Invoice Malware & Doc files

We have been seeing, over several customers, that Puremessage has been putting a lot of messages into quarantine that really should be deleted.

The messages are fake invoices with a *.doc attachment which, according to a quick search, contains a macro virus.

An example being http://sanesecurity.blogspot.co.uk/2015/03/linsen-parts-uk-ltd-invoice-from-linsen.html

The problem with this is that a user still gets notified of the item and can still download it.

Our PureMessage is set at 90 to delete messages and these seem to score 82-84 or so.

We have filtered some by using the subject, but others are craftier, with a subject that keeps changing.

Any ideas or recommendations how to stop these other than reducing the delete threshold?

  • We are seeing the same issue with a variety of clients as well. 

    We usually have PureMessage set to deliver suspected spam and append *SPAM* to the subject.  At the moment all of these emails are filtering through PureMessage with virus attachments intact and sitting in the users' inboxes.

    It seems to be a little while later that the messages are being scanned and the attachments removed and replaced with a txt file.  This would suggest that Sophos AV/definitions are seeing the viruses, but I don't understand why the messages are not being deleted on the initial scan by PureMessage?

    I have submitted some of the sample emails to Sophos.

  • Same problem for us: PureMessage is ignoring the .doc macro virus attachments.  Later on they are deleted.  However, they are all initially delivered to the inbox.

    edit:  PureMessage AV is set to "normal" scan.  What does "extensive" scan do?  It recommends enabling it only through technical support.

  • Ticket opened and SDU submitted.  If I get a resolution I'll post here.

  • In the end this was resolved by giving Sophos a copy of the infected file.  It wasn't on their list.

    Fast forward to today and we are getting another flood of these .doc files.  Basically the same as before, these files are (at heart) DRIDEX downloader Word macro virus files - it took me a couple of minutes to look at the file and realise it is identical except for the web address of the malware.  After uploading the attachment, virustotal.com lists other AV vendors recognising the file as a virus but annoyingly Sophos reported it clean (even the desktop endpoint didn't pick the file up when I saved the attachment to my PC).

    So it seems we are getting flooded because Sophos are slow on their definition updates; SMTP scanning works fine, and this explains why (after Sophos eventually update their virus definitions) Exchange store scanning will work and pick up the virus from people who haven't deleted it.

    Not good and certainly a consideration for our renewal come November.

  • After submitting the file yesterday I noticed a multitude of

    Server: SATURN_EMAIL_02

    ============================================================

    Incident information:

    Event: Virus infection detected

    Location: BHX8728621.doc

    Replaced with text: Yes

    Virus name(s): Troj/DocDl-QH

    being generated now.  Plus I cannot upload the file to virustotal anymore as the endpoint detects it as a virus.

    I very much doubt I am the only recipient of a 0 day virus (especially as virustotal already had other vendors recognising the file as a virus).

    Not happy with Sophos at all with this.  DRIDEX and variants are not new.

  • Hello,

    We have exactly the same problem.

    Sophos PureMessage for Exchange sees nothing; for it, everything is clean.

  • Hi,

    I'd like to follow up on two comments in this thread:

    'being generated now.  Plus I cannot upload the file to virustotal anymore as endpoint detects as a virus.'

    This indicates that SophosLabs did not have detection available at the time the viral email was received and that later it was added - so this detection problem would affect any product using the Sophos engine, both PureMessage and Sophos Endpoint Security and Control on the client.

    'I very much doubt I am the only recipient of a 0 day virus. DRIDEX and variants are not new.'

    DRIDEX may not be new, but the particular threat would be new. Even for a single variant such as Troj/DocDl-QH, where the QH signifies this as the 452nd variant (17x26+10, Q meaning the 17th set of 26 variants), each variant can have hundreds of different files (or hashes) associated with it, with new hashes being added on a daily basis as new threats emerge.

    This was almost certainly a snowshoe spam campaign:

    https://blogs.sophos.com/2014/11/21/snowshoe-spam-is-on-the-rise-what-can-be-done-about-it/

    For the PureMessage product you can add additional protection by enabling the below Content scanning options within the 'On suspicious/restricted attachment' section:

    Microsoft Excel Containing Macros
    Microsoft Word Containing Macros

    Note: It is advised to quarantine these messages, as you may receive valid documents containing macros.

    Below is a product statement providing more information on snowshoe spam:

    Hello everyone, on behalf of the Product Teams and SophosLabs, I’d like to provide you with an update on the snowshoe spam situation that has been affecting some customers recently.

    In recent months we’ve seen an increase in sophisticated spam campaigns that are evading our anti-spam engines. Techniques such as “Snowshoe” spread spam over many different IP addresses, in low volume bursts, making it extremely difficult to proactively detect and block new variants quickly.  This is an industry wide challenge and is in no way unique to Sophos.
    Our Labs and engineering teams are working actively to develop new techniques to stop these new campaigns and we will automatically roll-out these capabilities for our customers as they become available.
    It’s important to note that we are still achieving over a 99% catch rate for spam, and have been consistently running at 99.5% and higher for a very long time leading up to this. Until recently, customers have been accustomed to seeing very little spam, and many still are. This recent dip has therefore been particularly noticeable to customers and end users affected by these recent snowshoe campaigns.

    More information on the snowshoe spam issue and what can be done about it, has been published in a recent blog article:  Snowshoe Spam is on the Rise – What can be done about it?

    While we have been challenged by these new emerging spam techniques across our entire line of email products, the impact has been most noticeable for customers of PureMessage Exchange.  We would like to encourage PureMessage Exchange customers to consider adding one of our secure email gateway products such as the Sophos Email Appliance (SEA) or the Sophos UTM with Email Protection.  These gateway products can often provide better catch-rates as they operate on the edge of the company network with greater access to Live Internet look-ups and context, catching more spam before it hits the mail server.  For many customers, the SEA in virtual form is already included in their bundle license.  And those customers who just have an Endpoint Protection license should definitely consider upgrading to a bundle that includes email protection that includes the SEA, or  alternatively licensing our UTM.

    Regards,

    Reginald

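As an added example (not code from the thread, from Sophos or from PureMessage), the following stdlib-only Python shows the idea behind the two rules discussed above: the original poster's score-based delete threshold of 90, and Reginald's type-based "Word/Excel containing macros" rule that quarantines an attachment whether or not a virus signature exists yet. The `build_sample` helper, the `example.invalid` addresses and the two OLE2 blobs are constructed for the demonstration; the macro check is a heuristic on the VBA storage names, not a full OLE parser.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file (.doc/.xls)
# Storage and stream names in an OLE2 directory are stored as UTF-16LE strings.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def office_has_macros(data: bytes) -> bool:
    """Heuristic: does this Office attachment carry a VBA project?"""
    if data.startswith(OLE_MAGIC):
        # .doc/.xls: a VBA project appears as the Macros / _VBA_PROJECT storages.
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK\x03\x04"):
        # .docm/.xlsm (OOXML zip): the VBA project is a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def classify_message(raw: bytes, spam_score: float, delete_at: float = 90.0) -> str:
    """Return 'delete', 'quarantine' or 'deliver' for one inbound message."""
    if spam_score >= delete_at:
        return "delete"          # the existing score-based rule (90 in the thread)
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if office_has_macros(part.get_payload(decode=True) or b""):
            return "quarantine"  # type-based rule: needs no AV signature
    return "deliver"


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed test message with one attachment (hypothetical addresses)."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice 12345"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(attachment, maintype="application", subtype="msword", filename=filename)
    return msg.as_bytes()


# Constructed OLE2 blobs: only a header and directory names, no real macro code.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros\0_VBA_PROJECT".encode("utf-16-le")
FAKE_PLAIN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
```

`classify_message(build_sample(FAKE_MACRO_DOC, "BHX8728621.doc"), spam_score=83)` returns `"quarantine"` although 83 is below the 90-point delete threshold, which is the gap the thread describes; the same message without the VBA storages is delivered.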