Help suggestion to filter virus
meatboy (Newbie, Joined: 26 June 2006)
Posted: 22 October 2015 at 1:43am
Hi,
I have a user who is regularly getting an email bearing a zipped attachment. The attachment contains a file "swift copy.exe" which is the virus payload. The zip file's name seems to change and I cannot block zip files. We do have virus checking within SpamFilter ISP active, but it does not seem to pick it up. Is there any suggestion on how to block this? Thank you.
Tim
LogSat (Admin Group, Joined: 25 January 2005, Location: United States)
Tim, if you can forward the zip to us at support at logsat dot com we'll have the virus added to the definition updates within a few hours.
meatboy
Hi Roberto,
Getting a copy could be a bit tricky: the end user's desktop AV picks it up. Here is Trend Micro's alert, if that helps:

Virus/Malware: TROJ_ZEMOT.XXTVT
Endpoint: PC
Domain: xxxxxxxx
File: C:\Users\PC\AppData\Local\Microsoft\Windows Live Mail\EE China - 66f\???\7CE64DB9-0010A22C.eml (swift copy.exe)
Date/Time: 22/10/2015 8:29:26
Result: Unable to send the quarantined file to the designated quarantine folder

I was hoping for perhaps some kind of keyword that would pick up the file name within the zip file? One other issue I may have is that this could be coming from a whitelisted user, but I can clear out the whitelist and manually check them.
Thanks
LogSat
When there are waves of viruses like the one you are seeing, most of the time some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens as other filters will detect the malicious emails based on the IP and/or email address of the sender. In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:

SELECT TOP (100) tblMsgs.MsgID, tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc,
       tblQuarantine.RejectDetails, tblQuarantine.QuarID, tblQuarantine.EmailFrom, tblQuarantine.Subject, tblMsgs.Msg
FROM tblRejectCodes
INNER JOIN tblQuarantine ON tblRejectCodes.RejectID = tblQuarantine.RejectID
INNER JOIN tblContentType ON tblQuarantine.MsgID = tblContentType.MsgID
INNER JOIN tblMsgs ON tblContentType.MsgID = tblMsgs.MsgID
WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24)
  AND ( (tblMsgs.Msg LIKE N'%application/zip%') OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%') )
ORDER BY tblMsgs.MsgID DESC

It will look for all emails blocked within the past 24 hours which have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment). It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to download the .eml attachment: http://www.logsat.com/SpamFilter/pub/SpamFilterBlockedZIPs.zip To adapt it to your environment, simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.
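The earlier question in this thread was whether a keyword rule could match the file name inside the zip. A body search such as the LIKE clauses above can only see the MIME headers, because the zip itself (and the member name "swift copy.exe" inside it) is base64-encoded in the message body and never appears as plain text. The following script is an added example, not LogSat's code and not part of SpamFilter; it takes an .eml (for instance one downloaded through the quarantine pages), decodes every zip-typed attachment, and reports member names with risky extensions without extracting anything. The sample message, the attachment name SWIFT_COPY_20151022.zip and the risky-extension list are all constructed here for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed sample: a harmless zip whose only member carries the name seen in
# the thread. The member content is plain text, not an executable.
def build_sample_eml(member_name="swift copy.exe", zip_name="SWIFT_COPY_20151022.zip"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "placeholder text, not a real binary\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = "Swift copy"
    msg.set_content("Please find attached swift copy.")
    # Bytes attachments are base64-encoded by the email library, which is why
    # the inner file name is invisible to a plain-text body search.
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()

# The two content types the quarantine query above looks for.
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
# Assumed list of extensions worth flagging; tune to local policy.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com", ".pif")

def list_zip_attachments(eml_bytes):
    """Return [(attachment filename, [member names] or None)] for each zip part.

    Members are read from the zip directory only; nothing is extracted.
    A corrupt or non-zip payload yields None so the caller can still see it.
    """
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() not in ZIP_TYPES:
            continue
        payload = part.get_payload(decode=True)  # base64 -> raw zip bytes
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = None
        results.append((part.get_filename(), members))
    return results

def flagged_members(eml_bytes):
    """Return (zip filename, member name) pairs whose member has a risky extension."""
    flagged = []
    for zip_name, members in list_zip_attachments(eml_bytes):
        for name in members or []:
            if name.lower().endswith(RISKY_EXT):
                flagged.append((zip_name, name))
    return flagged

def body_contains_literal(eml_bytes, needle):
    """Whether the raw message text contains needle as plain text.

    Demonstrates the limit of a keyword rule: the MIME type is visible,
    the name inside the base64-encoded zip is not.
    """
    return needle.encode() in eml_bytes

if __name__ == "__main__":
    sample = build_sample_eml()
    print("zip attachments:", list_zip_attachments(sample))
    print("flagged:", flagged_members(sample))
    print("'application/zip' visible in raw text:",
          body_contains_literal(sample, "application/zip"))
    print("'swift copy.exe' visible in raw text:",
          body_contains_literal(sample, "swift copy.exe"))
```

Run it against a real .eml by replacing the constructed sample with the file's bytes; the same functions work unchanged. Because the check reads only the zip directory, a nested zip or an encrypted archive still lists its member names, which is usually enough to decide whether to hold the message for review.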