)

Thanks again
Uwe

Reply
by uwe.kortkamp 8 years ago
4

EDIT:
the idea to block documents with Macros only is not bad.... ESET cant this.

But Attachment filtering via MIME Type should work also!?

Reply
by uwe.kortkamp 8 years ago
5

@uwe.kortkamp: Hello uwe.kortkamp,

Yes, the Attachment Blacklist will certainly work and can be a good solution in this case, however the MIME content-type filtering should work as well when configured properly. Could you send us (to ) the ORF configuration file called orfent.ini, the original email that passed the checks and the corresponding ORF log file (e.g. orfee-2016-02-28.log) for analysis? All of the files can be be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion). Thank you!

Reply
by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

6

Hello Daniel,
thanks for your response - your has been 1 hour too early.

I found the solution by myself:
Don't know why... but only Outlook shows this attachment as 'multipart/mixed' (maybe Exchange changed something).

For testing i made a "Attachment blocking rule" "MIME TYPE */*" and ORF wrote in his log for those attachments "application/vnd.openxmlformats-officedocument. (word/excel and so on)"

With a rule "MIME TYPE application/vnd.openxmlformats-officedocument.*" it catches all those (un-) wanted Attachments.

Thanks again - so call can be closed

Reply
by uwe.kortkamp 8 years ago
7

@uwe.kortkamp: Thank you for the update. I am glad to hear that you managed to solve the issue :)

If there is anything else I can do for you, please let me know.

Reply
by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

8

Question for you Uwe: are you blocking all MS-Office document attachments or is there a certain pattern that helps protect against Locky?

I looked up the MIME attachment types and perhaps I am not understanding the thread but it looks like your rule will block all common Office formats docx, pptx, xlsx.

Source:
http://stackoverflow.com/questions/4212861/what-is-a-correct-mime-type-for-docx-pptx-etc

Thanks

Reply
by Sam Russo 8 years ago
9

@Sam Russo: Hello Sam,
yes, i am blocking ALL Office Document - but not only with this one rule.
Nobody knows about future "LOCKY's" or maybe "faked MIME Types" (dont know if its possible).

If somebody wants to send me a Office Document, he can ZIP it - so its not so easy possible to open it accidentally or maybe catch a virus through Outlook Preview Pane

I have 1 blocking rule like explained, / 3 for "application/msword" (msexcel/mspowerpoint) and 4 rules where extensions are blocked via RegExp ".*\.(doc|dot|docx|docm|dotx|dotm|docb)$" (and same for Excel/Access and Powerpoint)

Hope it helps

Reply
by uwe.kortkamp 8 years ago
(in reply to this post)

10

@uwe.kortkamp: Thanks for the clarification.

If you are running Windows then AppLocker (application whitelisting) is a good method of blocking these attacks.

Good luck,
Sam

Reply
by Sam Russo 8 years ago
(in reply to this post)

11

@Daniel Novak (Vamsoft): Thank you very much for your post Daniel - I implemented ClamAV with the "OLE2BlockMacros" option and it's working great! I went into the "Whitelist Test Exceptions" screen within ORF and enabled the "External Agents Test" so that ClamAV runs on whitelisted email also. Thanks again for the very helpful and informative post!

Reply
by Robb 8 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2