
Mail scanner does not detect incoming Malware.

I received a phishing email with an attachment; the mail was classed as spam and quarantined.

I released the mail from quarantine and, once I was sure it was a phishing email, I forwarded it to the security department at the organisation it purported to come from.

I immediately got a bounce from my UTM saying that the mail had a malware attachment!!

"Your message to the following recipients was quarantined:

<phishing@hmrc.gsi.gov.uk>, quarantine reason: Malware (Troj/DocDl-HKN)

Please contact your IT administrator for further assistance."


This means that the scanner missed it on the way in!
I have no whitelisting to prevent any antivirus scanning and use dual scan.

UTM v9.411-3

This would appear to be a rather severe bug.

Jeff


  • Hi,

    What you haven't told us is your incoming mail setup.

    Do you use IMAP? The UTM doesn't currently scan IMAP, only SMTP and POP3.

    The malware would have been caught on the way out by the SMTP scanning.

    Please put in a feature request for IMAP scanning.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry,

    It came in via the SMTP Proxy.

    It was marked as spam; when I released it and forwarded it, I got the message.

    Log:

    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes greylisting: Skipping greylisting for this message
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes SANDBOX scan
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:52 firewall exim-in[7784]: 2017-02-15 13:50:52 [146.20.65.136] F=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=<jimbo@jimbojones.com> Verifying recipient address with callout
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:13 firewall exim-in[7784]: 2017-02-15 13:51:13 1cdzyu-00021Y-1J DKIM: d=hmrcg0v.co.uk s=key c=relaxed/relaxed a=rsa-sha1 [invalid - public key record (currently?) unavailable]
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 1cdzyu-00021Y-1J <= service-jimbo=jimbojones.com@hmrcg0v.co.uk H=(hmrcg0v.co.uk) [146.20.65.136]:54525 P=esmtp S=146907 id=0.0.0.0.1D287917DA14CAC.1AC5FEA0@hmrcg0v.co.uk
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 SMTP connection from (hmrcg0v.co.uk) [146.20.65.136]:54525 closed by QUIT
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: 1cdzzM-00023w-Dv <= service-jimbo=jimbojones.com@hmrcg0v.co.uk R=1cdzyu-00021Y-1J P=INPUT S=145531
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="146.20.65.136" from="service-jimbo=jimbojones.com@hmrcg0v.co.uk" to="jimbo@jimbojones.com" subject="HMRC Secure Communication" queueid="1cdzzM-00023w-Dv" size="145531" reason="as" extra=""
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-23:03:00 firewall exim-out[8786]: 2017-02-15 23:03:00 1cdzzM-00023w-Dv => jimbo@jimbojones.com P=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=static_route_hostlist T=static_smtp H=My.LAN.IP.2 [My.LAN.IP.2]:25 C="250 2.0.0 Ok: queued as 929496086CE0"

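Added example, not code from the thread or from Sophos: a small Python parser that walks log lines in the shape Jeff posted and correlates, per message, the exim-in id (via the SCANNER line's R= field), the quarantine event with its reason code, and any later exim-out delivery of the same queue id, which is the release path the thread is arguing about. The sample lines are constructed with placeholder hosts and addresses; only the queue ids mirror the thread, and reading reason "as" as the antispam verdict follows the thread's own interpretation.

```python
import re

# Constructed sample in the shape of the UTM SMTP log above; host names, IPs and
# addresses are placeholders, the queue ids mirror the thread's.
SAMPLE_LOG = """\
2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(sender.example) [192.0.2.10]:54525 Warning: example.com profile excludes greylisting: Skipping greylisting for this message
2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(sender.example) [192.0.2.10]:54525 Warning: example.com profile excludes SANDBOX scan
2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 1cdzyu-00021Y-1J <= bounce@sender.example H=(sender.example) [192.0.2.10]:54525 P=esmtp S=146907
2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: 1cdzzM-00023w-Dv <= bounce@sender.example R=1cdzyu-00021Y-1J P=INPUT S=145531
2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="bounce@sender.example" to="user@example.com" subject="Secure Communication" queueid="1cdzzM-00023w-Dv" size="145531" reason="as" extra=""
2017:02:15-23:03:00 firewall exim-out[8786]: 2017-02-15 23:03:00 1cdzzM-00023w-Dv => user@example.com P=<bounce@sender.example> R=static_route_hostlist T=static_smtp H=10.0.0.2 [10.0.0.2]:25 C="250 2.0.0 Ok: queued as 929496086CE0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')           # key="value" pairs on SCANNER event lines
EXCL_RE = re.compile(r"profile excludes (\w+)")   # per-profile checks exim-in skipped
SCAN_IN_RE = re.compile(r"SCANNER\[\d+\]: (\S+) <= \S+ R=(\S+)")
OUT_RE = re.compile(r"exim-out\[\d+\]: \S+ \S+ (\S+) => (\S+)")


def excluded_checks(log):
    """Checks the matching sender/recipient profile skipped, e.g. {'greylisting', 'SANDBOX'}."""
    return set(EXCL_RE.findall(log))


def message_timeline(log):
    """Per SCANNER queue id: the exim-in id it came from (R= field), the quarantine
    event with its reason code, and any later exim-out delivery of that same id."""
    msgs = {}
    for line in log.splitlines():
        ts = line.split(" ", 1)[0]
        if m := SCAN_IN_RE.search(line):
            msgs.setdefault(m.group(1), {})["inbound_id"] = m.group(2)
        elif 'name="email quarantined"' in line:
            kv = dict(KV_RE.findall(line))
            rec = msgs.setdefault(kv["queueid"], {})
            rec.update(quarantined_at=ts, reason=kv["reason"], to=kv["to"])
        elif m := OUT_RE.search(line):
            rec = msgs.setdefault(m.group(1), {})
            rec.update(delivered_at=ts, delivered_to=m.group(2))
    return msgs


def released_from_quarantine(log):
    """Queue ids quarantined and later delivered anyway, i.e. released by a user.
    With reason 'as' (the thread reads this as the antispam verdict) and no separate
    malware event in between, this is the path worth raising with the vendor."""
    return sorted(q for q, r in message_timeline(log).items()
                  if "quarantined_at" in r and "delivered_at" in r)
```

Run against the real file with `zcat smtp-2017-02-15.log.gz` piped into `message_timeline`; any entry that has `quarantined_at`, `reason="as"` and `delivered_at` but no malware event between them is exactly the case this thread describes.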
  • Hi Rfcat

    I have checked my settings again and found nothing that excludes virus (malware) scanning.

    I can only see two exclusions in the log I posted:

    1) Greylisting, this is off by default

    2) Sandboxing, this requires a sandbox licence and cannot be enabled

    No rules applying to this mail prevent virus scanning that I can tell, or am I being stupid?

    Jeff

  • My SMTP Settings


    My Only 3 exceptions are:-

  • I have to admit, I am now in over my head and need a mail expert to review your log file.

    To me there seem to be many items there that raise flags with that site, suggesting that somewhere there is an exclusion list for this site.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks anyway rfcat, at least it made me review my setup with care!

    I sent a set of test emails from here http://www.emailsecuritycheck.net

    Emails 1 and 2 were correctly dropped at SMTP transaction (Email 1 is confirmed spam, Email 2 contains EICAR-AV-Test)

    Emails 3-7 were quarantined correctly

    So it would appear that there is something about the malware (Troj/DocDl-HKN) that gets missed. That's not good!

    Jeff

  • Jeff, I agree that this looks suspiciously like an undocumented feature.  Please get Sophos Support involved so that the developers can make sure that AV is run on messages released from Quarantine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob,

    That was a serious bit of mind reading; I was just thinking "will anyone else reply?" when the notification came in!! Weird.

    Anyway, I'm a home user so I don't think I can get support, can I?

    Jeff

  • You have a PM from me, Jeff, asking you to turn off scanning outbound momentarily so that you can send that to me.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK Thanks Bob

    I will do that

    Jeff

  • Thanks, Jeff, but the mystery deepens...  It wasn't found to have a virus by either Avira or Sophos AV by our SMTP Proxy.  I'm hesitant to open the Word document as it contains an encrypted file.

    I'm sure they'd rather have this reported by you: Submitting samples of suspicious files to Sophos

    Cheers Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob,

    No, don't, it's not worth the risk!

    The weird thing is detecting it outbound!

    I will send the sample

    Jeff

  • Just read thru this...

     

    Not sure it's actually detected, but you told the firewall to quarantine everything encrypted or unscannable.

    Meaning, if this attachment contains an encrypted file it will be quarantined - both inbound and outbound.

     

    I won't be the judge of positive or false positive here, but most infections at the moment are done by Office file-type macros.

    Sounds about right that a macro would decrypt a small VB script or program file, but that's the nasty thing these days - most virus scanners will not detect this kind of cloaking.

     

    Last week a new TorrentLocker (yes, ransomware with file transfer) hit northern Europe, the attachment a .doc file apparently an invoice. Nothing detects it, and if you enable the macros from Word protected view... well, you lost!

     

    Check the analytics from VirusTotal: https://www.virustotal.com/en/file/1108ac9fcea3d96d18b36865d04c26c62a9de2692ea4f2acef1d2bf01079fb69/analysis/1488287153/

    A very broad range of scanners will still not detect it.

     

    So, does it contain a virus - is it really the DocDl-HKN or was it just blocked because of a matching signature? Hard to tell, but most likely it's bad news and why education of users and family is still the best defense.

    Here at work we have disabled the quarantine option for encrypted content because it's the only way our consultants can safely send script files etc. to customers and each other. They are all well educated in not trusting everything they did not expect or ask for, and to zip, password protect and encrypt files that would normally trigger the filter or Outlook.

     

    To keep it short, I'm not sure this is a product flaw so to speak; it's just at the moment almost impossible (by design) to detect this stuff.

  • Hi Vels

     

    If you had read all the thread you would have seen that it WAS NOT detected inbound (i.e. it was delivered) and WAS detected outbound and by the endpoint.

    If the outbound scan found it, why did the inbound not, and if it is a false positive, the reverse?

     

    Jeff

  • Well, you might be right :-) and I did read that. I also read that you released it inbound from quarantine.

    Keeping it short here, on the cellphone.

    I am just speculating whether the ham mails will get classified as malware if they were quarantined as confirmed ham in the first place.

    Thinking that outbound works the other way around, malware check first.

    It does sound strange though, as one should think the quarantine would be subject to malware scan even after a CS ("as") classification.

    Might get time during the week to test in a closed environment, and will report it if able to replicate it.

    Unexplainable things are really annoying :-/