Inconsistent File Types Removal from .ZIP files

  • Question

  • Antigen 9.2.1097 SP2 on a Win2K3 SMTP gateway.

    I'm having intermittent issues with specified file types not being consistently removed from .ZIP file attachments.

    For example, one .ZIP file attachment that contains an .SCR or .EXE file compressed within it might have the .SCR or .EXE file removed and replaced by the .TXT file that advises the user that the file has been quarantined.

    However others are going STRAIGHT THROUGH and directly into the user's inbox!  Just waiting for them to open the .ZIP file and double-click on the .EXE or .SCR file to get infected.

    The strangest thing to me is that sometimes they are removed and sometimes they are not.  Although in the "General Options" I have "Skip Content Filtering for Allowed Mailhosts" enabled, I have verified this is happening with messages coming in from domains and IP addresses that are NOT specified on any safe sender list, and so am stumped by this seemingly intermittent behavior.  I also cannot seem to find any mention of anyone else having this issue.

    Does anyone have any idea what's going on?  Thanks.


    Sam

    Monday, May 19, 2014 2:34 PM

All replies

  • Hi,
    Based on the scan order when Antigen scans an e-mail message, if the allowed senders list functionality is enabled and a message is from a domain or address in the allowed senders list or allowed mailhosts list, the message is delivered to the recipient and the attachment scan is bypassed. I recommend you check the above lists to make sure those senders are not in them.
    In addition, have you received any related error message in the event log, or any record in the incidents database and quarantine database?
    Best regards,
    Susie


    Thursday, May 22, 2014 6:45 AM
    Moderator
  • Hi Susie,

    I do know about the scan order and have scoured the "Allowed Senders" and "Allowed Mailhosts" lists to verify I'm not 'allowing' these messages to pass scan verification.

    I am off now to check the Windows event logs for any messaging related to the timestamps of the numerous samples of messages I have collected which did not have the .SCR and/or .EXE files stripped out of their .ZIP attachments at the times these samples came in.  However, before I started that I wanted to write back to you because I'm not sure where to go for the 'incidents' or 'quarantine' databases.  Can you point me in the right direction, Susie?

    Also on a related note I have attempted to use "Rejected Mailhosts" lists to block messages from IP address ranges that never send us anything but bad messages.  However I have not been able to find a way to specify actual ranges or blocks and so far have had to import hundreds of thousands of individual IP addresses into Rejected Mailhosts lists and this is very cumbersome to say the least.

    For example some ISPs have entire blocks of residential ADSL addresses, none of which should be directly sending me anything via SMTP.  Is there any way to specify that entire block for rejection as opposed to individual IPs?  Because specifying individual IPs as they send spam is pretty useless: spammers are sending one message per infected IP on a /16 (65536 IP addresses) or even GREATER address block.  And all this from places we never receive legitimate mail from in the first place.  If I could block these ranges effectively it would cut down enormously on the amount of these malicious payloads that are creeping in.

    Thanks so much,

    Sam




    • Edited by HN_Support Thursday, May 22, 2014 2:33 PM Missing word.
    Thursday, May 22, 2014 2:32 PM
  • Actually Susie I just realized what you meant by "Incidents" and "Quarantine" database - I was thinking these would be special files somewhere but they are just the "Incidents" and "Quarantine" sections of the "Report" module in Antigen Administrator aren't they?

    So just ignore that question and I'll look at those plus the event logs to see if I can spot anything and report back to you.  In the meantime I'm still interested to know if there's a way to block IP address ranges.

    Thanks!


    Sam

    Thursday, May 22, 2014 2:46 PM
    Susie, I figured it out: I should be using the PBL list as a rejected mail host as opposed to trying to enter all these IP addresses myself.

    Since these messages we've been getting, which contain infections that intermittently aren't being removed from within attached .ZIP files, are coming mostly from IP addresses in the PBL, I can solve the problem that way.

    Thanks again but I'm going to mark this reply to myself as the answer because I think it's the right approach to the problem.


    Sam

    • Marked as answer by HN_Support Sunday, May 25, 2014 5:48 PM
    • Unmarked as answer by HN_Support Wednesday, May 28, 2014 10:58 AM
    Sunday, May 25, 2014 5:47 PM
  • Hi,

    Good to hear that you have solved this issue. In addition, thanks for sharing so that it would be helpful to anyone who encounters similar issue.

    Have a good day!

    Best regards,

    Susie

    Monday, May 26, 2014 1:30 AM
    Moderator
  • Hi Susie,

    I'm sorry to say that this problem is not solved at all.  Last night around 10:30PM a number of my staff just got a message STRAIGHT THROUGH into their inboxes which contained a .ZIP file which has a .SCR file embedded straight within it and as far as I can tell it got through THREE antigen scanning functions.

    First of all here's a copy of the header with the actual recipient addresses and domain name obfuscated out for privacy:

    ------------------------------------------------------------------

    Received: from smtp2.ourdomain.ca (192.168.74.153) by SV007.OPC.ON.CA
     (192.168.73.157) with Microsoft SMTP Server id 14.3.181.6; Tue, 27 May 2014
     22:30:08 -0400
    Received: from localhost ([222.253.28.180]) by smtp2.ourdomain.ca with
     Microsoft SMTPSVC(6.0.3790.4675);     Tue, 27 May 2014 22:30:05 -0400
    Received: from 222.253.28.180(helo=dkymgyrxdlvcu.lqfcpag.ru) by localhost with
     esmtpa (Exim 4.69) (envelope-from ) id 1MM22Z-5350tf-2C for
     user@ourdomain.ca; Wed, 28 May 2014 09:30:06 +0700 Received: from
     222.253.28.180 (account fraud@aexp.com HELO ayxmdybmlfaz.gywoplwdcxerw.ua) by
     localhost (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 932256322 for
     user@ourdomain.ca; Wed, 28 May 2014 09:30:06 +0700
    Date: Wed, 28 May 2014 09:30:06 +0700
    From: Franklin.Meier <Franklin.Meier@citibank.com>
    X-Mailer: The Bat! (v2.00.2) Business
    X-Priority: 3 (Normal)
    Message-ID: <2495676399.J09GM84M501506@rornne.wytikggiid.su>
    To: <user@ourdomain.ca>, <user2@ourdomain.ca>,
        <d761d8b@ourcomain.ca>, <de9707c4@ourdomain.ca>,
        <emailuser3@ourdomain.ca>, <fuctw78kgngomlo@ourdomain.ca>,
        <fzdxerdqz@ourdomain.ca>, <user4@ourdomain.ca>,
        <user5@ourdomain.ca>, <jobs@ourdomain.ca>,
        <user6@ourdomain.ca>, <user7@ourdomain.ca>,
        <leadershipaward@ourdomain.ca>, <user8@ourdomain.ca>
    Subject: Loan Approved
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------95D8838FD348E6A1"
    Return-Path: fraud@aexp.com
    X-OriginalArrivalTime: 28 May 2014 02:30:06.0814 (UTC) FILETIME=[BD26BFE0:01CF7A1C]
    X-MS-Exchange-Organization-AuthSource: SV007.OPC.ON.CA
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: citibank.com
    X-MS-Exchange-Organization-SenderIdResult: SoftFail
    Received-SPF: SoftFail (SV007.OPC.ON.CA: domain of transitioning
     Franklin.Meier@citibank.com discourages use of 222.253.28.180 as permitted
     sender)
    ----------------------------------------------------

    As I said this was around 10:30PM last night.  When I go into the incident log of antigen I see five other messages which tried to come in between 10:30:19 and 10:38:43 with the subject of "Loan Approved" from various @citibank.com addresses that were blocked straight away by CloudMark.

    Therefore from this I KNOW for a fact that I do not have the citibank.com domain white listed anywhere otherwise these other five messages would have made it through without CloudMark blocking them wouldn't they, Susie?

    Here's another thing:  while the source IP address 222.253.28.180 wasn't listed in the XBL until a couple hours after I received this message that entire 222.253.0.0/19 block is listed in the PBL as you can see for yourself at http://www.spamhaus.org/query/ip/222.253.28.180.  I mention this because I have this installation of Antigen for SMTP gateway configured to use both the XBL and PBL block lists AND I have seen it use them to successfully block other messages that were on those lists!

    This is an address block I would have no reason to white list, and also a review of my Allowed Mailhosts lists shows no IP address above the 217.110.0.0/15 block range.  (i.e. I am not white listing 222.253.28.180)

    So in summary there's up to 3 scans that antigen completely missed on this message:

    1) Potentially CloudMark because there were 5 other messages very much like this one blocked around the same time this one came in.

    2) Most likely the PBL list.  While I didn't check AT the time this message came in, it's pretty unlikely that block was not listed at that time.  Also in other situations I HAVE seen messages like this skipped and immediately checked to see that they were on the PBL AT THE TIME they came in! and...

    3) ABSOLUTELY definitely it missed stripping the .SCR file out of the .ZIP attachment! I see it stripping other .SCR's out of other .ZIP attachments all day long.  Why did it miss this one?

    Again - this isn't the first time Susie and it's apparently intermittent.  I'm writing back to you with all these details to see if you can think of something else?  How can Antigen just be mysteriously skipping over a known bad message every now and again?

    Background: Installed to a Wk3 SP2 server with all the updates in a DMZ.  Antigen for SMTPS's is the only application installed to that server and there are no antivirus programs installed to it.

    Do you have any ideas what I can do about this, Susie?  These malicious payloads are getting straight through to my users' inboxes and it's only a matter of time before someone gets tricked into launching one of them!!

    PS:  I have also checked the Event log and see that from 10:13:00 to 10:13:01PM antigen successfully checked for CloudMark engine updates (there were none).  Then there are five CloudMark "Loan Approved" messages from random @citibank.com (forged) email addresses blocked at 10:30:19, 10:30:20, 10:34:50, 10:35:44, & 10:38:43 PM.  But there's NO mention at all of this message I'm writing to you about occurring at 10:30:06PM in the event log!!  Also no mention at all of anything regarding this missed message in Quarantine either.

    Thx,

    Sam





    • Edited by HN_Support Wednesday, May 28, 2014 11:49 AM changed 'even' to event
    Wednesday, May 28, 2014 11:44 AM
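The two questions raised in this thread so far, how to treat a whole address block rather than individual IPs, and which hop in a header like the one above actually identifies the sender, can both be checked with a small script. The following is an added example, not part of the original thread and not Antigen's code: it unfolds the header, takes the peer IP only from the Received line written by our own gateway (every hop below it was written by the sender and is untrusted), and tests that IP against CIDR lists. The sample header is a constructed copy of the one quoted above with recipients elided; the allowed list (up to 217.110.0.0/15) and the rejected block (222.253.0.0/19) are assumptions taken from the figures Sam gives, and the gateway name smtp2.ourdomain.ca is the one in the header.

```python
import ipaddress
import re

# Constructed sample, same shape as the header quoted in the thread; recipients elided.
SAMPLE_HEADERS = """\
Received: from smtp2.ourdomain.ca (192.168.74.153) by SV007.OPC.ON.CA
 (192.168.73.157) with Microsoft SMTP Server id 14.3.181.6; Tue, 27 May 2014
 22:30:08 -0400
Received: from localhost ([222.253.28.180]) by smtp2.ourdomain.ca with
 Microsoft SMTPSVC(6.0.3790.4675);     Tue, 27 May 2014 22:30:05 -0400
Received: from 222.253.28.180(helo=dkymgyrxdlvcu.lqfcpag.ru) by localhost with
 esmtpa (Exim 4.69) (envelope-from ) id 1MM22Z-5350tf-2C for
 user@ourdomain.ca; Wed, 28 May 2014 09:30:06 +0700
From: Franklin.Meier <Franklin.Meier@citibank.com>
Subject: Loan Approved
Received-SPF: SoftFail (SV007.OPC.ON.CA: domain of transitioning
 Franklin.Meier@citibank.com discourages use of 222.253.28.180 as permitted
 sender)
"""

# Assumed lists: 217.110.0.0/15 is the highest range Sam says his Allowed Mailhosts
# contain; 222.253.0.0/19 is the block he found listed on the PBL.
ALLOWED_MAILHOSTS = ["192.168.0.0/16", "217.110.0.0/15"]
REJECTED_MAILHOSTS = ["222.253.0.0/19"]


def unfold(raw):
    """Join RFC 5322 folded continuation lines so every header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_headers(raw):
    """Received headers, newest hop first, as they appear in the message."""
    return [l for l in unfold(raw).splitlines() if l.lower().startswith("received:")]


def connecting_ip(raw, gateway):
    """Peer IP recorded in the Received line that OUR gateway wrote.
    Lines below that one were supplied by the sender and are not trusted."""
    for line in received_headers(raw):
        m = re.match(r"Received:\s*from\s+(.*?)\s+by\s+(\S+)", line, re.I)
        if m and m.group(2).lower() == gateway.lower():
            ip = re.search(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", m.group(1))
            if ip:
                return ip.group(1)
    return None


def spf_result(raw):
    """Result word from the Received-SPF header (e.g. SoftFail), if present."""
    m = re.search(r"^Received-SPF:\s*(\w+)", unfold(raw), re.M)
    return m.group(1) if m else None


def in_ranges(ip, cidrs):
    """True when ip falls inside any of the CIDR blocks (range match, not per-IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify(raw, gateway="smtp2.ourdomain.ca",
             allowed=ALLOWED_MAILHOSTS, rejected=REJECTED_MAILHOSTS):
    """Apply the scan order Susie describes: an allowed-mailhost match is decided
    first and bypasses attachment scanning; otherwise a rejected range blocks."""
    ip = connecting_ip(raw, gateway)
    result = {"source_ip": ip, "spf": spf_result(raw),
              "allowed": False, "rejected": False, "verdict": "scan"}
    if ip is None:
        result["verdict"] = "no gateway hop found"
        return result
    result["allowed"] = in_ranges(ip, allowed)
    result["rejected"] = in_ranges(ip, rejected)
    if result["allowed"]:
        result["verdict"] = "delivered, attachment scan bypassed"
    elif result["rejected"]:
        result["verdict"] = "rejected by mailhost range"
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS))
```

Run against the sample it reports the peer as 222.253.28.180 with SPF SoftFail, inside the rejected /19 and outside every allowed range, so under the stated scan order the message should have been refused before any attachment filtering. Checking the hop written by your own gateway, rather than the bottom-most Received line, is what keeps a forged header from steering the decision.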
  • Hi,

    Thanks for your feedback.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best regards,

    Susie


    Thursday, May 29, 2014 2:56 AM
    Moderator
  • Hi Susie,

    Thanks for the update.  I wanted to let you know that also today antigen skipped matching a couple of messages to an "Allowed Mailhosts" list.  That is to say a similar problem but in reverse:  instead of failing to match against a blocked list it failed to match on an allowed list.

    What happened is I got two messages stamped as "SUSPECT" for keywords when their sending IP addresses were in an "Allowed Mailhosts" list.  I'm thinking this information may be useful to you because you should also know that this particular "Allowed Mailhosts" list has never failed me before.

    However Antigen *IS* checking against other "Rejected Mailhosts" and other "Allowed Senders" lists just fine.

    Also so that you know this type of thing started happening when I was trying to add millions of IP addresses to Rejected Mailhosts in my misguided attempts to block certain IP Address ranges which I only found out later I should have been doing by using an appropriate RBL Server such as the pbl.spamhaus.org which I NOW have configured.

    Also so that you know, I have not disabled but rather have removed those lists of millions of IP addresses entirely from the Rejected Mailhosts now.

    However removing them hasn't seemed to resolve the issue, so I'm not even sure it's what caused the problems in the first place; I just thought I'd mention it in case it's important.

    Thanks!


    Sam

    Thursday, May 29, 2014 3:36 AM
  • Hi,

    Thanks for your reply. Below is the reply from the supporter:

    “I would like to know the enabled engines on Antigen in Antivirus Scan Job, Definition updates and Quick scan Job.

    Please make sure all the retired engines are disabled. Please find the list of expired engines in below article:

    http://technet.microsoft.com/en-us/forefront/dd940095.aspx

    Make sure all the enabled engines have latest updates.

    MALWARE SUBMISSION:

    If the attachments contain executables, kindly submit the malware detected email in a password protected file to Microsoft Malware Submission: https://www.microsoft.com/security/portal/submission/submit.aspx

    SPAM SUBMISSION:

    http://support.microsoft.com/kb/924951/en-us

    I have attached a word document on enabling RBL servers setting in antigen, please go through the same and let me know if you have any queries or concerns.”

    In addition, if the above is not helpful, we recommend you to contact Microsoft support to fix it:

    http://support.microsoft.com/contactus/?ln=en-au#find_store

    Best regards,

    Susie


    Friday, May 30, 2014 6:41 AM
    Moderator
  • Hi Susie,

    The list of currently enabled antivirus engines is: Authentium Command Antivirus, Kaspersky Antivirus Technology, Microsoft Antimalware Engine, and Norman Virus Control.

    On the "Scanner Updates" tab all of the above are enabled plus the "Antigen Worm List" and "Cloudmark Authority Engine" are enabled.

    I don't seem to be able to find a "Quick Scan Job" area however there is a "Scan Job" tab which has an "SMTP Scan Job" listed and enabled.  It lists Virus Scanning, File Filtering, Content Filtering, Keyword Filtering, Mailhost Filtering, and Spam Scanning as all "On".

    As per your suggestion I have verified that all of the retired engines are disabled and all of the enabled engines are listed updated as of today.

    We always submit false-negative spam samples as per your Spam Submission link.  I will also submit any malware attachments that get through from now on however I'd rather just have the file filtering function work since all .SCR & .EXE files WILL be malware regardless of if there are signatures existing for them or not.  (And these days it's usually 'not', right?)

    However in your recent response to me you pasted "I have attached a word document on enabling RBL servers setting in antigen, please go through the same and let me know if you have any queries or concerns." However I do not see any such word document?

    Please advise.

    Sam

    Monday, June 2, 2014 11:04 AM
  • Hi,

    Sorry for the delay.

    Since the supporter cannot reply in this forum, he asked me to reply for him. Below is the email that he sent to me:

    "After going through the forum I am a little bit confused about the issue which the customer is facing right now. I have noticed that the customer has mentioned the below issues with Antigen.

    1. Customer mentioned that when someone sends an email with a ZIP file as an attachment and that ZIP file includes SCR or EXE files, they are getting replaced with a TXT file and this is fine, but sometimes this configuration is not working. I.e. a ZIP attachment which consists of SCR and EXE files is not filtered by Antigen and is getting delivered to the end user.

    2. Customer also mentioned that these malicious emails are coming from those IP’s which are already on the PBL list. So in this scenario if the customer is willing to work on the RBL related issue it would be completely different than the above mentioned issue and we/customer may need to create another ticket for it.

    3. Customer mentioned that a few similar emails were blocked by the Cloud Mark engine but one message skipped the filtering and was delivered to a few users.

    Please inform the customer that Cloud Mark will perform SPAM filtering and it won’t perform Virus filtering. Now I would like to know what the issue is: SPAM filtering is not working appropriately, or ZIP attachments consisting of SCR and EXE files are getting delivered to end users?

    As per the case title and comments of the customer in the forum I am assuming that the customer’s main concern is to block ZIP files which include SCR and EXE files. If my understanding is correct then I would like to get the below information from the customer.

    1. How email routing is configured?
    2. How many Antigen for SMTP servers they have in their environment?
    3. Are there specific users which are receiving these unfiltered emails with attachments? If the customer has noticed any similarity regarding this.
    4. Would like to get original message header information of emails whose ZIP files had the SCR/EXE file removed AND of emails whose ZIP files did NOT have the SCR/EXE file removed.
    5. Would like to get screenshots of the settings configured in Antigen. Follow these steps =
      1. Click on SETTINGS > GENERAL OPTIONS.
      2. FILTERING > FILE FILTERING
      3. FILTERING > FILTER LIST

    As of now I need above information and I would update you if I need more information than this. If in case we need to collect diagnostics information from the customer then we may have to ask customer to create a case with support team."

    Best regards,

    Susie

    Thursday, June 12, 2014 6:45 AM
    Moderator
  • Hi Susie,

    The main and initial issue that we are experiencing is in fact inconsistent file types removal from within .ZIP attachments of messages coming into the SMTP email gateway server as per the title of this thread.  The other apparently different issues I've mentioned having to do with allowed and rejected mailhosts lists as well as the RBL and CloudMark services are included in my posts for two reasons:

    1) They are my attempts to get antigen to stop these incoming bad attachments messages through other means and
    2) ALL of the issues I mentioned appear to be suffering from the same general problem which is that each of these methods was seeming to work inconsistently or put another way to not work on an intermittent basis.

    However I am content here to just focus on the inconsistent file types removal issue specifically, because that is the most dangerous problem in terms of end users accidentally launching some infected attachment that should have been removed due to the fact that those particular file type extensions (.SCR & .EXE) have been specified in a "File Names" list yet sometimes are not removed.

    On that note I am quite aware that the CloudMark engine is only removing SPAM and *not* virus filtering; however my mentioning it in this thread is to point out how many of the different filtering mechanisms in antigen in general seem to be having intermittent issues functioning as I would expect them to.  I do understand that the spam filtering process is complex and could have been working fine even though it missed one that appeared to be just like the others, and so I would say at this point let's not worry about that CloudMark example I wrote about and focus instead on the intermittent "file names" lack of removal issue.

    To answer your questions:

    1) Email routing:  Email comes into a Win2K3 server in a DMZ.  This server is configured with the Microsoft SMTP Virtual SMTP server in IIS to send and receive email.  An Exchange 2010 Mailbox, CAS, and Hub Transport server on the LAN sends outgoing messages to it and receives incoming messages from it.

    2) There is only the one Antigen SMTP server in the DMZ as above.

    3) So far as I've noticed (although up until now haven't been tracking this specifically) both messages which are correctly having the .SCR & .EXE files replaced by an antigen notification message within their .ZIP file attachments, as well as those which are allowing them through, are to various email addresses.  The same email address, for example, could get both messages where the malicious file was removed and then again others where it was not.  As you'll see in the perfect examples that follow, the same message with the same content was sent twice to the same user, and for the first one the "Attachment20.05.xls.scr" in the attached "Attachment20.05.zip" file was NOT removed and in the second one the same .xls.scr file name WAS removed from a .ZIP file with the exact same name!!

    4a) Message header information from an email message where the scr/exe file was NOT removed:

    Received: from xxx(192.168.74.153) by SV007.OPC.ON.CA
     (192.168.73.157) with Microsoft SMTP Server id xxx; Tue, 20 May 2014
     10:33:19 -0400
    Received: from YMBMOAGKII ([xxx]) by xxx with
     Microsoft SMTPSVC(6.0.3790.4675);     Tue, 20 May 2014 10:32:24 -0400
    Return-Path: <xxx>
    From: Suzanne Browning <xxx>
    Content-Type: multipart/alternative;
        boundary="Apple-Mail=_935883FD-6A1B-3AC8-E3FC-BA4A654FFF1C"
    Subject: Order confirmation
    Message-ID: <64A74FB1-F725-1FDD-5A22-605A95C5DB13@aurorajimenez.com>
    Date: Tue, 20 May 2014 18:32:32 +0700
    To: <xxx>
    MIME-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
    X-Mailer: Apple Mail (2.1508)
    X-Spam: Not detected
    X-Mras: Ok
    X-OriginalArrivalTime: 20 May 2014 14:32:25.0757 (UTC) FILETIME=[51DEA4D0:01CF7438]
    X-MS-Exchange-Organization-AuthSource: SV007.OPC.ON.CA
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: aurorajimenez.com
    X-MS-Exchange-Organization-SenderIdResult: None
    Received-SPF: None (SV007.OPC.ON.CA: slothn396@aurorajimenez.com does not
     designate permitted sender hosts)


    4b) Message header information from an email message where the scr/exe file WAS successfully removed:

    Received: from xxx (192.168.74.153) by SV007.OPC.ON.CA
     (192.168.73.157) with Microsoft SMTP Server id xxx; Tue, 20 May 2014
     10:38:10 -0400
    Received: from xxx([151.226.79.18]) by
     xxx with Microsoft SMTPSVC(6.0.3790.4675);     Tue, 20 May 2014
     10:37:28 -0400
    Return-Path: xxx
    From:xxx
    Content-Type: multipart/alternative;
        boundary="Apple-Mail=_A56BCE04-48FF-72E0-2209-3153026105E2"
    Subject: Order confirmation
    Message-ID: <A007C0C1-6983-E9E1-5E2C-ABA5DD1D6F6E@auspextech.com>
    Date: Tue, 20 May 2014 11:38:14 +0000
    To: xxx
    MIME-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
    X-Mailer: Apple Mail (2.1508)
    X-Spam: Not detected
    X-Mras: Ok
    X-OriginalArrivalTime: 20 May 2014 14:37:29.0210 (UTC) FILETIME=[06BDE5A0:01CF7439]
    X-MS-Antispam-Report: v=2.1 cv=DN62vU9b c=1 sm=1 tr=0 a=x4apgz2beyDwXHW9w/LfMw==:117 a=x4apgz2beyDwXHW9w/LfMw==:17 a=jSdwR6F8jqoA:10
     a=BgvOYFJOAAAA:8 a=WY3eBg3WAAAA:8 a=W4o2BI1IsXbpuIUfiBwA:9 a=u2jcfygL8-M9V-p2:21 a=UGWtvuawD4KTD8Kw:21 a=CjuIK1q_8ugA:10
     a=KYGr0j8BduwA:10 a=9Jn314amLDsA:10 a=eonn8m4wBK5V7EJgCOoA:9 a=Ce0acvNB1N2aq8Pm:21 a=JX1csRqI7xIdwf4Y:21 a=P3edsc8KkikA:10
     a=7OGxUaAPuFQA:10 a=LiBTxXFXZzkAJ5LWve4A:9 a=UnvGgoRMwMDk7pQUtTQA:14 a=IKIoO-ieCDEA:10
    X-MS-Exchange-Organization-AuthSource: SV007.OPC.ON.CA
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: auspextech.com
    X-MS-Exchange-Organization-SenderIdResult: None
    Received-SPF: None (SV007.OPC.ON.CA: britonsooi85@auspextech.com does not
     designate permitted sender hosts)

    5a) General Options screen shots:

    (more screen shots in next message)


    Sam




    Thursday, June 12, 2014 3:48 PM
  • 5b) File Filtering


    5c) Filter List (wasn't sure which one you wanted??)

    Thanks again!


    Sam

    Thursday, June 12, 2014 3:49 PM
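The behaviour Sam expects from the "File Names" filter, a blocked member inside a .ZIP replaced by a .TXT notice, with the "Attachment20.05.xls.scr" double-extension case from the post above, can be exercised independently of the gateway. The following is an added example, not part of the thread and not Antigen's code: it builds a constructed test archive (a disguised .xls.scr, a harmless text file, and a nested .ZIP carrying an .exe), lists every member whose final extension is on the block list, and rebuilds the archive with those members replaced by a same-named .txt notice, descending into nested archives to a fixed depth. The extension list, depth limit and notice wording are assumptions.

```python
import io
import zipfile

BLOCKED_EXTS = (".exe", ".scr")   # the two types Sam's "File Names" list is meant to strip
MAX_DEPTH = 3                     # how far to descend into nested archives (assumed limit)


def build_sample_zip():
    """Constructed test attachment: shape taken from the thread's example, contents fake."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Attachment20.05.xls.scr", b"not a real screensaver")
        z.writestr("readme.txt", b"harmless text")
        z.writestr("Invoice.ZIP", inner.getvalue())
    return outer.getvalue()


def is_blocked(name, blocked=BLOCKED_EXTS):
    # Match on the FINAL extension, case-insensitively, so "x.xls.SCR" is caught.
    return name.lower().endswith(tuple(e.lower() for e in blocked))


def is_archive(name):
    return name.lower().endswith(".zip")


def blocked_entries(zip_bytes, blocked=BLOCKED_EXTS, depth=0, prefix=""):
    """Every blocked member path, including members of nested .zip files."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            if is_blocked(info.filename, blocked):
                found.append(path)
            elif is_archive(info.filename) and depth < MAX_DEPTH:
                found.extend(blocked_entries(z.read(info), blocked, depth + 1, path + "/"))
    return found


def sanitize_zip(zip_bytes, blocked=BLOCKED_EXTS, depth=0):
    """Rebuild the archive with each blocked member replaced by a same-named
    .txt notice; nested archives are rewritten the same way."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if is_blocked(info.filename, blocked):
                notice = f"{info.filename} was removed by the gateway file filter.\n"
                dst.writestr(info.filename + ".txt", notice.encode())
            elif is_archive(info.filename) and depth < MAX_DEPTH:
                dst.writestr(info.filename, sanitize_zip(data, blocked, depth + 1))
            else:
                dst.writestr(info, data)   # untouched member, original metadata kept
    return out.getvalue()


def member_names(zip_bytes):
    """Member names of an archive given as bytes (used to inspect results)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def read_member(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name)


if __name__ == "__main__":
    sample = build_sample_zip()
    print("blocked before:", blocked_entries(sample))
    cleaned = sanitize_zip(sample)
    print("blocked after: ", blocked_entries(cleaned))
    print("members after: ", member_names(cleaned))
```

Running the same archive through this twice gives the same result both times, which is the property Sam's gateway is failing to show; running it over a folder of quarantined and delivered samples is a quick way to confirm that the filename list itself, rather than the archive contents, is what the gateway is matching against.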
  • Hi,

    Thanks for your reply.

    I contacted the supporter and he recommended you create a new case with us, as they cannot provide workspace details in the forum; then we will surely contact you and will work further on this issue.

    In addition, since your last post contained email addresses which may expose your privacy, I replaced them with xxx. Thanks for your understanding and support.

    Best regards.

    Susie

    Tuesday, June 17, 2014 3:18 AM
    Moderator