Re: zip files was Re: [AMaViS-user] decoder for zip?
From: Gene Rackow (rackow@mcs.anl.gov)
Date: Fri Oct 07 2005 - 08:45:42 CDT
On my mail server, after greylisting and AV scans of incoming email
reject the majority of the junk, I take zip and a few other attachment
types and put them into a subfolder of the user's mailbox. Then I send a notice
to the user's main mailbox about the message. It includes the to/from/subject
information as well as warnings about it possibly being viral in nature.
It also indicates that messages in this folder will only exist for a month.
This allows people to get things after vacations or company travel. If
it's not something they recognize as being of possible importance, they
never have to touch it and it will just go away.

The vast majority of the users just allow the messages to be purged.
I've only had 1 user really complain about it, but then she was one of
the main reasons to implement it. Yes, people send her real zip files,
but she took no care in deciding what to open and therefore was infected
several times in the past.

Another primary contribution to the choice for doing this is that the
vast majority of the "new" variants of virus-laden email make their way
here several hours before any of the AV sites have a pattern file for
them. By putting things into a fairly easy-to-access quarantine area,
people that are getting critical info can still get to it. For those
that are not sure, they can wait a day or so, then see what is or
isn't a virus.

The other piece of the puzzle is having the AV software recheck these
subfolders on every pattern file update. If the message is later
found to be infested, it is moved out of the user-accessible mailboxes
and another notice is sent so the user doesn't get confused by a missing
message.
--Gene
"Covington, Chris" made the following keystrokes:
>> Chris, did you maybe see something like this recently? I
>> got a fresh new (undetected) virus last night that did this.
>>
>> Oct 5 18:05:42 sf8 amavis[6312]: (06312-04)
>> do_executable/do_unzip failed, ignoring: format error:
>> bad signature: 0x00905a4d at offset 0 in file
>> /var/lib/amavis/amavis-20051005T165720-06312/parts/p004
>>
>> Oct 5 18:05:50 sf8 amavis[6312]: (06312-04) Blocked
>> BANNED (multipart/mixed |
>> application/octet-stream,.zip,pword_change.zip |
>> .exe,.exe-ms,PW_Klass.Pic.packed-bitmap.exe |
>> PW_Klass.Pic.packed-bitmap.exe), LOCAL [10.10.10.13]
>> [213.165.64.20] <G.Steck@example.at> -> <user@example.com>,
>> quarantine: banned@example.com, Message-ID:
>> <7943599a6de.6f07@uacjtuaec.com>, mail_id:
>> twvrh8bxFLNq, Hits: -, 8331 ms
>
>Yeah I've gotten similar ones. This was a recent thread on
>postfix-users as well.
>
>I don't block zip, but I block windows executables within compressed
>archives. amavisd-new picks up executables within encrypted zips as
>well. I also block message/partial message/external-body RFC2046 MIME
>types. I'm debating whether or not to ban zip - some users use .zip to
>send large files.
>
>I've noticed a lot of our business partners don't allow .zip either out
>of extreme caution or because of primitive filters which can't inspect
>zip content. What do you on these lists do?
>
>---
>Chris Covington
>IT
>Plus One Health Management
>75 Maiden Lane Suite 801
>New York, NY 10038
>646-312-6269
>http://www.plusoneactive.com
>
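The quoted log lines carry two useful lessons for anyone filtering attachments. The "bad signature: 0x00905a4d at offset 0" is the little-endian reading of the bytes 4d 5a 90 00, an MZ executable header sitting where a zip's PK signature should be, so the declared filename and the real content disagreed. The later BANNED line shows an .exe found as a member of a zip, and Chris's note that amavisd-new catches executables inside encrypted zips works because member names and the encryption flag live in the zip central directory in clear. The following Python is an added example, not amavisd-new's code and not anything posted in this thread: it classifies an attachment by leading bytes rather than extension, and lists zip members from the central directory, flagging banned extensions whether or not the member is encrypted. The banned-extension list, the magic table, the `build_zip` helper and every sample byte string are constructed for the demonstration.

```python
import io
import struct
import zipfile

# Extensions treated as Windows executables when found inside an archive
# (a constructed policy list for this example; amavisd-new's banned-name
# rules are configured separately and are not reproduced here).
BANNED_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}

# Content types recognised by leading bytes. The token names echo the ones
# amavis prints in its BANNED chain (".zip", ".exe-ms") but are this example's own.
MAGIC = [
    (b"PK\x03\x04", "zip"),   # local file header of a zip archive
    (b"MZ", "exe-ms"),        # DOS/PE executable stub
]


def sniff(data):
    """Classify content by its leading bytes, ignoring the declared filename."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def signature_word(data):
    """Little-endian 32-bit word at offset 0: the number amavis reports as
    'bad signature: 0x... at offset 0' when it expected a zip signature."""
    return struct.unpack("<I", data[:4])[0]


def list_zip_members(data):
    """Return (name, encrypted) for each member, read from the central directory.
    Names and the encryption flag (bit 0 of the general-purpose flags) are stored
    in clear even for password-protected archives, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


def _ext(name):
    name = name.lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def check_attachment(filename, data):
    """Return a list of reasons to ban the attachment; an empty list means it passes."""
    reasons = []
    kind = sniff(data)
    if kind == "exe-ms":
        reasons.append("%s: content is a Windows executable (signature 0x%08x)"
                       % (filename, signature_word(data)))
    if _ext(filename) == ".zip" and kind != "zip":
        reasons.append("%s: declared .zip but content type is %s" % (filename, kind))
    if kind == "zip":
        for name, encrypted in list_zip_members(data):
            if _ext(name) in BANNED_EXTS:
                reasons.append("%s: contains %sexecutable member %s"
                               % (filename, "encrypted " if encrypted else "", name))
    return reasons


def build_zip(members, mark_encrypted=False):
    """Build a stored zip from {name: bytes}. With mark_encrypted, set bit 0 of the
    general-purpose flags in every local header (offset 6) and central-directory
    entry (offset 8) so the archive looks password-protected to a scanner; the
    payload is left untouched because only the flag matters for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: an executable stub renamed to .zip (its first four bytes
# 4d 5a 90 00 read little-endian as 0x00905a4d, the value in the quoted log),
# a zip carrying an .exe with the encryption flag set, and a clean zip.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
ZIP_WITH_EXE = build_zip({"readme.txt": b"hello", "invoice.exe": b"MZ\x90\x00"},
                         mark_encrypted=True)
CLEAN_ZIP = build_zip({"notes.txt": b"plain text"})

if __name__ == "__main__":
    for name, blob in (("pword_change.zip", RENAMED_EXE),
                       ("report.zip", ZIP_WITH_EXE),
                       ("notes.zip", CLEAN_ZIP)):
        verdict = check_attachment(name, blob)
        print(name, "->", "BANNED" if verdict else "ok", verdict)
```

The renamed executable trips both checks (MZ content, and a .zip name whose content is not a zip), the marked-encrypted archive is banned on its member name alone, and the clean zip passes. A real gateway would also recurse into nested archives and cap decompression size, which this example leaves out.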