ZIP file attachment not recognized and therefore no file check performed
Steve Basford
steveb_clamav at sanesecurity.com
Wed Oct 16 20:28:35 IST 2013
> On Friday we started receiving emails that contained some kind of 0-day
> malware. The Barracudas were blocking some of these email, but based on
> score and not on the emails containing a virus. Later in the day
> Barracuda started recognizing the virus so the problem was mitigated at
> the mail gateway, but some did slip by the first line of defense and
> were passed to MailScanner.
>
Not sure this is what you want to do but you could add-in ClamAV and then
add-on Sanesecurity signatures:
rogue.hdb is updated at least hourly with md5 of current emailed malware,
phish.hdb will block known and some simple guess-worked content of bad
stuff in zip/rar files.
If you want to go one stage further... add-in foxhole_generic.cdb to block
double extensions in zip/rar/7zip or foxhole_all.cdb which will block
anything bad in zip/rar/7zip... more info here:
http://sanesecurity.com/foxhole-databases/
More sig databases here:
http://sanesecurity.com/usage/signatures/
Download Scripts here:
http://sanesecurity.com/usage/linux-scripts/
If you have a full/header of the missed/mangled malware and you can give me
a download link for it (pastebin etc.) I'll take a look... see if any sigs
could be tweaked to detect it in the future...
Here's an example stat of stuff being detected:
http://comms.oucs.ox.ac.uk/images/stats/relay/virus-day.png
Sorry for the length of post... or if it's a little off-topic...
Cheers,
Steve
Sanesecurity.com
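As an added illustration of the two kinds of check Steve mentions (this is example code written for this page, not Steve's, Sanesecurity's or ClamAV's own code, and not how the foxhole databases are built), the snippet below reads only the central directory of a ZIP held in memory and flags members that carry a double extension such as "invoice.pdf.exe" (the foxhole_generic idea) or any executable extension at all (the foxhole_all idea). It also shows the shape of a ClamAV .hdb hash signature line (md5:size:name), which is the format rogue.hdb entries use. The extension sets and the sample archive are constructed for the example and are not the lists the real databases use.

```python
import hashlib
import io
import zipfile

# Extensions treated as executable content. This set is an assumption made for
# the example; it is not the list used by the Sanesecurity foxhole databases.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar"}

# Extensions commonly placed in front of the real one so that a mail client
# shows "invoice.pdf.exe" as if it were a document. Also an assumption.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}


def member_extensions(name):
    """Return the lowercase extension parts of an archive member name.

    'dir/invoice.pdf.exe' -> ['pdf', 'exe']; names without a dot -> [].
    """
    base = name.rstrip("/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_archive(zip_bytes):
    """Inspect the member names of a ZIP held in memory.

    Returns a dict with two lists: 'double_extension' (an executable hidden
    behind a document-looking extension) and 'executable' (any member whose
    final extension is executable). Only metadata is read; no member content
    is extracted, so a hostile payload is never written to disk.
    """
    result = {"double_extension": [], "executable": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = member_extensions(info.filename)
            if not exts:
                continue
            if exts[-1] in EXECUTABLE_EXTS:
                result["executable"].append(info.filename)
                if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
                    result["double_extension"].append(info.filename)
    return result


def hdb_line(data, malware_name):
    """Build a ClamAV .hdb hash signature line (md5:size:name) for a payload,
    the same shape as the rogue.hdb entries mentioned in the post."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), malware_name)


def build_sample_zip():
    """Constructed sample archive for the demonstration; the 'MZ' members are
    placeholder bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 harmless placeholder")
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("notes/readme.txt", b"just text")
        zf.writestr("setup.scr", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    verdict = classify_archive(sample)
    print("double extension:", verdict["double_extension"])
    print("executable:", verdict["executable"])
    print(hdb_line(sample, "Example.Constructed.Sample"))
```

On the constructed archive the generic-style check flags only "invoice.pdf.exe", while the all-style check also flags "setup.scr", which is the trade-off between the two foxhole databases in the post: the broader rule catches more but will also stop legitimately mailed executables.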