Invoice Malware & Doc files

We have been seeing, across several customers, that PureMessage has been putting a lot of messages into quarantine that really should be deleted.

The messages are fake invoices with a *.doc attachment which, according to a quick search, contains a macro virus.

An example being http://sanesecurity.blogspot.co.uk/2015/03/linsen-parts-uk-ltd-invoice-from-linsen.html

The problem with this is that a user still gets notified of the item and can still download it.

Our PureMessage is set at 90 to delete messages, and these seem to score 82-84 or so.

We have filtered some by using the subject, but others are craftier, with a subject that keeps changing.

Any ideas or recommendations on how to stop these other than reducing the delete threshold?

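One way to stop this class of message without lowering the PureMessage score threshold is to refuse the attachment class outright: a legacy .doc file that carries a VBA project has no business arriving as an "invoice". The script below is an added example for this thread; it is not code from the original post, from PureMessage or from Sophos. It parses a message with the Python standard library, pulls out each attachment, and flags OLE2 (.doc) files whose bytes name the "Macros" storage or the "_VBA_PROJECT" stream that Word uses for macro code. The sample messages and "attachments" are constructed byte strings, not real documents and not real malware.

```python
"""Gateway-side check for macro-bearing legacy Word (.doc) attachments.

Added example for this thread; it is not code from the original post, from
PureMessage or from Sophos. The sample messages and "attachments" below are
constructed byte strings, not real malware.
"""
import email
import email.policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header signature used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory entry names inside an OLE compound file are stored as UTF-16LE.
# Word keeps VBA code under a storage named "Macros" and the project
# metadata in a stream named "_VBA_PROJECT".
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]


def has_vba_project(data: bytes) -> bool:
    """Heuristic: True if data is an OLE2 container whose bytes name a VBA storage.

    This does not walk the OLE directory; a document whose body text happens
    to contain "Macros" encoded as UTF-16 would also match, so treat a hit as
    "hold or reject", not as a malware verdict.
    """
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment in an RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(payload),
            "ole": payload.startswith(OLE_MAGIC),
            "vba": has_vba_project(payload),
        })
    return findings


def verdict(raw: bytes) -> str:
    """'reject' when any attachment is an OLE file carrying a VBA project, else 'deliver'."""
    return "reject" if any(f["vba"] for f in scan_message(raw)) else "deliver"


def build_sample(attachment: bytes, filename: str, subtype: str = "msword") -> bytes:
    """Build a constructed invoice-style test message with one attachment."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "ap@example.invalid"
    m["Subject"] = "Invoice 4521 attached"  # subjects vary in the wild; do not key on this
    m.set_content("Please find attached the invoice.")
    m.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed stand-ins for attachments (not real documents, not real malware):
# an OLE header followed by the directory-entry names a macro document carries,
# and the same header followed only by the ordinary WordDocument stream name.
FAKE_MACRO_DOC = (OLE_MAGIC + b"\x00" * 504
                  + "Root Entry".encode("utf-16-le") + b"\x00" * 44
                  + "WordDocument".encode("utf-16-le") + b"\x00" * 40
                  + "Macros".encode("utf-16-le") + b"\x00" * 52
                  + "_VBA_PROJECT".encode("utf-16-le"))
FAKE_PLAIN_DOC = (OLE_MAGIC + b"\x00" * 504
                  + "Root Entry".encode("utf-16-le") + b"\x00" * 44
                  + "WordDocument".encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob, sub in (("invoice.doc", FAKE_MACRO_DOC, "msword"),
                            ("invoice.doc", FAKE_PLAIN_DOC, "msword"),
                            ("invoice.pdf", b"%PDF-1.4\n", "pdf")):
        raw = build_sample(blob, name, sub)
        print(name, scan_message(raw), "->", verdict(raw))
```

The point of the check is that it keys on structure (an OLE container with a VBA project) rather than on the subject line or on a signature for one particular sample, so a fresh build of the same downloader with a different subject and a different download URL still trips it. For production use, a proper OLE parser such as oletools' olevba walks the directory instead of pattern-matching raw bytes and also decompresses the VBA source, which lets you pull out the download address as well and block it at the web proxy.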
  • In the end this was resolved by giving Sophos a copy of the infected file.  It wasn't on their list.

    Fast forward to today, and we are getting another flood of these .doc files.  Basically the same as before: these files are (at heart) DRIDEX downloader Word macro virus files. It took me a couple of minutes to look at the file and realise it is identical except for the web address of the malware.  After uploading the attachment, virustotal.com lists other AV vendors recognising the file as a virus, but annoyingly Sophos reported it clean (even the desktop endpoint didn't pick the file up when I saved the attachment to my PC).

    So it seems we are getting flooded because Sophos are slow on their definition updates. SMTP scanning works fine, and that explains why (after Sophos eventually updating their virus definitions) Exchange store scanning will work and pick up the virus from people who haven't deleted it.

    Not good, and certainly a consideration for our renewal come November.