MSFCS not detecting malware

  • Question

  • I installed MSFCS with the clientsetup /nomom option on a remote Windows 2003 server (leased from GoDaddy).

    I have received 13 emails in the last 3 days with a zip attachment asking the recipient to install a file that exists inside the attachment.

    MSFCS does not detect any threats in those emails (Real Time Protection is on).

    If I run a manual scan, the result is the same: No threats.

    I decided to send a sample to Microsoft Malware Protection Center.
    They answered:

    If you were to scan the files you submitted using Microsoft's Forefront Client Security product, you would see relevant detection information similar to what is displayed below.
    The detection results for the file(s) in your submission are as follows:
    Submitted Files
    =============================================
    B0001714884-nws1.msg [Trojan:Win32/Oficla.E]
    +---(part0002_module.zip) [Trojan:Win32/Oficla.E]
    +---utility.ex_ [Trojan:Win32/Oficla.E]

    I checked my MSFCS setup and everything seems to be ok.
         Real time protection is on.
         Antivirus definition version is 1.71.26.0
         Check for updated definitions before scanning is checked.
         Scan the contents of archived files and folders for potential threats is checked.
    I checked and both the Antimalware and State Assessment services are running.

    The emails are being filtered by my mail server as spam, so I have access to the original files.

    The messages are in files with the .msg extension.

    I copied them to a new folder and ran a manual scan again. MSFCS says there is no threat in any of the 13 files.

    As you can imagine, this is worrying me, a lot.

    Any ideas about what can be the problem?

    Thanks,
    Thursday, November 19, 2009 4:57 PM

Answers

  • The problem was not the FCS definitions.

    I got the malware to be detected:

    On the server:
         I copied the email file into my inbox.
         I opened it using IE through my web mail interface.
         When I tried to save the zip file to the server file system, FCS detected and deleted the malware.

    On my PC:
        I copied the email file into my inbox (on the server).
        I retrieved the email using Outlook.
        I saved the zip file to my PC file system (no MSE action was triggered).
        I right-clicked the zip file and selected a manual scan on it.
        Microsoft Security Essentials detected and deleted the malware.

    My conclusion is that FCS and MSE were not able to "see through" the email envelope.

    It would be better if they could do it, and did not have to wait for the zip file to be in the file system.

    Thanks for the help.
    • Marked as answer by SergioTorres Saturday, November 21, 2009 12:15 AM
    Saturday, November 21, 2009 12:09 AM

All replies

  • I added the files to a zip file and downloaded them to my PC.

    I extracted the files under my documents\new folder.

    I ran a manual scan using Microsoft Security Essentials.

    The result was the same: No threats.

    ?
    Thursday, November 19, 2009 5:03 PM
  • Hi,

    Thank you for the post.

    Please connect to Microsoft Update to update the FCS definitions and re-scan the files to see if it works.

    Regards,

    Nick Gu - MSFT
    Friday, November 20, 2009 6:21 AM
    Moderator
  • FCS DOES NOT scan inside any compressed/zipped files on REALTIME scanning. This is not an option on real-time scanning either. The performance hit would be too high and CPU-intensive to extract/scan the contents of anything that is considered a compressed archive on the system, which is why we leverage this only on manual scans. This feature should be in the next release of FEP, but the current FCS version doesn't support scanning within compressed files.
    John
    Tuesday, September 7, 2010 8:00 PM
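Added example, not code from the thread, from Microsoft or from FCS: a small Python triage script for the situation the accepted answer and John's reply describe, where the real-time scanner does not look inside archives and the payload only gets caught once the inner file lands on disk. It walks a zip attachment recursively, lists every member, and flags anything that looks executable (a PE "MZ" header or an executable extension, including the renamed .ex_ form that appears in the Malware Protection Center report), so an administrator knows which attachments need an on-demand scan before anyone opens them. Nesting depth and member size are capped so a crafted archive cannot tie the tool up. The sample archive is constructed inline and only borrows the file names from the report; its "MZ" stub is inert padding, not a binary. Function and constant names are my own assumptions.

```python
"""Triage nested zip attachments so nothing hides behind an archive layer.

Added example (not the thread's code): recursively enumerate the members of a
zip, flag executable payloads by PE header or extension, and cap nesting depth
and member size so a crafted archive cannot exhaust the tool.
"""
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly, plus the renamed form (.ex_) seen in the thread's report.
EXEC_EXTENSIONS = {".exe", ".ex_", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"                     # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"            # local file header that opens a zip archive
MAX_DEPTH = 3                        # archives nested deeper than this are reported, not opened
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # members larger than this are reported, not read (zip-bomb guard)


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list[dict]:
    """Return one finding per suspicious member of the zip in `data` and of any zip nested in it.

    Paths use '!/' to mark an archive boundary, e.g. 'outer.zip!/inner.exe'.
    A non-zip input yields no findings rather than an exception.
    """
    findings: list[dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": name, "reason": "member too large to inspect"})
                continue
            try:
                blob = zf.read(info)
            except RuntimeError:  # password-protected member: content cannot be inspected
                findings.append({"path": name, "reason": "encrypted member"})
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            # Check the bytes, not just the name: a renamed executable still starts with 'MZ'.
            if blob[:2] == PE_MAGIC or ext in EXEC_EXTENSIONS:
                findings.append({"path": name, "reason": "executable content"})
            if blob[:4] == ZIP_MAGIC:
                if depth < MAX_DEPTH:
                    findings.extend(inspect_archive(blob, depth + 1, name + "!/"))
                else:
                    findings.append({"path": name, "reason": "nested archive beyond depth limit"})
    return findings


def _zip_bytes(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample mirroring the thread's layout: a zip holding part0002_module.zip,
    which holds a renamed executable next to a benign text file. The 'MZ' stub is inert padding."""
    inner = _zip_bytes({
        "utility.ex_": PE_MAGIC + b"\x00" * 62,
        "readme.txt": b"please run the attached utility\n",
    })
    return _zip_bytes({"part0002_module.zip": inner})


def build_deep_sample(levels: int) -> bytes:
    """Constructed zip nested `levels` deep, to exercise the depth cap."""
    data = _zip_bytes({"payload.exe": PE_MAGIC + b"\x00" * 62})
    for i in range(levels):
        data = _zip_bytes({f"layer{i}.zip": data})
    return data


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_attachment()):
        print(f"{finding['reason']:<36} {finding['path']}")
    for finding in inspect_archive(build_deep_sample(5)):
        print(f"{finding['reason']:<36} {finding['path']}")
```

Run over the attachments pulled from the spam folder, the output is a list of members that warrant an on-demand scan, which is the step the accepted answer found actually triggers detection. It is a listing tool, not a scanner: a finding means "scan this before anyone double-clicks it", not a verdict, and an encrypted or over-deep member is reported precisely because the tool could not look at it.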