
Blocking Executables that are embedded in a zip file

Status
Not open for further replies.

GHG, IS-IT--Management, Mar 14, 2000, US
By rule we do not allow any executables past our firewall. However, the current virus/worm (Mydoom, W32.Novarg) got past our firewall embedded in a ZIP file. Fortunately for us our people are trained not to open zip files when they are not expecting them. For business reasons we have to pass zip files... We receive a major portion of our art work via zip files.

Can anyone suggest a way that zip file attachments could be checked for any executables and, if present, rejected?

Thanks Much,
GHG B-)
 
We use Symantec's Corporate with the Exchange add-on and it looks into the zip files and finds virus/worm files.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Thanks Folks for the prompt reply.

We use Symantec AntiVirus/Filtering for Microsoft Exchange and once the signature files were updated it started quarantining those zip files that have a virus.

What I'm trying to do is stop infections before the signatures are updated.

Thanks Again,
GHG B-)
 
Well, unfortunately, if you let the .zip files through, there would be no other way to stop an infection like this since it was literally brand new. Consider that it takes time for the virus/worm to spread, some users have to get infected before the companies get the reports of the problem, then they have to prepare the updates for us to get. All that takes time, during which others are infected.

After all, there has to be an infection before there can be a cure.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Sorry..hit the Enter button too soon...

What I did was temporarily block .zip files at the firewall until we could get a handle on what was going on and take other steps to stop any further infections.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Do you block other attachment types (.exe, .bat, etc), and if so does Symantec not look for those in Zip files? We use Sybari's Antigen, and it will search through Zip files for any attachment types we block and delete them, whether they have a virus or not. It is sometimes a pain for legitimate files, but it really saved us from this stupid virus.
 
Yea ... I know someone has to get infected before there can be a cure. :)
Thanks anyway ... If I come up with something I'll let you know,
GHG B-)
 
FYI - The WatchGuard Firewall does not open the ZIP files and only checks the top layer attachment file type. Regretfully if you allow ZIP files then you run the risk of infected embedded attachments getting through. See part of WatchGuard's virus response email below. You can identify the machines infected by watching the port specified for traffic. Anyone with more info please share your thoughts to help GHG out.

-------------------------

Suggestions for Firebox II / III owners
MyDoom uses many attachment types. The Firebox II and III's SMTP Proxy blocks most of MyDoom's attachments by default. However, it doesn't block ZIP files by default. You can follow the steps below to block ZIP files either temporarily or permanently. Since MyDoom uses different file names, blocking it requires you to block all ZIP files. Note that this procedure stops your users from receiving any ZIP file, whether malicious or not.

If you have an SMTP Proxy icon in the WatchGuard Policy Manager, double-click the icon, then go to Properties tab => Incoming => Content Types tab => check for "*.zip" in the box labeled "Deny attachments based on these file name patterns." If you see *.zip in the list, your Firebox is configured to block this virus. If you don't see .zip in the list, click the Add button and type *.zip.

If you don't have an SMTP Proxy icon in the WatchGuard Policy Manager, go to: Edit => Add Service => Proxies => SMTP => Add => OK. The newly enabled service blocks the worm by default.
When it successfully infects a machine, MyDoom seems to open a connection using TCP port 3127 in an attempt to allow the virus author access to your machine. We recommend blocking this port, both Incoming and Outgoing. To do this, click "Edit => Add Service => New." Name the service whatever you want (e.g., Block_MyDoom_Trojan) and click "Add." Choose TCP port 3127, and for "Client Port," choose Ignore from the drop-down menu, and click "OK" twice to add the service to the list of services. Now, double-click the new service to add it to your configuration. Change both Incoming and Outgoing to "Enabled and Denied" and press "OK." Make sure to save this change to your Firebox. This change will not prevent the worm from infecting you, but it should prevent the virus' backdoor from reaching the author.

 
I got thinking... could we write a Custom Policy in Symantec Mail Security to Quarantine zip files with executables embedded?

GHG B-)
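One way to implement the check GHG asks for above (reject or quarantine a zip attachment that carries an executable), as an added Python example that is not from this thread or from any of the products mentioned: it walks the archive's member list, flags members by blocked extension and by the "MZ" header every Windows PE executable starts with, recurses into nested zips, and flags encrypted members it cannot inspect. The extension list, the depth limit and the constructed sample archive are assumptions.

```python
import io
import zipfile

# Attachment types the thread mentions blocking (.exe, .bat) plus other
# common Windows executable extensions; extend to match local policy.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".scr", ".pif", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 3  # do not recurse into zips nested deeper than this

def find_executables(zip_bytes, depth=0):
    """Return the reasons this archive should be quarantined (empty = clean).
    Members are checked by extension and by content; nested zips are
    inspected recursively; encrypted members are flagged as uninspectable."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    for info in zf.infolist():
        name = info.filename
        if info.flag_bits & 0x1:  # encryption bit set in the member's header
            findings.append(f"{name}: encrypted member, cannot inspect")
            continue
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append(f"{name}: blocked extension")
        data = zf.read(info)
        if data[:2] == b"MZ":  # PE/DOS executable header, whatever the name
            findings.append(f"{name}: PE executable content")
        elif data[:4] == b"PK\x03\x04":  # local file header: a nested zip
            if depth >= MAX_DEPTH:
                findings.append(f"{name}: nested zip too deep to inspect")
            else:
                inner = find_executables(data, depth + 1)
                findings += [f"{name}/{f}" for f in inner]
    return findings

def build_sample_zip(nested=False):
    """Constructed test archive (not real malware): a harmless text file, a
    .exe-named member and a .doc member whose bytes are really a PE stub.
    With nested=True the archive is wrapped inside a second zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("artwork_notes.txt", "vector files attached")
        zf.writestr("readme.exe", "not really a program")
        zf.writestr("invoice.doc", b"MZ\x90\x00 fake PE header for the test")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("art_pack.zip", buf.getvalue())
    return outer.getvalue()
```

Any non-empty result is a reason to quarantine the message rather than deliver it; the content check catches the renamed-executable case that an extension list alone misses.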
 
We block all zip files (Inoculate 6, Exchange option), but have one exception where the file allowed through has its name based on our domain name.

i.e. if we were microsoft.com, we can send and receive microsoft.zip with no problems, as either way it 99.99% has to be from a trusted source. All other .zip files are blocked.

Cheers

Paul
 