Attachments rules by name, but even in archives

[Pavel Hruška]

Hi folks, I've experienced ransomware attack that originated from email attachment. The fact that the infected file passed through all checks (ClamAV on PMG, even local AV) forces me to think about tightening the rules a bit more here.

We are using Windows clients only (for end users) and I have to say that I have quite bad experience with ClamAV detection so far (quite a lot of emails passed it's checks and were catched by local AV on last mile only).

Easy and possible way to make email more secure here (and probably not only here) is to define strict policy what kind of attachments are allowed to pass (or are not allowed to pass). I can define such policy in PMG, but I am out of luck if such attachment is wrapped by ZIP or any other archiver - and that is quite common practice.

What I would like to do is to scan all common archives - e.g. zip, rar, 7z. Rules are simple:

• email with dangerous attachment file name (direct or in archive) will be blocked (or put in quarrantine),
• encrypted or anyhow unparsable archives will be blocked, too.
• possibility to add exceptions (from, to) to bypass such rules is welcome.

I don't think it is possible to configure PMG in such way out of the box. Any ideas how to implement this? Any experience with amavisd-new, which seems to be used a lot together with postfix?

Is anybody in PMG team aware of this, any chance to have such feature out of the box in future?

Thank you.

 

[Stoiko Ivanov]

You can quite directly scan for files inside common archives in PMG - just create a 'What Object' that contains an 'Archive Filter' instead of a 'Content Type Filter' (the Archive filter matches the attachment if its inside an archive or not - e.g. an archive filter for content type 'application/msword (doc)' matches .doc if they are directly attached or attached inside a ZIP file).

The one thing which is currently not implemented (but we plan on adding it) is a Filename match inside an archive filter.

You can add exceptions by creating a rule with higher priority which accepts the mail from certain senders (or one which blocks them for a blacklist)

regarding encrypted archives: These are usually detected by ClamAV as 'Heuristic.EncryptedArchive' (or something like that) - and ClamAV heuristics get assigned a certain Spam Score - you can use that to match those files as having a high spamscore. For this you need to do the following settings in PMG:
* Configuration->Virus Detector -> Options -> Block encrypted archives and documents needs to be enabled
* Configuration->Spam Detector -> Options -> Heuristic score needs to be set the score you want to assign to such mails (something high so you can catch them with a What Object of 'Spam Level 7' or so

I hope this helps!

 

[Pavel Hruška]

Thank you for quick reply. Looks promising and I will give it a try, but I have some thoughts on this topic:

• for encrypted archives I already used to have "Block encrypted archives and documents" checked, but I've incereased heuristic score from default value 3 something higher. Does it mean that email that will have positive match on heuristic scans (as from docs: Encrypted Archives/Documents, Google Safe Browsing database, PhishingScanURLs, ...) will get that score assigned?
• I am not sure about the Content Type of the attachments itself. The most important question for me is: where is it generated? On sender side? I am really not sure, sorry if I am wrong. I mean can I relly on this value? Cannot that be spoofed by a sender? Is it for sure that "application/x-ms-dos-executable (exe)" matches all and every executable? So hopefuly "File Match" is comming soon, it is much more clear for me as when protecting Windows clients. More info about when it would be available?

Now what I REALLY miss in docs is a bit more specification about archives:

• what type of archives are supported,
• is/isn't this feature recursive, if it is, how many nested archives will be checked,
• what happens if the archive cannot be opened (failed to open for any reason) - I do not want such attachments to be delivered, encrypted or corrupted archives with possibility that client somehow opens it.

Where can I get answers on such questions other than "try-fail-repeat"?

Thank you.

 

[Stoiko Ivanov]

for encrypted archives I already used to have "Block encrypted archives and documents" checked, but I've incereased heuristic score from default value 3 something higher. Does it mean that email that will have positive match on heuristic scans (as from docs: Encrypted Archives/Documents, Google Safe Browsing database, PhishingScanURLs, ...) will get that score assigned?

yes

I am not sure about the Content Type of the attachments itself. The most important question for me is: where is it generated? On sender side? I am really not sure, sorry if I am wrong. I mean can I relly on this value? Cannot that be spoofed by a sender? Is it for sure that "application/x-ms-dos-executable (exe)" matches all and every executable?

it is determined via the xdg_mime_get_mime_type_from_data function - so it tries to determine it via the contents of the file (falling back to the mime-type based on the filename (extension), defaulting to application/octet-stream.
Should work more reliably than the file-name matches (which can also be spoofed)

what type of archives are supported,

The list can be found on the top of /usr/share/perl5/PMG/Unpack.pm

is/isn't this feature recursive, if it is, how many nested archives will be checked,

yes it is recursive (for 4 levels)

I hope that helps

Regarding the documentation improvments you can create an enhancement request at https://bugzilla.proxmox.com - please provide details of what you would like to see improved (that helps in actually implementing it)

Thanks!

 

[hata_ph]

Just to ask, may I know what rules or option to enable clamav to scan archive files?