ZIP file attachment not recognized and therefore no file check performed
steveb_clamav at sanesecurity.com
Wed Oct 16 20:28:35 IST 2013
> On Friday we started receiving emails that contained some kind of 0-day
> malware. The Barracudas were blocking some of these emails, but based on
> score and not on the emails containing a virus. Later in the day
> Barracuda started recognizing the virus so the problem was mitigated at
> the mail gateway, but some did slip by the first line of defense and
> were passed to MailScanner.
Not sure this is what you want to do, but you could add-in ClamAV and then
add-on Sanesecurity signatures:
rogue.hdb is updated at least hourly with md5 of current emailed malware,
phish.hdb will block known and some simple guess-worked content of bad
stuff in zip/rar files.
If you want to go one stage further... add-in foxhole_generic.cdb to block
double extensions in zip/rar/7zip or foxhole_all.cdb which will block
anything bad in zip/rar/7zip... more info here:
More sig databases here:
Download Scripts here:
If you have a full/header of the missed/mangled malware and you can give me
a download link for it (pastebin etc.) I'll take a look... see if any sigs
could be tweaked to detect it in the future...
Here's an example stat of stuff being detected:
Sorry for the length of post... or if it's a little off-topic...
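As an added illustration (not code from this post, from Sanesecurity or from ClamAV) of the two detection layers mentioned above, the hash database (rogue.hdb, whose lines carry the md5 of emailed malware) and the double-extension-in-archive rule (foxhole_generic.cdb), the script below builds a tiny .hdb-style database from a constructed sample, then scans a constructed ZIP for both hash hits and members with a double extension. The .hdb line layout `md5:size:name` is ClamAV's; the signature name, the sample bytes and the simplified double-extension regex are assumptions made for this example and are much narrower than the real foxhole rules.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-ins: neither is real malware, just bytes with a known md5.
SAMPLE_BAD = b"MZ constructed stand-in for an emailed executable\n"
SAMPLE_GOOD = b"Quarterly report, nothing to see here.\n"

# Assumed signature name for the example; real rogue.hdb names differ.
EXAMPLE_SIG_NAME = "Sanesecurity.Example.Constructed"


def hdb_entry(data: bytes, name: str) -> str:
    """Build one ClamAV .hdb-style line: md5:size:name (the rogue.hdb layout)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> dict:
    """Parse .hdb lines into {(md5, size): name}; blank and comment lines are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        db[(md5.lower(), int(size))] = name
    return db


def hdb_match(data: bytes, db: dict):
    """Return the signature name if (md5, size) of data is in the database, else None."""
    return db.get((hashlib.md5(data).hexdigest(), len(data)))


# Simplified double-extension rule in the spirit of foxhole_generic: a document-looking
# extension immediately followed by an executable one (assumed list, not the real ruleset).
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif|bat|cmd|js|vbs)$",
    re.IGNORECASE,
)


def build_zip(members: dict) -> bytes:
    """Create an in-memory ZIP from {member_name: bytes} for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """List archive member names that match the double-extension rule."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if DOUBLE_EXT.search(n)]


def scan_attachment(zip_bytes: bytes, db: dict) -> list:
    """Apply both layers to every member: hash lookup on content, name rule on the filename."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            hit = hdb_match(zf.read(name), db)
            if hit:
                findings.append(f"{name}: {hit}")
            if DOUBLE_EXT.search(name):
                findings.append(f"{name}: DoubleExtension")
    return findings


if __name__ == "__main__":
    db = load_hdb(hdb_entry(SAMPLE_BAD, EXAMPLE_SIG_NAME))
    attachment = build_zip({"invoice.pdf.exe": SAMPLE_BAD, "report.txt": SAMPLE_GOOD})
    for finding in scan_attachment(attachment, db):
        print(finding)
```

The hash layer only catches bytes already seen (which is why rogue.hdb needs hourly updates), while the filename rule catches new samples that reuse the same packaging trick; running both on the same archive is the point of combining the two signature sets.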