This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail scanner does not detect incoming Malware.

I recieved a phishing email with an attachment, the mail was classed as spam and quarantined.

I released the mail from quarantine and once I was sure it was a phising email I forwarded it to the security department at the organisation it perported to come from.

I immeadiately got a bounce from my UTM that the mail had a malware attachment !!

"Your message to the following recipients was quarantined:

<phishing@hmrc.gsi.gov.uk>, quarantine reason: Malware (Troj/DocDl-HKN)

Please contact your IT administrator for further assistance."


This means that the scanner missed it on the way in !
I have no whitelisting to prevent any antivirus scanning and use dual scan.

UTM v9.411-3

This would appear as a rather severe bug

Jeff


This thread was automatically locked due to age.
  • UTM Endpoint on my laptop did not see anything bad, nor did virustotal.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for taking the time Bob. I don't know what we would do without you[:D] I have edited my post above accordingly[;)]

  • Hi Bob and Billybob,

    Thanks for the help but am a bit confused

    Are you saying this is a false positive that has been detected by both OAS and outgoing mail scanner ?

    Jeff

  • I don't know, Jeff.  I don't understand what happened to cleanse the message when it was forwarded to me, but that appears to be what happened.  Very strange.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    OK Thanks, I did open the file you returned to me. There were no alarms from UTM or Sophos Endpoint OAS but there was no content in the file.

    To check I tried to open the original and it still triggered the OAS as a virus.

    Jeff

  • Wow, now that's some nifty malware, Jeff.  You might need to send the entire mail as an attachment instead of forwarding it.  Try sending it to me that way.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Still no update on this from Sophos !

    Doing their bang up job as normal !

  • Just read thru this...

     

    Not sure it's actually detected, but you told the firewall to quarantine everything encrypted or unscannable.

    Meaning, if this attachment contain an encrypted file it will be quarantined - both inbound and outbound.

     

    I won't be the judge of positive or false positive here, but most infections at the moment is done by office file type macros.

    Sounds about right that a macro would decrypt a small vb script or program file, but that's the nasty thing these days - most virus scanners will not detect this kind of cloaking.

     

    Last week a new Torrentlocker ( yes, ransomware with file transfer ) hit northern Europe, attachment a .doc file apparently an invoice.. Nothings detects it, and if you enable the macros from word protected view .. well you lost!

     

    Check the analytics from virus total : https://www.virustotal.com/en/file/1108ac9fcea3d96d18b36865d04c26c62a9de2692ea4f2acef1d2bf01079fb69/analysis/1488287153/

    A very broad range of scanners will still not detect it.

     

    So, does it contain a virus - is it really the DocDl-HKN or was it just blocked because of a matching signature? Hard to tell, but most likely it's bad news and why education of users and family is still the best defense.

    Here at work we have disabled the quarantine option for encrypted content because its the only way our consultants can safely send script files etc to customers and each other. They are all well educated in not trusting everything they did not expect or ask for and to zip, password protect and encrypt files that would normally trigger the filter or outlook.

     

    To keep it short, not sure this is a product flaw so to speak, it's just at the moment almost impossible ( by design ) to detect this stuff.

  • Hi Vels

     

    If you had read all the thread you would have seen that it WAS NOT detected inbound (IE It was delivered) and WAS detected outbound and by endpoint.

    If the outbound scan found it why did the inbound not and if false positive the reverese ?

     

    Jeff

  • Well , you might be right :-) and I did read that.. Also read you released it inbound from quarantine.

    Keeping it short here, on the cellphone.

    I am just speculating If the ham mails will get classified as malware If they were quarantined as cinfirmed ham in the first place.

    Thinking that outbound works the other way around, malware check first.

    It does sound strange though, as one should think the quarantine would be subject to malware scan even after a CS ("as") classification.

    Might get time during the week to test in a closed enviroment, and will report it if able to replicate it.

    Unexplaineble things are really annoying :-/