Thread Info
  • Locked Locked
  • Replies 30 replies
  • Subscribers 5 subscribers
  • Views 24866 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail scanner does not detect incoming Malware.

JeffreyLewcock

I recieved a phishing email with an attachment, the mail was classed as spam and quarantined.

I released the mail from quarantine and once I was sure it was a phising email I forwarded it to the security department at the organisation it perported to come from.

I immeadiately got a bounce from my UTM that the mail had a malware attachment !!

"Your message to the following recipients was quarantined:

<phishing@hmrc.gsi.gov.uk>, quarantine reason: Malware (Troj/DocDl-HKN)

Please contact your IT administrator for further assistance."


This means that the scanner missed it on the way in !
I have no whitelisting to prevent any antivirus scanning and use dual scan.

UTM v9.411-3

This would appear as a rather severe bug

Jeff


This thread was automatically locked due to age.
Parents

  • Hi,

    what you haven't told us is your incoming mail setup.

    Do you use imap because the UTM doesn't scan imap currently only smtp and pop3.

    The malware would have been caught on the wayout by the smtp scanning.

    Please put ina feature request for imap scanning.

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • in reply to rfcat_vk

    Sorry,

    Came in via SMTP Proxy

    Was marked as spam, when I released it and forwarded I got the message.

     

    Log:

    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes greylisting: Skipping greylisting for this message
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:51 firewall exim-in[7784]: 2017-02-15 13:50:51 H=(hmrcg0v.co.uk) [146.20.65.136]:54525 Warning: jimbojones.com profile excludes SANDBOX scan
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:50:52 firewall exim-in[7784]: 2017-02-15 13:50:52 [146.20.65.136] F=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=<jimbo@jimbojones.com> Verifying recipient address with callout
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:13 firewall exim-in[7784]: 2017-02-15 13:51:13 1cdzyu-00021Y-1J DKIM: d=hmrcg0v.co.uk s=key c=relaxed/relaxed a=rsa-sha1 [invalid - public key record (currently?) unavailable]
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 1cdzyu-00021Y-1J <= service-jimbo=jimbojones.com@hmrcg0v.co.uk H=(hmrcg0v.co.uk) [146.20.65.136]:54525 P=esmtp S=146907 id=0.0.0.0.1D287917DA14CAC.1AC5FEA0@hmrcg0v.co.uk
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:14 firewall exim-in[7784]: 2017-02-15 13:51:14 SMTP connection from (hmrcg0v.co.uk) [146.20.65.136]:54525 closed by QUIT
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: 1cdzzM-00023w-Dv <= service-jimbo=jimbojones.com@hmrcg0v.co.uk R=1cdzyu-00021Y-1J P=INPUT S=145531
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-13:51:20 firewall smtpd[7932]: SCANNER[7932]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="146.20.65.136" from="service-jimbo=jimbojones.com@hmrcg0v.co.uk" to="jimbo@jimbojones.com" subject="HMRC Secure Communication" queueid="1cdzzM-00023w-Dv" size="145531" reason="as" extra=""
    /var/log/smtp/2017/02/smtp-2017-02-15.log.gz:2017:02:15-23:03:00 firewall exim-out[8786]: 2017-02-15 23:03:00 1cdzzM-00023w-Dv => jimbo@jimbojones.com P=<service-jimbo=jimbojones.com@hmrcg0v.co.uk> R=static_route_hostlist T=static_smtp H=My.LAN.IP.2 [My.LAN.IP.2]:25 C="250 2.0.0 Ok: queued as 929496086CE0"

  • in reply to JeffreyLewcock

    Thats ok. I remember when endpoint protection was first introduced,  did a lot of tests for endpoint protection vs UTM protection and he found results similar to yours. Some of the problems were fixed after his discoveries but sadly, now I see the quality of UTM detection is slipping again[:@] In any case thanks for the heads up.

     

    Edit: A false positive; which was my first inclination. Have taken out sophos bashing after Bob's findings below[:D]

  • in reply to Billybob

    UTM Endpoint on my laptop did not see anything bad, nor did virustotal.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Thanks for taking the time Bob. I don't know what we would do without you[:D] I have edited my post above accordingly[;)]

  • in reply to Billybob

    Hi Bob and Billybob,

    Thanks for the help but am a bit confused

    Are you saying this is a false positive that has been detected by both OAS and outgoing mail scanner ?

    Jeff

  • in reply to JeffreyLewcock

    I don't know, Jeff.  I don't understand what happened to cleanse the message when it was forwarded to me, but that appears to be what happened.  Very strange.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Hi Bob,

    OK Thanks, I did open the file you returned to me. There were no alarms from UTM or Sophos Endpoint OAS but there was no content in the file.

    To check I tried to open the original and it still triggered the OAS as a virus.

    Jeff

  • in reply to JeffreyLewcock

    Wow, now that's some nifty malware, Jeff.  You might need to send the entire mail as an attachment instead of forwarding it.  Try sending it to me that way.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Still no update on this from Sophos !

    Doing their bang up job as normal !

  • in reply to JeffreyLewcock

    Just read thru this...

     

    Not sure it's actually detected, but you told the firewall to quarantine everything encrypted or unscannable.

    Meaning, if this attachment contain an encrypted file it will be quarantined - both inbound and outbound.

     

    I won't be the judge of positive or false positive here, but most infections at the moment is done by office file type macros.

    Sounds about right that a macro would decrypt a small vb script or program file, but that's the nasty thing these days - most virus scanners will not detect this kind of cloaking.

     

    Last week a new Torrentlocker ( yes, ransomware with file transfer ) hit northern Europe, attachment a .doc file apparently an invoice.. Nothings detects it, and if you enable the macros from word protected view .. well you lost!

     

    Check the analytics from virus total : https://www.virustotal.com/en/file/1108ac9fcea3d96d18b36865d04c26c62a9de2692ea4f2acef1d2bf01079fb69/analysis/1488287153/

    A very broad range of scanners will still not detect it.

     

    So, does it contain a virus - is it really the DocDl-HKN or was it just blocked because of a matching signature? Hard to tell, but most likely it's bad news and why education of users and family is still the best defense.

    Here at work we have disabled the quarantine option for encrypted content because its the only way our consultants can safely send script files etc to customers and each other. They are all well educated in not trusting everything they did not expect or ask for and to zip, password protect and encrypt files that would normally trigger the filter or outlook.

     

    To keep it short, not sure this is a product flaw so to speak, it's just at the moment almost impossible ( by design ) to detect this stuff.

  • in reply to Vels

    Hi Vels

     

    If you had read all the thread you would have seen that it WAS NOT detected inbound (IE It was delivered) and WAS detected outbound and by endpoint.

    If the outbound scan found it why did the inbound not and if false positive the reverese ?

     

    Jeff

Reply
  • in reply to Vels

    Hi Vels

     

    If you had read all the thread you would have seen that it WAS NOT detected inbound (IE It was delivered) and WAS detected outbound and by endpoint.

    If the outbound scan found it why did the inbound not and if false positive the reverese ?

     

    Jeff

Children
  • in reply to JeffreyLewcock

    Well , you might be right :-) and I did read that.. Also read you released it inbound from quarantine.

    Keeping it short here, on the cellphone.

    I am just speculating If the ham mails will get classified as malware If they were quarantined as cinfirmed ham in the first place.

    Thinking that outbound works the other way around, malware check first.

    It does sound strange though, as one should think the quarantine would be subject to malware scan even after a CS ("as") classification.

    Might get time during the week to test in a closed enviroment, and will report it if able to replicate it.

    Unexplaineble things are really annoying :-/

Unfiltered HTML