PMG does not scan in ZIP archives?

nick

Hello Proxmox team,

Today I realized that my PMG (proxmox-mailgateway/3.1/5773) does not scan ZIP files correctly. I received a ZIP with an infected EXE inside and it passed through the mail filter with no problems. It was stopped by the internal mail server filter.

What do I need to check in this case? Did I miss something in my configuration?

regards,
Nick
 
Please open a support case via https://my.proxmox.com, and include a backup of your config and the email in raw format (*.eml).

In order to prevent filtering, add the *.eml file to a password-protected zip file.
 
Hi Tom,

I can't give you the email because it was rejected. All I have is the message received from the mail server. Is that OK?
 
If you do not have the message, how do you know that it was really infected?

In any case, send all the info you have.
 
Hello Tom,

I investigated deeper in the mail server log and it appears to be a false alarm. The file was an EXE inside a ZIP file; because it was encrypted, the mail server filter classified the content as a possible virus and moved it to quarantine.

My concern now is: why was the content with .exe not blocked by PMG - I activated this in Rules: Block dangerous content?
 
You can block encrypted archives, see "Configurations/Virus Detector/Options: Block encrypted archives".
 
Actually, my intention is to block any EXE file (encrypted or not). I want to block them even if they are inside a ZIP file - or any other archive format.

Is it possible?
 
First, block encrypted archives (see above).

Second, create a new "what object" and add an "Archive Filter" to this object. As the content type for this archive, select "application/x-ms-dos-executable (exe)".

Third, add/create a rule and use this object, e.g. remove the attachment in such a case.

This rule will also detect exe files inside zip (and similar), but only in NON-encrypted archives.
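
As an added illustration (not part of the original posts and not PMG's own code), this Python example shows why a content-type match can find an EXE inside a ZIP only when the entries are not encrypted: a filter can read the "MZ" magic bytes of a plain entry, but for an encrypted entry it only sees the encryption flag. The function names `classify_zip` and `build_sample` are hypothetical, and the sample archive is constructed in memory; its "encrypted" variant is simulated by setting the flag bit in the central directory, the data itself is not encrypted.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 of a ZIP entry header


def classify_zip(data: bytes) -> dict:
    """List entries that are encrypted and entries whose content is a DOS/PE executable."""
    result = {"encrypted": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED_FLAG:
                # Without the password the content cannot be read, so no
                # content-type detection is possible; only the flag is visible.
                result["encrypted"].append(info.filename)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":  # executable magic bytes, independent of the file name
                result["executables"].append(info.filename)
    return result


def build_sample(mark_encrypted: bool) -> bytes:
    """Constructed sample: a stub with an MZ header (not a real program) plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.dat", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"hello")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Simulation only: set the encryption flag in every central directory header.
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED_FLAG
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    print("plain:    ", classify_zip(build_sample(False)))
    print("encrypted:", classify_zip(build_sample(True)))
```

The plain archive reports `tool.dat` as an executable despite its extension, while the flagged archive reports nothing but encrypted entries, which is the case the "Block encrypted archives" option covers.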
 
Hi Tom,

Your solution works correctly. Only one observation: when someone tries to send a PDF by email (these PDFs are protected against editing), the message is blocked:

Virus Info: Heuristics.Encrypted.PDF (clamav)

What can we do to avoid this? For the moment the only solution was to disable the "Block encrypted archives" option.