External agent test for https/http links to viral payload downloads for whitelisted senders
@christopher.low:
You are correct, you would need an External Agent for that. Agents can be written in just about any language, including PowerShell. I have contributed a PowerShell function to a recent topic here that can load and parse an email: http://pastebin.com/G5KA12nJ -- if you are familiar with PowerShell, the rest should be easy.
Another way would be to use ClamAV. If you check out the third-party anti-phishing signatures from SaneSecurity, they appear to be quite simple, so I think you can write your own signatures without a lot of investment learning the format.
OK, I've set up ClamAV and am now researching how to block HTTP URLs by setting up custom signatures.
But frankly, I think this is something you should build into ORF.
E.g. a separate keyword blacklist exception list (i.e. whitelisted emails still run through this separate keyword blacklist).
The main thing here is that, just like the attachment filtering exception, viruses/spam/CryptoLocker are all moving towards download lockers, so I would rather have a feature to block all download-locker type emails (i.e. block Google Drive/SugarSync/Hightail/Dropbox etc.) and move them to a separate spam bucket for manual inspection.
@christopher.low: Unfortunately, there is an inherent design conflict between spam filtering and malware filtering, as demonstrated by this whitelist issue and its mitigations in ORF (specifically, Whitelist Test Exceptions). The declared focus in ORF is on spam, so even though it offers a few rudimentary tools that may catch malware as a collateral, the malware problem is still best dealt with by using a dedicated anti-virus solution that covers the entire network.
True, but in this case my antivirus (Sophos) has already prevented the payload, but the viral spam mail is still received. (In this instance, it passes SPF and comes from a whitelisted email address, i.e. the Auto Sender Whitelist.)
@christopher.low: Exactly my point, if they can already detect a threat specifically because they have the tool built for the purpose, maybe they should extend that to emails as another known attack medium.
Is there one? E.g. if you decided to whitelist a Gmail address, yet somehow a spambot sends a virus payload in the form of an https link to e.g. SugarSync, Google Drive etc., there isn't a keyword blacklist it will check as an exception, so it goes through.
So the only way it will work is an External Agent in the antivirus role exception?
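A minimal External Agent of the kind suggested earlier in the thread, written here as an added example (it is not the pastebin function, ORF's own code, or anything from the thread's participants): it reads the spooled message file, extracts http/https links and flags any that point at the download-locker hosts named above. The script assumes ORF passes the message file path as the first argument and that the agent definition is set to treat exit code 1 as a match; the host list is a constructed starting point.

```powershell
# Hypothetical ORF External Agent: flag mail whose body links to file-hosting services.
# Assumptions: the spooled message path arrives as the first argument, and the ORF
# agent definition maps exit code 1 to "match" (both are configuration, not ORF facts).
param(
    [Parameter(Mandatory = $true)]
    [string]$EmailPath
)

# Constructed blocklist of download-locker hosts named in the thread; extend as needed.
$BlockedHosts = @(
    'drive.google.com', 'docs.google.com',
    'sugarsync.com', 'hightail.com', 'dropbox.com'
)

function Get-MessageUrls {
    param([string]$Text)
    # Match http/https URLs up to whitespace, quotes or angle brackets.
    $pattern = '(?i)\bhttps?://[^\s"''<>]+'
    [regex]::Matches($Text, $pattern) | ForEach-Object { $_.Value }
}

function Test-BlockedUrl {
    param([string]$Url)
    try { $uri = [System.Uri]$Url } catch { return $false }
    $uriHost = $uri.Host.ToLowerInvariant()
    foreach ($blocked in $BlockedHosts) {
        # Exact host or any subdomain of a blocked host counts as a hit.
        if ($uriHost -eq $blocked -or $uriHost.EndsWith(".$blocked")) { return $true }
    }
    return $false
}

$raw = Get-Content -LiteralPath $EmailPath -Raw
# Undo quoted-printable soft line breaks and '=3D' so URLs split across lines reassemble.
$body = $raw -replace "=`r?`n", ''
$body = $body -replace '=3D', '='

$hits = Get-MessageUrls $body | Where-Object { Test-BlockedUrl $_ } | Select-Object -Unique

if ($hits) {
    # Output is only informational; ORF acts on the exit code per the agent definition.
    Write-Output "Blocked link(s): $($hits -join ', ')"
    exit 1
}
exit 0
```

Because the agent is keyed on the link host rather than on sender reputation, it still fires for mail that passed SPF and the Auto Sender Whitelist, which is the gap described in the thread.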