ClamAV executables in zips - ORF Forums

ClamAV executables in zips RSS Back to forum

1

I just had someone get infected by a zip file with malware executable contents that slipped through ORF + ClamAV + antivirus on computer. I wish to disable allowing executables in zip files but cannot find how to do so. Does anyone have any experience with this?

by Graham 7 years ago
2

@Graham: The attachment filtering feature of ORF does not support scanning files inside ZIP or other compressed file formats. To prevent emails with attached (zipped) EXE files from entering your network, I recommend creating an attachment filtering rule in Exchange instead. Assuming you have Exchange 2007/2010:

1. Start the Exchange Management Shell

2. Enter the following command:

Enable-TransportAgent -Identity "Attachment Filtering agent"

This will enable the Attachment filter agent if it is disabled (the Attachment Filtering agent requires the Edge transport role to be installed AFAIK)

3. Enter the following command:

Add-AttachmentFilterEntry -Name *.EXE -Type FileName

4. Now, if you issue the command

Get-AttachmentFilterListConfig

You will see that the default setting is to strip the attachment but the deliver the email. You can change this to reject by issuing the following command:

Set-AttachmentFilterListConfig –Action Reject –RejectResponse "The email you sent contains an attachment type that is not permitted. Your message was not delivered. Please remove the attachment before resending your message."

As far as I know, the Attachment filter agent scans inside ZIP files by default (I recommend testing it). The downside is that it does not support anything other than ZIP or LZH (e.g., it will not look inside RAR files), and it will not scan password protected ZIP files either, but I think it is a non-issue in this case.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

3

@Krisztian Fekete (Vamsoft): Krisztian,

I didn't thank you for your advice 3 months ago. I apologize for that. Your answer would work well, except in my case, we don't have an Edge Transport server. We have exchange 2010 with hub transport. So our options are to block zips entirely, buy an additional server and license for Exchange edge transport, or buy a full feature antivirus for exchange. The thing is, most of those are also anti spam (like forefront). It seems like such a waste to go through all the expense and effort just to cover this one scenario(an executable inside a .zip) I wish there was some way ORF could handle file exclusions inside of zips either as a new feature, or as a plugin. I think it would help people like me who have single or dual server exchange setups.

by Graham 7 years ago
(in reply to this post)

4

@Graham: I will discuss this with our lead developer: I think we could make at least a feature request out of this, and if there is significant demand for such feature, we could implement it in a future version.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

5

@Graham: Possible with an external agent.
You need:
- 7-Zip from www.7-zip.org
- emldetach from http://bitdaddys.com/emldetach.html (trial is enough)

Create a new directory for you Agent, I've called it "ZIPI", and create a directory called "logs" in it.
Copy the following script to a new file called "zipi.cmd" and don't forget to change the path-names for mytemp, zip and emldetach!

@echo off
set mytemp=c:\mta\agents\zipi\temp\
set zip="c:\program files\7-zip\7z.exe"
set emldetach="c:\program files (x86)\emldetach\emldetach.exe"
set filename="%1"
for %%F in (%filename%) do (
set file=%%~nxF
set scanin=%mytemp%in\%%~nxF\
set scanout=%mytemp%out\%%~nxF\
)
mkdir %scanin%
mkdir %scanout%
mklink %scanin%%file% %filename%
%emldetach% -autorun -sortoff -sortsenderoff -statsoff -scrapeoff -subdirsoff -inpath=%scanin% -outpath=%scanout%
rd /s /q %scanout%.emldetach
%zip% l %scanout%* > %mytemp%logs\%file%.log
rd /s /q %scanin%
rd /s /q %scanout%
find /i ".exe" %mytemp%logs\%file%.log

Then create a new External Agent and point it to that zipi.cmd file with command-line parameter {EMAILFILESPEC} and Exit Code 0 = Hit.

Now this script would do the following:
- create a seperate folder-structure for each email
- hardlink ORF's temp-file to the in-folder
- use emldetach to extract the attachments to the out-folder
- delete the emldetach-logfile
- list all filename from any attachments 7-Zip can open and log it to emailfilename.log
- delete our folder-structure
- look for ".exe" in emailfilename.log using find
find will return 0 for hit and 1 for no-hit and so does the whole script.

Please be aware that this is only a quick hacked script. It may wipe you whole harddisk (really, rd /s /q can be evil) and it will also unpack any 50MB Attachment containing trillions of files, so it may need some mechanism to avoid that.

by Winfried Pohl 7 years ago
(in reply to this post)

6

@Winfried Pohl: ok, had some time to really try my script within ORF. Some little changes:
- set filename=%1
ORF already adds that quotes
- mklink %scanin%%file% %filename% > nul
keeps the agent-output clean
- type %mytemp%logs\%file%.log | find /I ".exe"
find /i ".exe" %mytemp%logs\%file%.log works if you call that script yourself, but somehow doesn't work when called as an agent
- added filesize check to skip email larger than 1MB, return code 2 added if you want to log that

New script comes here:

@echo off
set mytemp=c:\mta\agents\zipi\temp\
set zip="c:\program files\7-zip\7z.exe"
set emldetach="c:\program files (x86)\emldetach\emldetach.exe"
set filename=%1
set maxscansize=1048576

for %%F in (%filename%) do (
set file=%%~nxF
set scanin=%mytemp%in\%%~nxF\
set scanout=%mytemp%out\%%~nxF\
set filesize=%%~zF
)
if %filesize% LSS %maxscansize% (
mkdir %scanin%
mkdir %scanout%
mklink %scanin%%file% %filename% > nul
%emldetach% -autorun -sortoff -sortsenderoff -statsoff -scrapeoff -subdirsoff -inpath=%scanin% -outpath=%scanout%
rd /s /q %scanout%.emldetach
%zip% l %scanout%* > %mytemp%logs\%file%.log
rd /s /q %scanin%
rd /s /q %scanout%
type %mytemp%logs\%file%.log | find /I ".exe"
) else (
echo Filesize %filesize% bytes is larger than configured maximum size %maxscansize% bytes, skipping scan.
exit 2
)

by Winfried Pohl 7 years ago
(in reply to this post)

7

Krisztian, thank you for considering adding my request to the official feature request list.

Winfried, thank you so much for coming up with an alternative solution. I will have to look it over to see if we can use something like that. You are right, it is quite scary to have a script with rd used so heavily.

by Graham 7 years ago
8

After some digging, I found a way to make the clamav agent reject zips with specific attachment names. For anyone interested, you create a .zmd file and put it in your clamav data folder. The contents of the .zmd file should be something like:

Block.EXE:0:\.exe$:*:*:*:*:*:*

Information found from an old thread:
http://www.gossamer-threads.com/lists/clamav/users/41362

I just changed the regex expression to block all exes.

The relevant documentation on the clamav signatures.pdf file is currently in section 3.7
http://www.clamav.net/doc/latest/signatures.pdf

by Graham 7 years ago
9

Did this ever get added to ORF as compressed files with exe's in are becoming common place?

Thanks

Darren

by darren.j.bisbey 5 years ago
10

@darren.j.bisbey: The Attachment Filtering test of ORF is not able to scan files inside archives: we recommend setting up such rules in Exchange (see my comment above) or if you do not have Exchange, set up an External Agent for this (see Winfried's solution), or use ClamAV for this (see Graham's comment).

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)

11

I was revisiting this subject after an encrypted zip with a virus made it through, I just wanted to give an update since my original example regex was incomplete. I have now created 2 zmd files, one for encrypted zips, the other for unencrypted zips. Here are the contents of both of my zmd files:

Block.Unwanted.Files:0:.*\.(exe|com|vbs|asp|asx|bas|bat|chm|cmd|cpl|crt|hta|inf|ins|jsp|lnk|mdb|mdw|msi|msc|pcd|pif|prf|reg|scf|scr|sct|url|vss|vst|vsw)$:*:*:*:*:*:*

Block.Unwanted.Encrypted.Files:1:.*\.(exe|txt|com|vbs|asp|asx|bas|bat|chm|cmd|cpl|crt|hta|inf|ins|jsp|lnk|mdb|mdw|msi|msc|pcd|pif|prf|reg|scf|scr|sct|url|vss|vst|vsw)$:*:*:*:*:*:*

by Graham CB 5 years ago
12

@Graham CB: Hmm, that seems to have gotten cut off, let's try that again. I'll just post an example with just a couple file types included:

Block.Unwanted.Files:0:.*\.(exe|com)$:*:*:*:*:*:*

Block.Unwanted.Encrypted.Files:1:.*\.(exe|com)$:*:*:*:*:*:*

by Graham CB 5 years ago
(in reply to this post)

13

@Graham CB: Thank you for sharing this.

by Péter Karsai (Vamsoft) 5 years ago
(in reply to this post)

14

@Graham CB: Thank you very much, Graham

by andrew.baker 5 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2