Dodgy attachments
Stripping attachments was one of the better decisions we made as an organization. We utilize the quarantine feature in ORF to isolate the payloads to allow for users to contact help desk if they actually need the attachment. It isn't surprising but we rarely get that many contacts back for attachments that were expected. We started blocking ZIPs back when Cryptolocker first came out and never looked back.
We also block *.bat, *.exe, *.scr, *.zip, *.rar, and *.rtf. The RTF block is because of Microsoft Security Advisory (2953095).
Just like you, we also utilize ClamAV to do our AV scanning. Unfortunately so much of what goes through email is zero-day and isn't initially picked up by signatures.
I haven't seen 7zip, arj or other arcane compression containers being used, but they definitely seem like possible targets to be used by spammers in the future. I wouldn't think twice about proactively blocking them.
@felipe.garcia:
We started getting CABs yesterday.
I've just added a whole list of extensions into the ORF blocker ... basically everything that can be opened by 7zip is now blocked (7zip - Tools - Options - System). Except zips, as we do get loads of genuine files.
But by using ClamAV I'm blocking the contents of zips, and if there is a zip/rar within a zip, or any executable file ... ClamAV will get rid of it.
Here's my ClamAV signature:
exe|txt|com|vbs|asp|asx|bas|bat|chm|cmd|cpl|crt|hta|inf|ins|jsp|lnk|mdb|mdw|msi|msc|pcd|pif|prf|reg|scf|scr|sct|url|vss|vst|vsw|zip|rar|cab
Basically, I block all attachments (by moving them to the spam bucket).
Hopefully I grab them all. Keyword filters:
.*^Content-Transfer-Encoding: binary*\s$
.*^Content-Type:\s(application/(zip|x(-zip)?-compressed)|multipart/x-zip);$
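As an added illustration of the approach in the posts above (allow zips at the top level but reject any that hold executables or nested archives, and match the archive MIME types from the keyword filters), here is a small Python filter. It is not ORF or ClamAV code; the extension list is the one posted above minus "zip", the nesting depth limit and the sample message are my own assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extension list from the ClamAV signature above, minus "zip": zips are allowed
# at the top level but their contents are inspected. rar/cab stay blocked outright.
BLOCKED_EXT = set("exe txt com vbs asp asx bas bat chm cmd cpl crt hta inf ins jsp "
                  "lnk mdb mdw msi msc pcd pif prf reg scf scr sct url vss vst vsw rar cab".split())
# Archive content types taken from the keyword filter above.
ARCHIVE_CT = re.compile(r"^(application/(zip|x(-zip)?-compressed)|multipart/x-zip)$", re.I)

def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def scan_zip(data, depth=0, max_depth=3):
    """Blocked member names inside a zip; a nested zip is itself a hit and is recursed into."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]          # cannot inspect it, so treat as a hit
    hits = []
    for info in zf.infolist():
        e = ext_of(info.filename)
        if e in BLOCKED_EXT or e == "zip":
            hits.append(info.filename)
        if e == "zip" and depth < max_depth:     # depth limit is an assumption (zip bombs)
            hits += [f"{info.filename}/{h}" for h in scan_zip(zf.read(info), depth + 1)]
    return hits

def check_message(raw):
    """Return reasons to quarantine the mail; an empty list means the attachments look clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name, ct = part.get_filename() or "", part.get_content_type()
        if ext_of(name) in BLOCKED_EXT:
            reasons.append(f"blocked extension: {name}")
        elif ext_of(name) == "zip" or ARCHIVE_CT.match(ct):
            reasons += [f"{name} contains {h}" for h in scan_zip(part.get_payload(decode=True))]
    return reasons

def build_sample():
    """Constructed sample mail: zip -> nested zip -> exe, plus a harmless pdf."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z: z.writestr("invoice.exe", b"MZ...")
    with zipfile.ZipFile(outer, "w") as z: z.writestr("invoice.zip", inner.getvalue())
    m = EmailMessage(); m["Subject"] = "Invoice"; m.set_content("see attached")
    m.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="terms.pdf")
    return m.as_bytes()
```

Running check_message(build_sample()) flags docs.zip twice (for the nested zip and for the exe inside it) and leaves the pdf alone.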
We've been quarantining attachments for a long time to be proactive instead of reactive. I'd say we snag one live virus every 10 days or so. We do this with ORF's attachment filtering, filtering by MIME content type and have one filter for each type. We have 19 filters and see no performance issues - each one is for the various "container" types (ZIP, RAR etc...). We replace it with a notice to contact our help desk. Minor inconvenience I'd say but very few malware infections :-\.
Hi all,
First of all ... I think without ORF Fusion I would be lost. Brilliant software.
Despite that, spammers are getting more and more clever....
... first they tried sending zipped/rarred exes ... I added ClamAV and blocked compressed attachments containing executable files using tweaked zmd & rmd signatures ... worked
... then they started sending zipped/rarred zips with exes ... I tweaked the signatures for zmd & rmd and this worked as well...
... now they are sending cab containers with executables ... I've blocked these using Attachment Filtering ... works a treat.
I want to be ahead of the game, and here are my questions ... what are other rather unpopular containers which are being used for sending viruses? 7z, arj?
What other unpopular containers as attachments are you blocking ?