
Help suggestion to filter virus

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7123
Printed Date: 24 November 2017 at 1:15pm


Topic: Help suggestion to filter virus
Posted By: meatboy
Subject: Help suggestion to filter virus
Date Posted: 22 October 2015 at 1:43am
Hi,
I have a user who is regularly getting an email bearing a zipped attachment. The attachment contains a file "swift copy.exe" which is the virus payload. The zip file's name seems to change and I cannot block zip files. We do have virus checking within Spamfilter ISP active, but it does not seem to pick it up.

Is there any suggestion on how to block this?

Thank you.

Tim



Replies:
Posted By: LogSat
Date Posted: 22 October 2015 at 8:23am
Tim, if you can forward the zip to us at support at logsat dot com we'll have the virus added to the definition updates within a few hours.

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: meatboy
Date Posted: 22 October 2015 at 6:21pm
Hi Roberto,

That could be a bit tricky, as it is hard to get a copy: the end user's desktop AV picks it up.
Here is Trend Micro's alert, if that helps:


Virus/Malware: TROJ_ZEMOT.XXTVT

Endpoint: PC

Domain: xxxxxxxx

File: C:\Users\PC\AppData\Local\Microsoft\Windows Live Mail\EE China -  66f\???\7CE64DB9-0010A22C.eml (swift copy.exe)

Date/Time: 22/10/2015 8:29:26

Result: Unable to send the quarantined file to the designated quarantine folder


I was hoping for perhaps some kind of keyword that would pick up the file name within the zip file?
One other issue I may have is this could be coming from a whitelisted user but I can clear out the whitelist and manually check them.

thanks



Posted By: LogSat
Date Posted: 22 October 2015 at 10:00pm
When there are waves of viruses like the one you are seeing, most of the time some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens because other filters will detect the malicious emails based on the IP and/or email address of the sender.

In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:

SELECT TOP (100)
       tblMsgs.MsgID, tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc,
       tblQuarantine.RejectDetails, tblQuarantine.QuarID, tblQuarantine.EmailFrom,
       tblQuarantine.Subject, tblMsgs.Msg
FROM tblRejectCodes
     INNER JOIN tblQuarantine  ON tblRejectCodes.RejectID = tblQuarantine.RejectID
     INNER JOIN tblContentType ON tblQuarantine.MsgID    = tblContentType.MsgID
     INNER JOIN tblMsgs        ON tblContentType.MsgID   = tblMsgs.MsgID
WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24)   -- quarantined within the last 24 hours
  AND ( (tblMsgs.Msg LIKE N'%application/zip%')
     OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%') )  -- raw message contains a zip MIME type
ORDER BY tblMsgs.MsgID DESC


It will look for all emails blocked within the past 24 hours and which have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment).

It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to then download the .eml attachment:

http://www.logsat.com/SpamFilter/pub/SpamFilterBlockedZIPs.zip

To adapt to your environment simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
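The quarantine query above finds messages carrying a zip MIME type, and the earlier post asked for a way to key on the file name inside the zip. The following script is an added example, not part of this thread or of SpamFilter ISP: it parses a downloaded .eml, locates zip attachments by MIME type or .zip file name (going slightly beyond the query by also accepting application/octet-stream), lists the archive's member names without extracting anything, and flags members with executable extensions such as "swift copy.exe". The sample message, the sender and recipient addresses, and the extension list are all constructed for the example; the zip's single entry is a text placeholder, not an executable.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# MIME types the quarantine query in this thread matches on, plus
# application/octet-stream, which some mail clients use for .zip attachments.
ZIP_MIME_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}

# Extensions that should not arrive unsolicited inside an archive.
# Assumption: an illustrative list, not SpamFilter's own configuration.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_eml() -> bytes:
    """Construct a synthetic .eml with a zip attachment that contains a file
    named 'swift copy.exe'. The member's content is a harmless text placeholder."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("swift copy.exe", "placeholder text, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "user@example.invalid"          # constructed address
    msg["Subject"] = "Swift copy"
    msg.set_content("Please see the attached swift copy.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="SWIFT_20151022.zip")  # constructed file name
    return msg.as_bytes()


def scan_eml(raw: bytes) -> list:
    """Return one finding per zip attachment: its member names and which of
    them carry an executable extension. Nothing is extracted to disk."""
    findings = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype not in ZIP_MIME_TYPES and not fname.lower().endswith(".zip"):
            continue  # not a zip attachment (multipart containers land here too)
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        finding = {"attachment": fname, "content_type": ctype,
                   "members": [], "suspicious": [], "encrypted": False, "error": None}
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                infos = zf.infolist()
                # Member names stay readable even when contents are encrypted
                # (general-purpose flag bit 0), so the file name check still works.
                finding["encrypted"] = any(zi.flag_bits & 0x1 for zi in infos)
                finding["members"] = [zi.filename for zi in infos if not zi.is_dir()]
        except zipfile.BadZipFile:
            finding["error"] = "attachment is not a valid zip archive"
            findings.append(finding)
            continue
        finding["suspicious"] = [m for m in finding["members"]
                                 if m.lower().endswith(EXECUTABLE_EXTENSIONS)]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_eml(build_sample_eml()):
        print(f)
```

Run against a quarantined .eml downloaded from the .asp pages above, the script reports the archive's member names, so a rule keyed on "swift copy.exe" (or on any executable extension inside a zip) can be applied regardless of how the outer zip is renamed. Because a password-protected zip still exposes its member names, the same check works there, though the contents themselves cannot be scanned.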


