Koozali.org: home of the SME Server

Block file types within zip files

Offline pizzaco

Block file types within zip files
« on: April 04, 2013, 06:19:34 PM »
I'm seeing malware that is compressed inside zip file attachments, which is effectively bypassing the content-type blocking that I have setup. For business reasons, I cannot block zip files.

I've checked the docs wiki and in Server-Manager, but haven't found a way to enable blocking inside of zip files. Am I missing something?

If not, is there any other way to block contents of zip files based on file-type, perhaps using a non-standard config or an extra software package?

Offline Stefano

Re: Block file types within zip files
« Reply #1 on: April 04, 2013, 07:45:50 PM »
AFAIK clamav should scan zip files too (only if they are not password protected)

Offline pizzaco

Re: Block file types within zip files
« Reply #2 on: April 04, 2013, 08:37:12 PM »
This is zero-day type stuff where the definitions haven't been created yet. Since there's always going to be a lag between new malware and the definitions to detect it, I'd like to just stop it outright (with the understanding that I could be blocking legit attachments).

Offline janet

Re: Block file types within zip files
« Reply #3 on: April 05, 2013, 02:35:23 AM »
pizzaco

Quote
For business reasons, I cannot block zip files......, but haven't found a way to enable blocking inside of zip files.

The executable content blocking method sees the attachment as a zip file, so you must block zip files if you want to "block" other executable content that is within the zip file.

You need to adopt a different approach.

One approach to minimise exposure is to block ZIPv1, which are far more prevalent as viruses, and allow ZIPv2, which is a newer format being used more so these days & seems to be less prevalent with viruses.

Alternatively block all zip files, ZIPv1 & ZIPv2, & ask people to send rar files.
Make that your system policy for security reasons; you have to decide which is worse, the damage & disruption caused by a virus infection, or user disruption due to being unable to send zip files (for which other methods exist). Some re-education of your users is required here.

WinRAR or similar is easily available & does compress to zip or rar formats, so for a user creating source zip or rar format files, there is very little difference for them to do.

You can also create a webshare or webdav (or similar) upload site so users who must or can only send zip files can upload them to your server securely instead of emailing them. Then you can scan them when retrieving from the upload site.

Another approach is to have an external email account that you collect mail from using POP, and when any external users say they are unable to send to your normal email address, you ask them to use this special email address just for sending zip attachments. I suggest you do not freely advertise this address, you only give it to people on an "as needed" basis & monitor it carefully with anti-virus software on the workstation that accesses the POP account.

The methods outlined above work satisfactorily for me in a business environment.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline pizzaco

Re: Block file types within zip files
« Reply #4 on: April 09, 2013, 05:53:21 PM »
Thanks for the suggestions. After discussing with my manager, we're going to have to keep allowing ZIP files due to business needs. I'm wondering if a custom clam signature would do the trick here.

Offline janet

Re: Block file types within zip files
« Reply #5 on: April 09, 2013, 09:49:34 PM »
pizzaco

Quote
I'm wondering if a custom clam signature would do the trick here.

I think clam does scan within archive files, but if the definition does not yet exist then it will not find the embedded virus.
You can write your own signatures, but that is going to keep you very busy chasing new viruses, it does not sound practical to me.

Offline pizzaco

Re: Block file types within zip files
« Reply #6 on: April 09, 2013, 10:30:09 PM »
I'm thinking along the lines of a generic signature that matches against all Windows exes. The downside is that the nightly clam scan would detect/quarantine any exe file on the server's hard drive. For our purposes, that probably wouldn't be an issue because we don't use it as a file server or store anything on it besides email.
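As an added example (not from this thread or from SME Server), a small Python check of the kind the original question asks for: it looks inside a zip attachment, flags executable extensions and the MZ header that every Windows executable starts with (so a renamed .exe is still caught), recurses into nested zips with a depth limit, and treats password-protected members as unscannable, the gap Stefano's reply points out. The extension list, limits and sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed extension list (not SME Server's own config) of types the mail
# content-type blocking would normally stop, had they not been zipped.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"         # DOS/PE header present in every Windows executable
MAX_DEPTH = 3            # nested zips deeper than this are rejected, not unpacked
MAX_MEMBER = 20_000_000  # refuse to unpack nested archives larger than this


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return reasons to block the attachment; an empty list means none found."""
    if depth > MAX_DEPTH:
        return ["nested too deep"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    reasons = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            # Flag bit 0 marks an encrypted member; no scanner can look inside it.
            if info.flag_bits & 0x1:
                reasons.append(f"{name}: encrypted member, cannot be scanned")
                continue
            if any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS):
                reasons.append(f"{name}: executable extension")
            with zf.open(info) as member:
                head = member.read(2)
            # Magic bytes catch an .exe that was renamed to a harmless extension.
            if head == PE_MAGIC:
                reasons.append(f"{name}: PE header (MZ)")
            elif head == b"PK" and info.file_size <= MAX_MEMBER:
                inner = inspect_zip(zf.read(info), depth + 1)
                reasons.extend(f"{name}/{r}" for r in inner)
    return reasons


def build_sample() -> bytes:
    """Constructed attachment: a text file, a PE stub renamed .txt, a nested zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 64)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("report.txt", b"MZ" + b"\x00" * 64)  # executable renamed to .txt
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

Running `inspect_zip(build_sample())` reports the renamed stub and both findings for the nested invoice.exe while leaving readme.txt alone; in a mail pipeline the non-empty list is the signal to reject or quarantine the message.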

Offline purvis

Re: Block file types within zip files
« Reply #7 on: April 10, 2013, 01:29:36 PM »
I am not so sure clamav does a very good job on zipped or archived files in emails.
After running other scanning software against emails and other server files located in the ibays, the scanners picked up files that should have been flagged by clamav for sure.
And I also saw warnings about some archived files even being encrypted from other antivirus software. Clamav never showed those warnings.
Actually one virus software scan with other software took over 12 hours and that other software seemed to be about the same speed as ClamAV took with the same files.
So for me, I am definitely questionable about how effective ClamAV is. For a first scan, Clamav might be a quick first choice to use. If ClamAV's file scan allows a file to get past it, I am not too sold on the file being trustworthy from my testing.