
Delete zip file attachments containing .exe


FTL


Hi all,

 

My mail server is being hammered daily with 1500+ emails with zip file attachments containing an .exe.

 

I'd imagine most are CryptoLocker!

 

ESET is catching 95% of them and moving them to my Exchange quarantine mailbox, but still there are some getting through to users' Outlooks!

 

I have amended my spam threshold score to as low as I can possibly go without catching legit mail (currently score 64).

 

Please, is it possible to just have ESET reject/delete anything that has an .exe inside of a zip file?

I don't understand why it is not scanning all zip file attachments anyway; it should detect the .exe and delete it.

 

I can't just block zip attachments across the board, as we have legit zip files that come in from many sources, too many to add manual whitelist entries for.

 

Surely this is possible, but I've combed over and over the settings and can't find where to do this.

 

Please help me find this setting.

 

 

Mail Security for Windows 4.5.10019 running on a Server 2008 machine running just Exchange.


  • Administrators

Currently it's not possible to delete / quarantine only archives with at least one executable file inside. However, this is a feature that we'd like to have added as soon as possible.


Thank you for replying, Marcos.

 

Why is this not possible in a product designed to protect a mail server?

It's a mail security product you're offering, then, that isn't actually secure at all!

 

Is this a feature we can expect in weeks/months?

 

I'm shocked that this isn't possible.


Unfortunately not, Peter (thank you for your reply). We receive many .zips that are legitimate from a wide range of sources, far too many to whitelist individually.

 

How come the AV program itself does not scan the zip file, see the .exe and quarantine it anyway?

As an AV it surely has the ability to scan inside of a zip file, even if it cannot delete the whole attachment yet at mail server level?

 

If i zip up a folder on my desktop and then scan it with Endpoint then it scans all files inside the zip folder.

 

Where does the difference lie?


  • 2 weeks later...

I'd quite like to see an answer or update to this topic. I'm a reseller and I am getting daily complaints from our clients using EMSX about ZIP files containing viruses making it through to the desktop.

 

I completely agree with FTL: EMSX should be able to scan within archives (ZIP or otherwise) and I was amazed to be told by ESET support that it doesn't.

 

I do appreciate the performance overhead this would put on the Exchange server but given the recent increase in these kinds of virus attacks it is absolutely necessary.

 

Competing Exchange AV products do have this feature, so when can we expect this feature to be implemented in EMSX?


Likewise, Reformit. We too are resellers, and if it wasn't for the fact that we have many clients using ESET on our say-so, I'd have sacked ESET off and got in a mail security product that is actually secure as soon as I was told this basic, necessary feature doesn't actually exist!

 

We are very unhappy resellers and end users at the moment!


  • ESET Moderators

Hello,

 

We are speaking about two different things.

EMSX scans inside archives; you can check the setting in Antivirus and antispyware under Server protection in settings.

 

What we are not able to do is to create a rule like "delete all messages with a compressed attachment containing an executable file".

So the rule analyzer is checking only the attachment itself (not its content if it is an archive), but the virus scanner is scanning for malware inside archives.


We are an end user who has the problem of getting lots of zipped .exe files getting through to our mailboxes. The NOD32 desktop client catches them as viruses when you try to download the file from OWA or open them in Outlook; however, EMSX doesn't. The setting to scan archives is checked in EMSX.

 

I have just (today) phoned ESET UK support and been told that EMSX doesn't scan zip files and the only way to prevent it is to block all zip files.


  • Administrators

Does anybody know of any mail server security solutions that check for executable files in archives and allow removing them?


Hello,

 

We are speaking about two different things.

EMSX scans inside archives; you can check the setting in Antivirus and antispyware under Server protection in settings.

 

What we are not able to do is to create a rule like "delete all messages with a compressed attachment containing an executable file".

So the rule analyzer is checking only the attachment itself (not its content if it is an archive), but the virus scanner is scanning for malware inside archives.

 

Hi Peter,

 

I have double checked my server settings as suggested and confirm that everything is set up how it should be for the virus scanner to scan inside archives.

 

However, it doesn't explain the fact that in any given hour of the day my own Exchange quarantine mailbox can accumulate 300+ emails marked as spam, and the majority of them contain an .exe inside a zip!

I'd say that over a whole day, if we get 10 that are actually caught and moved to the quarantine folder's Infected Items saying "XYZ infection has been found", we have had a good day!

 

Surely the AV side of EMSX should be catching these and marking them all as infections, not just the odd few, even if the rule side of deleting anything with exe inside an archive cannot be achieved?

 

 

99% of the mail I get quarantined that has .exe attachments is just marked with SPAM.

 

Example: even though this email has a zip file attached containing Invoice.pdf.exe:

 

Delivery of this message to the following recipients or groups is quarantined:

 

user@company.com

 

Subject: [SPAM] Barclays transaction notification #987997

 

Diagnostic information for administrators:

 

Generating server: company.com

 

user@company.com

#550 5.2.1 The message was rejected and quarantined by ESET Mail Security. The original message is attached. ##

 

Then 3 minutes later I get:

 

 

Delivery of this message to the following recipients or groups is quarantined:

 

user@company.co.uk

 

Subject: [SPAM] [virus Win32/TrojanDownloader.Wauchos.X trojan] Barclays transaction notification #628674

 

 

Diagnostic information for administrators:

 

Generating server: company.co.uk

 

user@company.co.uk

#550 5.2.1 The message was rejected and quarantined by ESET Mail Security. The original message is attached. ##

 

So why are all .exe archives not being stripped out like in the last example, and appended with what was found?

 

Either that, or we are a very, very unlucky company and get hit with the newest variants all the time that have been undetected and not added to the spam updates yet.

 

Then I'm having to comb through my quarantine mailbox every day, which contains thousands of spam mails, 95% containing .exe infections, trying to fish out any legit ones it may have caught; that gets pretty tiring, very quickly.

 

When I then have to do it for clients on managed contracts who don't have onsite IT personnel as well, you can start to see how I've gotten angry with this issue!

 

It's a lot of my time wasted daily.

 

I'm not ESET bashing here, so please don't think I am; I'm trying to give constructive criticism on issues that end users in the real world are facing, issues I know you are not ignorant of nor already unaware of.


Does anybody know of any mail server security solutions that check for executable files in archives and allow removing them?

 

Symantec Messaging Gateway.

 

Trend Micro WFBS and SMEX also have the ability to set rules to scan inside zips and delete them at server level.

 

 

If Symantec, the world's worst vendor of AV, can, anybody can, I'll ever know!


I had assumed this was a standard feature, which was the second reason I convinced my boss to buy the product (the first was the anti-spam feature). Since we use ESET on the desktop, it was an easy sell. And like the above posters, I can't just deny ALL zip files, as we e-mail AutoCAD files, which compress very well in zip files. If I block THOSE, I have just blocked our money maker. That's not going to happen.

 

How hard can it be to have the zip file list (not extract) the contents of the zip archive, then just grep for *.exe (or any other executable), and if ANY are found, block it!

 

The Linux equivalent would be "for f in *.zip; do unzip -l "$f" | grep -i '\.exe$'; done" (unzip -l takes one archive at a time, and the pattern is anchored so that it matches the extension rather than ".exe" anywhere in a name).

 

In Windows, 7-Zip is free (even for commercial use), and provided it's installed to the system path, it can be run from the command line as well, like so: "7z l *.zip | find /i ".exe""

 

Food for thought :)


  • 4 months later...
  • Administrators

Is this feature even on a development roadmap yet?

 

You could hold your breath before this feature becomes available :) More information soon...


Hi,

I have installed the update (and checked the version number), checked the "potentially dangerous attachments" box in Server protection -> Antivirus & antispyware -> Setup, and even rebooted the server; however, I am still getting emails with viruses in zip files through. Looking at the header, the email in question has been marked "X-EsetResult: clean, is OK"; however, as soon as I click on the email, NOD32 on my local machine sees it as a virus and moves it to Infected Items. It has a zip file attached, with one directory in it, and under that directory is a .exe. Am I missing a configuration option?


  • ESET Moderators

Hello PyROm,

 

Do you still face the issue?

 

If yes, please clear all logs and enable diagnostic synchronized logging.

As soon as such an attachment passes the scanner, revert the logging settings back to defaults and provide us with:

1. output from ESET log collector

2. exported messages (at least 3 of them)

 

Pack it into one archive and send me a private message with the download link and encryption password.

We will check it.


Hi,

 

It seems to be working now. I have enabled it to set the spam score to 100% on detection of a virus, then created a rule on Exchange to delete anything with a spam score of 100%. Since doing this I have had no reports from ESET Endpoint detecting a virus from email.

 

Thanks

Robin


  • 3 weeks later...

What exactly is the option? Under each rule I see the "By attachment type", but I don't even remember if this was there before.

 

From looking, it seems that only does blocking based on file type, ignoring the extension, so an EXE file with .doc would be picked up by this.

 

But I still don't see where it will scan inside an archive to check?

 

 

Edit:

 

Is it ThreatSense > Objects > Archives/Self-extracting archives? This sounds like it will be okay for the AV scan, but does that also mean any attachment I specify above would be looked for in archives as well?


  • 3 weeks later...
  • ESET Moderators

Hello,

 

The rules based on the content of an archive will be available in the next major version of EMSX.

 

There are already rules to detect the real file type, i.e. an exe renamed to .doc will be picked up as .exe; moreover, there is a new rule to detect dangerous attachments with double extensions, for example invoice.pdf.exe.

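The two ideas in this thread, the "list the archive and grep for .exe" approach from the 7-Zip/unzip post and the real-file-type and double-extension rules the moderator describes above, can be combined into one check that never extracts the attachment to disk. The following is an added example written for this thread; it is not ESET code and does not show how EMSX implements its rules. The executable and document extension lists are assumptions, the sample archives are constructed inline, and only the first two bytes of each entry are decompressed, which is what lets it catch an .exe renamed to .doc (something a name-only listing misses).

```python
"""Inspect a ZIP attachment for executables without extracting it to disk.

Added example for this thread, not ESET's code. It combines the
"list the archive and grep for .exe" idea with the two rules mentioned
later in the thread: real file type (an .exe renamed to .doc) and double
extensions (invoice.pdf.exe). Extension lists and sample archives below
are assumptions / constructed data for the example.
"""
import io
import zipfile

# Assumption: a typical Windows executable / script extension list.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Assumption: "document-looking" extensions that form the first half of a
# double extension such as invoice.pdf.exe.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_ENTRIES = 1000  # refuse absurd archives instead of walking them


def suffixes(name):
    """All extensions of an entry name, lower-cased: 'a/Inv.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def is_double_extension(name):
    """True for document.<doc ext>.<exec ext>, the invoice.pdf.exe pattern."""
    s = suffixes(name)
    return len(s) >= 2 and s[-1] in EXEC_EXTENSIONS and s[-2] in DOC_EXTENSIONS


def inspect_zip(data):
    """Return [(entry_name, [reasons...]), ...] for suspicious entries, [] if clean.

    Only the first two bytes of each entry are decompressed, so a large
    archive is never inflated to disk or memory. Raises ValueError when the
    archive cannot be judged (not a ZIP, or too many entries).
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP archive") from exc
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ValueError("too many entries (%d)" % len(infos))
        for info in infos:
            if info.is_dir():
                continue
            reasons = []
            s = suffixes(info.filename)
            if s and s[-1] in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if is_double_extension(info.filename):
                reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Encrypted entry: content cannot be checked, so treat as suspect.
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ":
                    reasons.append("MZ header (PE executable)")  # exe renamed to .doc
                elif head == b"PK":
                    reasons.append("nested archive")  # recurse or reject
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def block_message(data):
    """Policy decision: True if the attachment should be rejected/quarantined."""
    try:
        return bool(inspect_zip(data))
    except ValueError:
        return True  # fail closed on archives we cannot judge


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a legitimate CAD drawing, the invoice.pdf.exe lure,
# an .exe renamed to .doc, and a zip-in-zip.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "clean":   make_zip({"drawing.dwg": b"AC1027" + b"\x00" * 32}),
    "lure":    make_zip({"Invoice.pdf.exe": PE_STUB}),
    "renamed": make_zip({"report.doc": PE_STUB}),
    "nested":  make_zip({"inner.zip": make_zip({"payload.exe": PE_STUB})}),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, "BLOCK" if block_message(blob) else "allow", inspect_zip(blob))
```

Two caveats a practitioner should keep in mind: a password-protected archive (the flag bit 0x1 branch) cannot be content-checked at all, so the only safe policy is to treat it as suspect, and a nested archive has to be recursed into or rejected outright, since the outer listing only ever shows "inner.zip". On the Exchange host itself the same logic would more naturally be typed into PowerShell; Python is used here so the example runs anywhere.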

Aloha, glad to see we have this capability now.

 

In order to upgrade my EMSX install, do I have to uninstall the old version first, or can I install the new version over the old one?

