Spam Filter ISP Support Forum


Help suggestion to filter virus

LogSat
Admin Group

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Posted: 22 October 2015 at 10:00pm
When there are waves of viruses like the one you are seeing, most of the time some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens because other filters detect the malicious emails based on the IP and/or email address of the sender.

In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:

-- Quarantined messages from the last 24 hours whose MIME body advertises a zip attachment
SELECT TOP (100) tblMsgs.MsgID, tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc, tblQuarantine.RejectDetails,
       tblQuarantine.QuarID, tblQuarantine.EmailFrom, tblQuarantine.Subject, tblMsgs.Msg
FROM tblRejectCodes
     INNER JOIN tblQuarantine  ON tblRejectCodes.RejectID = tblQuarantine.RejectID
     INNER JOIN tblContentType ON tblQuarantine.MsgID    = tblContentType.MsgID
     INNER JOIN tblMsgs        ON tblContentType.MsgID   = tblMsgs.MsgID
WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24)
  AND ((tblMsgs.Msg LIKE N'%application/zip%') OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%'))
ORDER BY tblMsgs.MsgID DESC


It looks for all emails blocked within the past 24 hours that have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment).

It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to then download the .eml attachment:

http://www.logsat.com/SpamFilter/pub/SpamFilterBlockedZIPs.zip

To adapt it to your environment, simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
meatboy
Newbie


Joined: 26 June 2006
Status: Offline
Points: 18
Posted: 22 October 2015 at 6:21pm
Hi Roberto,

That could be a bit tricky to get a copy of. The end user's desktop AV picks it up.
Here is Trend Micro's alert, if that helps:

Virus/Malware: TROJ_ZEMOT.XXTVT
Endpoint: PC
Domain: xxxxxxxx
File: C:\Users\PC\AppData\Local\Microsoft\Windows Live Mail\EE China -  66f\???\7CE64DB9-0010A22C.eml (swift copy.exe)
Date/Time: 22/10/2015 8:29:26
Result: Unable to send the quarantined file to the designated quarantine folder

I was hoping for perhaps some kind of keyword that would pick up the file name within the zip file?
One other issue I may have is this could be coming from a whitelisted user but I can clear out the whitelist and manually check them.

thanks

LogSat
Admin Group
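As an added example (not code from this thread, from LogSat or from SpamFilter itself), assuming the quarantined messages have been downloaded as raw .eml files as Roberto describes above, the following Python script does what Tim is asking for: it finds attachments carrying the two zip content types used in the query and lists the file names inside each zip, flagging executable members such as "swift copy.exe" without extracting anything. The sample message, its zip content and the extension list are constructed here for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The two content types the SQL query in this thread matches on.
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")  # constructed list

def zip_members_in_eml(raw_bytes):
    """Return {attachment filename: [member names]} for every zip attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_type() not in ZIP_CONTENT_TYPES:
            continue
        payload = part.get_payload(decode=True)  # base64-decoded attachment bytes
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()  # reads the central directory only, extracts nothing
        except zipfile.BadZipFile:
            names = ["<not a valid zip>"]  # mislabelled or truncated attachment
        found[part.get_filename() or "<unnamed>"] = names
    return found

def suspicious_members(raw_bytes):
    """Return (attachment, member) pairs whose member name ends in a flagged extension."""
    hits = []
    for attachment, names in zip_members_in_eml(raw_bytes).items():
        for name in names:
            if name.lower().endswith(SUSPICIOUS_EXTENSIONS):
                hits.append((attachment, name))
    return hits

def build_sample_eml():
    """Constructed sample: a message carrying a zip that holds 'swift copy.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("swift copy.exe", b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Swift copy"
    msg.set_content("Please find the attached swift copy.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="SWIFT-4431.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in suspicious_members(build_sample_eml()):
        print(f"{attachment}: contains {member}")
```

To run it over a real quarantine export, read each .eml with open(path, "rb").read() and pass the bytes to suspicious_members.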

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Posted: 22 October 2015 at 8:23am
Tim, if you can forward the zip to us at support at logsat dot com we'll have the virus added to the definition updates within a few hours.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
meatboy
Newbie


Joined: 26 June 2006
Status: Offline
Points: 18
Posted: 22 October 2015 at 1:43am
Hi,
I have a user who is regularly getting an email bearing a zipped attachment. The attachment contains a file "swift copy.exe", which is the virus payload. The zip file seems to change name and I cannot block zip files. We do have virus checking within Spamfilter ISP active, but it does not seem to pick it up.

Is there any suggestion on how to block this?

Thank you.

Tim