
Help suggestion to filter virus

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
Printed Date: 22 February 2024 at 11:49pm

Topic: Help suggestion to filter virus
Posted By: meatboy
Subject: Help suggestion to filter virus
Date Posted: 22 October 2015 at 1:43am
I have a user who is regularly getting an email bearing a zipped attachment. The attachment contains a file "swift copy.exe" which is the virus payload. The zip file's name seems to change and I cannot block zip files. We do have virus checking within Spamfilter ISP active but it does not seem to pick it up.

Is there any suggestion on how to block this?

Thank you.


Posted By: LogSat
Date Posted: 22 October 2015 at 8:23am
Tim, if you can forward the zip to us at support at logsat dot com we'll have the virus added to the definition updates within a few hours.

Roberto Franceschetti - LogSat Software - Spam Filter ISP

Posted By: meatboy
Date Posted: 22 October 2015 at 6:21pm
Hi Roberto,

That could be a bit tricky, as getting a copy is hard: the end user's desktop AV picks it up.
Here is Trend Micro's alert, if that helps:


Endpoint: PC
Domain: xxxxxxxx
File: C:\Users\PC\AppData\Local\Microsoft\Windows Live Mail\EE China -  66f\???\7CE64DB9-0010A22C.eml (swift copy.exe)
Date/Time: 22/10/2015 8:29:26
Result: Unable to send the quarantined file to the designated quarantine folder


I was hoping for perhaps some kind of keyword that would pick up the file name within the zip file?
One other issue I may have is this could be coming from a whitelisted user but I can clear out the whitelist and manually check them.


Posted By: LogSat
Date Posted: 22 October 2015 at 10:00pm
When there are waves of viruses like the one you are seeing, most of the time some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens because other filters will detect the malicious emails based on the IP and/or email address of the sender.

In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:

SELECT TOP (100) tblMsgs.MsgID, tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc, tblQuarantine.RejectDetails,
       tblQuarantine.QuarID, tblQuarantine.EmailFrom, tblQuarantine.Subject, tblMsgs.Msg
FROM tblRejectCodes
     INNER JOIN tblQuarantine ON tblRejectCodes.RejectID = tblQuarantine.RejectID
     INNER JOIN tblContentType ON tblQuarantine.MsgID = tblContentType.MsgID
     INNER JOIN tblMsgs ON tblContentType.MsgID = tblMsgs.MsgID
WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24)
  AND ((tblMsgs.Msg LIKE N'%application/zip%') OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%'))


It will look for all emails blocked within the past 24 hours and which have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment).

It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to then download the .eml attachment:

To adapt to your environment simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.

Roberto Franceschetti - LogSat Software - Spam Filter ISP
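The keyword approach asked about above cannot work on the raw message, because a zip attachment travels base64-encoded, so "swift copy.exe" never appears in tblMsgs.Msg; the query above can only match the MIME type. The following script is an added example (not LogSat's code or part of the .asp pages): it takes a quarantined .eml, decodes each zip attachment in memory, reads the archive's file list and flags executable members. The message, sender and attachment name are constructed; only the inner file name "swift copy.exe" comes from the thread.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The two MIME types SpamFilter's quarantine query looks for
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
# Extensions that should not arrive inside an emailed archive (assumed list)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_eml() -> bytes:
    """Constructed test message: a zip attachment holding 'swift copy.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("swift copy.exe", b"MZ-not-a-real-binary")  # harmless stand-in
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Swift copy"
    msg.set_content("Please see attached swift copy.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SWIFT_7CE64DB9.zip")
    return msg.as_bytes()


def suspicious_archive_members(raw_eml: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, inner file name) for executables inside zip
    attachments. These inner names are invisible to a keyword filter on the
    stored message because the archive is base64-encoded on the wire."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ZIP_TYPES:
            continue
        data = part.get_payload(decode=True)  # undo the base64 transfer encoding
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()  # central directory only; nothing is extracted
        except zipfile.BadZipFile:
            continue  # corrupt or not really a zip; leave it to the AV scanner
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                hits.append((part.get_filename() or "<unnamed>", name))
    return hits


if __name__ == "__main__":
    for att, inner in suspicious_archive_members(build_sample_eml()):
        print(f"attachment {att!r} contains executable {inner!r}")
```

Pointing it at the .eml files exported from the quarantine gives a per-message list of archive members, which is what a filename-based rule would need to act on.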
