
Still no extension blocking within zip files?

I hope I am wrong, I really do, but could it be true that in 2015 UTM still cannot check for blocked extensions (no, I am not talking about MIME types, I am talking about stupid simple extensions like .js) inside zip archives? This was announced for 9.300. Seems to me the announcement was wrong and only covers MIME types. PLEASE tell me I am wrong. Best, Joerg


  • Unfortunately this is still the case, files within archives (e.g. zip files) will not be scanned for blocked file types or blocked extensions.

    Instead you would need to use MIME types to block inside archive files. Once this is enabled you would also need to enable 'MIME Blocking Inspects HTTP Body' under Web Protection > Filtering Options > Misc.
  • Emily,

    thanks for the answer. Albeit it does not help at all. The bad guys will not follow your "standards", I guess.

    This has to be taken care of NOW! It is an impossible situation that the UTM still can't handle such basic tasks.

    Best,
    Joerg
  • Um. Would anyone at Sophos like to comment on this? I find this is an impossible situation!
  • And why was this thread moved to web protection? It belongs in mail protection.
  • Moderators, please move this thread to Mail protection forum.

    I can confirm that behavior, having the Sophos PureMessage for Exchange behind the UTM at one of my clients catching everything that UTM missed:

  • Hello!

    It's a simple business task: block all JS inside ZIP (mail protection).

    It is really a new epidemic: JS downloaders that run an encryption virus. Endpoint AV doesn't help..., because it's 'legal' encryption.

    JS looks like DOC, and users just click on it, especially in a targeted attack.
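    The posts above describe the gap in two ways: the only workaround offered is MIME-type blocking, while what mail protection actually needs is an extension check on the files inside an attached archive, including the "JS looks like DOC" double-extension case. The following script is an added example of what such a defender-side check looks like; it is not Sophos code and has nothing to do with the UTM's own implementation. The blocked-extension list, the size and nesting limits and the sample archive are all constructed for the example. It opens a zip held in memory, flags entries whose last extension is on the policy list, recurses into nested zips by sniffing their magic bytes rather than trusting their name, and reports anything it cannot inspect (encrypted or oversized entries, too deep nesting, invalid data) as a reason to block, since an uninspectable attachment should not be treated as clean.

```python
import io
import zipfile

# Constructed policy: extensions a mail filter should refuse inside archives.
# (A real deployment would take this list from its own configuration.)
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
MAX_DEPTH = 3                        # how many nested archives to open
MAX_ENTRIES = 1000                   # refuse archives with absurd entry counts
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # refuse to read a single huge entry
ZIP_MAGIC = b"PK\x03\x04"            # local file header of a zip archive


def extension_of(name):
    """Last extension of a path inside the archive, lower-cased ('' if none).
    'Invoice.doc.js' -> '.js', so a disguised double extension is still caught."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def scan_archive(data, depth=0, prefix=""):
    """Return a list of (path, reason) findings for a zip held in memory.

    Every finding is a reason to block the message: a blocked extension, an
    entry that could not be inspected (encrypted, oversized, nested too deep)
    or data that is not a readable zip at all. Nested zips are opened
    recursively; nested paths are written as outer.zip!/inner.name.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append((prefix or "<root>", "nested deeper than MAX_DEPTH; not inspected"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((prefix or "<root>", "not a valid zip; not inspected"))
        return findings
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            findings.append((prefix or "<root>", "more than MAX_ENTRIES entries; not inspected"))
            return findings
        for info in infos:
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Name-based check first: it works even for encrypted entries,
            # because zip encrypts entry content, not the file names.
            ext = extension_of(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append((path, "blocked extension " + ext))
            if info.flag_bits & 0x1:
                findings.append((path, "encrypted entry; content not inspected"))
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append((path, "declared size exceeds MAX_ENTRY_BYTES; not inspected"))
                continue
            # Content-based check: sniff the magic bytes rather than trusting
            # the name, so a nested zip renamed to 'photo.jpg' is still opened.
            with zf.open(info) as fh:
                content = fh.read(MAX_ENTRY_BYTES + 1)
            if content.startswith(ZIP_MAGIC):
                findings.extend(scan_archive(content, depth + 1, path + "!/"))
    return findings


def should_block(data):
    """True if the archive must be blocked, i.e. scan_archive found anything."""
    return bool(scan_archive(data))


def build_sample():
    """Constructed sample: a zip carrying a nested zip that hides a .js file
    behind a Word-looking double extension, plus two harmless entries."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2015.doc.js", "var a = 1; // constructed placeholder content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("attachments.zip", inner.getvalue())
        z.writestr("report.pdf", "%PDF-1.4 constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample()):
        print(path, "->", reason)
```

    Run stand-alone, the script reports the nested `Invoice_2015.doc.js` as a blocked `.js` entry and nothing else. Two design points matter for mail filtering: the extension check is done on the name from the central directory, so it still fires for password-protected archives whose content cannot be opened, and "cannot inspect" is itself reported as a finding rather than silently passed, which is the opposite of letting an archive through just because its contents were never looked at.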

  • It's unbelievable Sophos has not covered this by now. It's really unbelievable.

  • Hello Emily,

    could you please explain why this setting "MIME Blocking Inspects HTTP Body" is necessary, and in which cases it is necessary and recommended? Are there any disadvantages? AFAIK this option is disabled by default. But why, when you know that this is necessary to block by MIME type within archives?

    And the next question: where is the documentation about that? I would suggest an honest article in the knowledge base about the current problems with blocking files, also with tips about the best settings.

    Best Regards

    Sebastian

  • Hello Joerg,

    did you already take a look into this? Pretty interesting.

    http://noxxi.de/research/sophos-utm-webprotection-bypass2.html

    I am really missing the documentation about these "weaknesses" in the UTM. I think it's no good advertisement to get to know about this information on different websites (I also created my own thread for this), but not on the official Sophos site. In this case I'm pretty disappointed about the way Sophos cares about this... To put that into relation to other arguments: when someone is talking about feature requests for certain things, I've often read that this or that feature will not be implemented for security reasons, because it doesn't fit into the product philosophy. I think there's something wrong here...

    Regards

    Sebastian

  • Sebastian,

    yeah - as I said - I find that unbelievable!

    I can tell you what I am doing: I do SMTP and HTTP chaining and put another good multi-engine AV product behind our UTM. That catches all the configured attachments the UTM would let pass.

    Sophos HAS TO come around with a solution! This is no rocket science! The situation now - with SMTP only filtering MIME types, not extensions, within archives - to be honest, that makes me really sad.


    Thanks
    Joerg


  • Hi,

    out of my support case, I got this information: it's a bug: Bug ID NUTM-3505

    But so far there is no date for when it will be solved...