Koozali.org: home of the SME Server

Current practices to block executable attachments?

Michail Pappas
Current practices to block executable attachments?
« on: March 22, 2016, 12:25:01 PM »
I am trying to find out what the best current practices are regarding blocking executable file attachments from SME (via policy/config setting/Clamav/spamassassin or another way). I am interested in both *.exe/*.vbs attachments as well as compressed versions of these files.

For example, I stumbled upon the foxhole databases http://sanesecurity.com/foxhole-databases/ but I am a bit clueless regarding their pros/cons on a production, 200-user mail server.

Any advice on what you use or to what to avoid?

Stefano
Re: Current practices to block executable attachments?
« Reply #1 on: March 22, 2016, 12:39:51 PM »
Use the options in the Email settings page
and, if you want, add other sigs to Clamav.

janet
Re: Current practices to block executable attachments?
« Reply #2 on: March 22, 2016, 02:54:07 PM »
Michail Pappas

Select the file types of attachments you want to block.
This is the text from the Server Manager, Email panel, Executable content blocking screen:

"You can block executable content in e-mail attachments by highlighting the executable attachment types you wish to block. E-mail containing these attachment types will be automatically returned to the sender."
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #3 on: March 22, 2016, 04:08:02 PM »
IIRC, there were no options to block .exe files within archives. Has this changed in 9.1?

Not interested in scanning at all, but rather block unconditionally.

Stefano
Re: Current practices to block executable attachments?
« Reply #4 on: March 22, 2016, 04:13:32 PM »
Block zip files and you're done.

The unofficial sigs DBs can help too in RT email scanning.

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #5 on: March 23, 2016, 07:16:51 AM »
Blocking zips in general will definitely be a problem.

So, the best practice is to add custom rulesets. I'll try that. Main fear is that Locky might pass through somehow, wreak havoc on network shares and tape storage will not work for some reason...

EDIT: Actually, the sanesecurity foxhole_generic.cdb ruleset seems perfect for what I am looking for, which blocks "double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filetypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb."

This way, archives are not blocked in general (they shouldn't need to be).

Has anyone managed to integrate them to SME?
« Last Edit: March 23, 2016, 07:20:06 AM by Michail Pappas »
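The post above describes what foxhole_generic.cdb looks for: archive members whose names end in one of a short list of executable extensions, often behind a double extension such as "invoice.pdf.exe". The following is an added example (not code from the thread or from Sanesecurity) of the same filename-based policy written as a small Python filter for zip attachments. It reads only the member names from the zip's central directory, so nothing is decompressed, and it fails closed on archives it cannot parse. The extension list is the one quoted in the post; the sample archive and its member names are constructed for the demo and contain only placeholder text.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Extension list taken from the foxhole_generic.cdb description quoted in the thread.
DANGEROUS_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk", "cpl", "vb"}

# "name.ext1.ext2" style double extensions, e.g. "invoice.pdf.exe".
DOUBLE_EXT_RE = re.compile(r"^.+\.[a-z0-9]{1,5}\.[a-z0-9]{1,5}$", re.IGNORECASE)


def classify_member(name: str) -> Optional[dict]:
    """Return a finding for a member name that ends in a dangerous extension, else None.

    Only the name from the central directory is examined; nothing is decompressed,
    so the check costs nothing extra on large or deliberately oversized archives.
    """
    if name.endswith("/"):
        return None                      # directory entry, no payload
    base = name.rsplit("/", 1)[-1]       # drop directory components
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[-1].lower()
    if ext not in DANGEROUS_EXTENSIONS:
        return None
    return {
        "member": name,
        "extension": ext,
        "double_extension": bool(DOUBLE_EXT_RE.match(base)),
    }


def scan_archive(data: bytes) -> List[dict]:
    """List every member of a zip (passed as bytes) whose name matches the policy."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            finding = classify_member(info.filename)
            if finding is not None:
                findings.append(finding)
    return findings


def should_block(data: bytes) -> bool:
    """Attachment policy: reject if any member is an executable type.

    An archive that cannot be parsed is rejected too (fail closed), since a
    malformed zip is exactly the kind of attachment that cannot be inspected.
    """
    try:
        return bool(scan_archive(data))
    except zipfile.BadZipFile:
        return True


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: harmless text bodies with names an attachment filter must judge.
SAMPLE_MEMBERS = {
    "report.docx": b"placeholder, not a real document",
    "invoice.pdf.exe": b"placeholder, not a real executable",
    "docs/run.CMD": b"echo placeholder",
}

if __name__ == "__main__":
    sample = build_zip(SAMPLE_MEMBERS)
    for finding in scan_archive(sample):
        print(finding)
    print("block:", should_block(sample))
```

A name-only check like this is cheap and deterministic, which is why it produces few false positives, but it also only sees what the sender chose to name the file; the Sanesecurity databases pair it with content signatures, and it covers zip only, whereas foxhole_generic.cdb also handles Rar, 7Zip, Arj and Cab.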

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #6 on: March 23, 2016, 09:51:02 AM »
Attempted to use the foxhole rulesets, but I could not get the script to download the rulesets. Thinking this was a misconfiguration on my part, I uninstalled the script and configs and installed the contrib from https://wiki.contribs.org/Clamav_unofficial_sigs

It still does not work, but it is a different topic altogether, at https://forums.contribs.org/index.php/topic,52353.0.html

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #7 on: March 29, 2016, 09:19:38 AM »
There's a WAN policy that blocks my rsync attempt, so the case can be closed successfully.

For the record though, and on topic, a kind Sanesecurity fella sent me a mirror's direct links to download the foxhole signatures. I've installed (actually copied directly) 3 of them into /var/clamav and I am already seeing a lot of viruses being blocked. From yesterday:

Code:
...
2016-03-28 14:57:41.124529500 Algorithmic detection enabled.
2016-03-28 14:57:41.124529500 Portable Executable support enabled.
2016-03-28 14:57:41.124529500 ELF support enabled.
2016-03-28 14:57:41.124530500 Mail files support enabled.
2016-03-28 14:57:41.124532500 OLE2 support enabled.
2016-03-28 14:57:41.124533500 PDF support enabled.
2016-03-28 14:57:41.124533500 SWF support enabled.
2016-03-28 14:57:41.124533500 HTML support enabled.
2016-03-28 14:57:41.124537500 Heuristic: precedence enabled
2016-03-28 14:57:41.124537500 Self checking every 1800 seconds.
2016-03-28 14:57:41.124541500 Listening daemon: PID: 21205
2016-03-28 14:57:41.124545500 MaxQueue set to: 100
2016-03-28 15:28:29.916791500 SelfCheck: Database status OK.
2016-03-28 15:59:07.451770500 SelfCheck: Database status OK.
2016-03-28 16:00:40.397461500 /var/spool/qpsmtpd/1459170029:22448:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 16:03:34.229635500 /var/spool/qpsmtpd/1459170208:22496:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:07:02.211004500 /var/spool/qpsmtpd/1459170416:22554:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 16:10:54.178022500 /var/spool/qpsmtpd/1459170649:22644:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:23:43.154610500 /var/spool/qpsmtpd/1459171418:22838:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:25:29.697447500 /var/spool/qpsmtpd/1459171524:22853:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:32:59.601086500 SelfCheck: Database status OK.
2016-03-28 16:34:43.328232500 /var/spool/qpsmtpd/1459172078:22928:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:51:52.631865500 /var/spool/qpsmtpd/1459173107:23203:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:57:22.511869500 /var/spool/qpsmtpd/1459173437:23274:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 17:06:58.013503500 SelfCheck: Database status OK.
2016-03-28 17:08:14.422651500 /var/spool/qpsmtpd/1459174089:23446:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 17:44:55.062072500 SelfCheck: Database status OK.
2016-03-28 17:59:57.405862500 /var/spool/qpsmtpd/1459177191:24122:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 18:15:24.140076500 SelfCheck: Database status OK.
2016-03-28 18:18:59.091598500 /var/spool/qpsmtpd/1459178334:24370:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 18:48:06.062134500 SelfCheck: Database status OK.
2016-03-28 18:52:24.858641500 /var/spool/qpsmtpd/1459180339:24716:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 18:57:22.766861500 Reading databases from /var/clamav
2016-03-28 18:57:33.650366500 Database correctly reloaded (4297777 signatures)
2016-03-28 19:28:46.152805500 SelfCheck: Database status OK.
2016-03-28 20:08:47.477592500 SelfCheck: Database status OK.
2016-03-28 20:42:21.019097500 SelfCheck: Database status OK.
2016-03-28 21:16:19.812025500 SelfCheck: Database status OK.
2016-03-28 21:47:03.506131500 SelfCheck: Database status OK.
2016-03-28 22:22:07.010233500 SelfCheck: Database status OK.
2016-03-28 23:07:20.512410500 SelfCheck: Database status OK.
2016-03-28 23:39:10.186538500 SelfCheck: Database status OK.
2016-03-28 23:46:01.837694500 /var/spool/qpsmtpd/1459197951:27208:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 23:56:21.608978500 /var/spool/qpsmtpd/1459198575:27241:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
...

I used the low false-positive foxhole_filename.cdb, foxhole_generic.cdb and sanesecurity.ftm only. For more information regarding these files, see http://sanesecurity.com/foxhole-databases/
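The clamd log quoted above is where the effect of the added databases becomes visible: every hit from a third-party database carries the .UNOFFICIAL suffix, while reload lines report the total signature count. The following added example (not code from the thread, SME Server or ClamAV) parses lines in that format and aggregates them by signature, source and hour, which is the summary an administrator would want when judging whether the new databases are firing and how often. The sample log embedded in the block is constructed in the same format as the post's log; its paths and queue ids are made up, and an Eicar-Test-Signature line is included only so that an official (non-.UNOFFICIAL) detection is exercised.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List, Optional

# clamd detection line, as in the thread's log: "<timestamp> <path>: <signature> FOUND"
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<path>\S+): (?P<sig>\S+) FOUND$"
)
# Database reload line, which reports the total loaded signature count.
RELOAD_RE = re.compile(r"Database correctly reloaded \((?P<count>\d+) signatures\)")


def parse_found(line: str) -> Optional[dict]:
    """Parse one clamd log line; return a detection record, or None for non-detections."""
    m = FOUND_RE.match(line.strip())
    if m is None:
        return None
    sig = m.group("sig")
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "path": m.group("path"),
        "signature": sig,
        # Third-party databases name their signatures with an .UNOFFICIAL suffix.
        "unofficial": sig.endswith(".UNOFFICIAL"),
        "source": sig.split(".", 1)[0],      # e.g. "Sanesecurity"
    }


def summarize_clamd_log(lines: List[str]) -> dict:
    """Aggregate detections by signature, source and hour; record the last reload size."""
    summary = {
        "found": 0,
        "unofficial": 0,
        "official": 0,
        "by_signature": Counter(),
        "by_source": Counter(),
        "per_hour": Counter(),
        "first": None,
        "last": None,
        "signatures_loaded": None,
    }
    for line in lines:
        reload = RELOAD_RE.search(line)
        if reload:
            summary["signatures_loaded"] = int(reload.group("count"))
            continue
        rec = parse_found(line)
        if rec is None:
            continue                     # SelfCheck, startup and other informational lines
        summary["found"] += 1
        summary["unofficial" if rec["unofficial"] else "official"] += 1
        summary["by_signature"][rec["signature"]] += 1
        summary["by_source"][rec["source"]] += 1
        summary["per_hour"][rec["time"].strftime("%Y-%m-%d %H")] += 1
        if summary["first"] is None or rec["time"] < summary["first"]:
            summary["first"] = rec["time"]
        if summary["last"] is None or rec["time"] > summary["last"]:
            summary["last"] = rec["time"]
    return summary


# Constructed sample in the same format as the post's log: paths and queue ids are made up,
# and the Eicar line is included so that an official (non-.UNOFFICIAL) hit is exercised.
SAMPLE_LOG = """\
2016-03-28 15:59:07.451770500 SelfCheck: Database status OK.
2016-03-28 16:00:40.397461500 /var/spool/qpsmtpd/1459170029:22448:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 16:03:34.229635500 /var/spool/qpsmtpd/1459170208:22496:0: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND
2016-03-28 16:07:02.211004500 /var/spool/qpsmtpd/1459170416:22554:0: Sanesecurity.Foxhole.Zip_fn121.UNOFFICIAL FOUND
2016-03-28 16:10:54.178022500 /var/spool/qpsmtpd/1459170649:22644:0: Eicar-Test-Signature FOUND
2016-03-28 18:57:33.650366500 Database correctly reloaded (4297777 signatures)
"""

if __name__ == "__main__":
    s = summarize_clamd_log(SAMPLE_LOG.splitlines())
    print(f"{s['found']} detections ({s['unofficial']} from unofficial databases)")
    for sig, n in s["by_signature"].most_common():
        print(f"  {n:4d}  {sig}")
```

Run it against /var/log/clamd/current (or wherever clamd writes on the installation) by reading the file's lines instead of SAMPLE_LOG; the per-signature counts are also the quickest way to spot a single unofficial signature that suddenly dominates, which is the usual sign of a false-positive signature that should be reviewed before more databases are enabled.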

nicolatiana
Re: Current practices to block executable attachments?
« Reply #8 on: March 29, 2016, 03:26:03 PM »
I discovered that there are a few db variables concerning Clamav Unofficial Signatures (CUS), something like:
Quote:
config setprop clamav-unofficial-sigs foxhole_generic.cdb ss foxhole_filename.cdb ss
expand-template /etc/clamav-unofficial-sigs/clamav-unofficial-sigs.conf
The CUS wiki page https://wiki.contribs.org/Clamav_unofficial_sigs should be completed with useful db commands like the above and/or other ones.
Consultant at Smeserver.it - Solutions and support for SME Server in Italy.

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #9 on: March 29, 2016, 04:47:10 PM »
Certainly. Problem is that I can not carry out any tests with these settings.

Additionally, there was/is a thread in the forums here and an accompanying bug report, asking for the contrib to be updated with the latest version of the script. If this is done, the new databases will be directly included, as well as the capability to utilize the malwarepatrol and securiteinfo databases. As is, they can not be used, since the last two have gone the free-register way unfortunately.

Granted, the existing contrib could be partially utilised, even by those lacking script knowledge (like me). But perhaps it would be better to enhance the contrib, provided the dev who made it has free time to do so...

Michail Pappas
Re: Current practices to block executable attachments?
« Reply #10 on: March 30, 2016, 01:35:41 PM »
Additionally, there was/is a thread in the forums here and an accompanying bug report, asking for the contrib to be updated with the latest version of the script.

The related thread: https://forums.contribs.org/index.php/topic,52217.0.html