Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Discussion forum for Enterprise Edition.
delta2
Posts: 42
Joined: Mon Dec 20, 2004 7:25 am

Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by delta2 »

Mailenable does a great job at filtering attachments that are executables.

But we are seeing a lot of executables getting through in zip/rar files.

Is there any way to filter them too ?

It's a serious problem (CryptoLocker, etc.) !!!

Thanks. Stuart
Stuart

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by aahq »

I use the filter "where the message has attachments" and added *.rar and *.zip to that. Send them to Quarantine.

Scott

delta2
Posts: 42
Joined: Mon Dec 20, 2004 7:25 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by delta2 »

@scott

Hi,

The problem is that I have a lot of valid .zip/.rar files passing through the system. I'd like to only intercept compressed files that contain executables. My biggest problems at the moment are compressed .exe and .js files!

Ciao. Stuart
Stuart

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by aahq »

Have a look at the filter "where the message has attachments"... it has all the exes, *.com, *.scr already listed that you are talking about :)

Easy fix.

Scott

delta2
Posts: 42
Joined: Mon Dec 20, 2004 7:25 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by delta2 »

@scott

So what option should I take for a .exe in a .zip for your easy fix?

Thanks. Stuart
Stuart

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by aahq »

Stuart,

OK. I think it's easy.

Look at the batch file below from my pickup event.

Do a search on the net and find a freebie product called "munpack". It unpacks MIME files.

Download 7Zip.

Create the c:\temp\original and c:\munpack\temp structures, with munpack and 7Zip in the locations specified in the batch file.

Create a text file in c:\munpack (for example "SV-Unwanted.txt"). Put inside this file what you want your filters to find, e.g. Unwanted=Yes

What this does...

1. Makes a copy of your original message in a structure for safekeeping in case something goes wrong (you can just drop it back into your queue).
2. Unpacks the MIME to a structure.
3. Looks for a .zip or .rar file in that structure and unarchives it.
4. If there is an exe, it then uses a simple command-line copy to add your unwanted line to the header (first line).
5. It then puts this modified message back into the queue with your "Unwanted=Yes" line.
6. In your filter you put in a "where it's in the header" option for "Unwanted=Yes", then <Quarantine>, <forward>, <delete> or whatever.

Watch it go!

You should create a schedule to cleanup the temp files created here every few weeks :)

You would pay a fortune to find something to do this. I think it's pretty neat and all I need :)

Scott

---
Batch file below...
---

rem MailEnable pickup event arguments: %1 = message file name, %2 = connector (queue folder) name
rem Keep an untouched copy of the original message (c:\temp\original must already exist)
copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\temp\original

rem Work on a private copy of the message in its own folder
md "c:\munpack\temp\%1"

copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\munpack\temp\%1

rem Split the MIME message into its parts (-t text parts too, -f overwrite, -C output directory)
c:\munpack\munpack -t -f -C c:\munpack\temp\%1 c:\munpack\temp\%1\%1

rem Unarchive any zip/rar attachments flat into the same folder (-y answers yes to any prompt)
c:\7zip\7z e -oc:\munpack\temp\%1 -y c:\munpack\temp\%1\*.zip
c:\7zip\7z e -oc:\munpack\temp\%1 -y c:\munpack\temp\%1\*.rar

rem If any unwanted file type came out, write sv-unwanted.txt + the untouched copy back over the queued
rem message, so it now starts with the Unwanted=Yes line (several matches just rewrite the same result)
if exist c:\munpack\temp\%1\*.js COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.com COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.exe COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.msi COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.dot COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.bat COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.cmd COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.inf COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.js? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.reg COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.scr COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.sys COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.shs COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by aahq »

I found out munpack wasn't decompressing MIME base64 stuff and some filenames correctly,

so I added a second command-line utility called "uudeview" to my batch file from

http://www.fpx.de/fp/Software/UUDeview/

I also have 7zip unpacking *.* rather than *.rar or *.zip (due to munpack not making extensions properly).

My script is at the bottom of this message.

-----------------

There are people complaining that Clam is not catching all the viruses etc. I am running Clam and McAfee GW over some of these zips and they are just not being detected. I believe this is more the fault of the AV software and not ME.

As seen below, one of the viruses I uploaded to VirusTotal for testing is not picked up by many AV (conclusion: AV suck).

I believe using the method of unpacking the message at MTA pickup and nuking the message if it has exes in the zip is the only sure way to deal with zero-day viruses and generally unwanted garbage.

-----------------

VirusTotal results on a common zip virus (engine, detection name, signature date):

Engine                  Detection                          Signature date
AVG                     JS/Downloader.Agent                20160331
Ad-Aware                JS:Trojan.JS.Downloader.FE         20160331
Arcabit                 JS:Trojan.JS.Downloader.FE         20160331
Avira (no cloud)        JS/Dldr.Locky.LQ                   20160331
BitDefender             JS:Trojan.JS.Downloader.FE         20160331
Cyren                   JS/Locky.Q.gen                     20160331
ESET-NOD32              JS/TrojanDownloader.Nemucod.NO     20160331
Emsisoft                JS:Trojan.JS.Downloader.FE (B)     20160331
F-Prot                  JS/Locky.Q.gen                     20160331
F-Secure                JS:Trojan.JS.Downloader.FE         20160330
GData                   JS:Trojan.JS.Downloader.FE         20160331
McAfee                  JS/Nemucod.fw                      20160331
eScan                   JS:Trojan.JS.Downloader.FE         20160331
Rising                  JS:Trojan.DL-Locky!1.A4D0 [F]      20160331
Sophos                  Mal/JSDldr-B                       20160331
ALYac                   (not detected)                     20160331
AVware                  (not detected)                     20160331
AegisLab                (not detected)                     20160331
AhnLab-V3               (not detected)                     20160330
Alibaba                 (not detected)                     20160323
Antiy-AVL               (not detected)                     20160331
Avast                   (not detected)                     20160331
Baidu                   (not detected)                     20160331
Baidu-International     (not detected)                     20160330
Bkav                    (not detected)                     20160330
CAT-QuickHeal           (not detected)                     20160330
CMC                     (not detected)                     20160322
ClamAV                  (not detected)                     20160331
Comodo                  (not detected)                     20160331
DrWeb                   (not detected)                     20160331
Fortinet                (not detected)                     20160330
Ikarus                  (not detected)                     20160330
Jiangmin                (not detected)                     20160331
K7AntiVirus             (not detected)                     20160330
K7GW                    (not detected)                     20160331
Kaspersky               (not detected)                     20160331
Kingsoft                (not detected)                     20160331
Malwarebytes            (not detected)                     20160331
McAfee-GW-Edition       (not detected)                     20160331
Microsoft               (not detected)                     20160330
NANO-Antivirus          (not detected)                     20160331
Panda                   (not detected)                     20160330
Qihoo-360               (not detected)                     20160331
SUPERAntiSpyware        (not detected)                     20160331
Symantec                (not detected)                     20160331
Tencent                 (not detected)                     20160331
TheHacker               (not detected)                     20160330
TrendMicro              (not detected)                     20160331
TrendMicro-HouseCall    (not detected)                     20160331
VBA32                   (not detected)                     20160331
VIPRE                   (not detected)                     20160331
ViRobot                 (not detected)                     20160331
Yandex                  (not detected)                     20160316
Zillya                  (not detected)                     20160331
Zoner                   (not detected)                     20160331
nProtect                (not detected)                     20160330


-----------------
MTA Pickup Batch File:


copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\temp\original

md "c:\munpack\temp\%1"

copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\munpack\temp\%1

c:\munpack\munpack -t -f -C c:\munpack\temp\%1 c:\munpack\temp\%1\%1
c:\munpack\uudeview -i +e c:\munpack\temp\%1 c:\munpack\temp\%1\%1 > c:\munpack\temp\%1.log

c:\7zip\7z e -oc:\munpack\temp\%1 -y c:\munpack\temp\%1\*.*

if exist c:\munpack\temp\%1\*.js COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.com COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.exe COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.msi COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.dot COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.bat COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.cmd COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.inf COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.js? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.reg COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.scr COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.sys COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.shs COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.docm COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"


C:\spam\spamassassin.exe --prefs-file="C:\spam\etc\spamassassin\user_prefs" --exit-code "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" > c:\temp\check\%1
IF ERRORLEVEL 1 GOTO Spam
GOTO End

:Spam
copy c:\temp\check\%1 "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"

GOTO End

:End

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by aahq »

Last was an old version of the script. This one works better. :)

----------

rem MailEnable pickup event arguments: %1 = message file name, %2 = connector (queue folder) name
rem Keep an untouched copy of the original message (c:\temp\original must already exist)
copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\temp\original

rem Work on a private copy of the message in its own folder
md "c:\munpack\temp\%1"

copy "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\munpack\temp\%1

rem Split the MIME message into its parts; uudeview first (-i non-interactive, -o overwrite,
rem -d desperate mode, -p output path), then munpack for whatever uudeview left behind
c:\munpack\uudeview -i -o -d -p c:\munpack\temp\%1 c:\munpack\temp\%1\%1 > c:\munpack\temp\%1.log
c:\munpack\munpack -t -f -C c:\munpack\temp\%1 c:\munpack\temp\%1\%1

rem Try to unarchive every extracted file (non-archives just fail); -y answers yes to any prompt
c:\7zip\7z e -oc:\munpack\temp\%1 -y c:\munpack\temp\%1\*.*

rem If any unwanted file type came out, write sv-unwanted.txt + the untouched copy back over the queued
rem message, so it now starts with the Unwanted=Yes line (several matches just rewrite the same result)
if exist c:\munpack\temp\%1\*.js COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.com COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.exe COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.vb? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.msi COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.dot COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.bat COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.cmd COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.inf COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.js? COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.reg COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.scr COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.sys COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.shs COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"
if exist c:\munpack\temp\%1\*.docm COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"


rem Run SpamAssassin over the (possibly tagged) queued message; --exit-code makes it exit non-zero
rem for spam, and its output is the message with the SpamAssassin headers added
C:\spam\spamassassin.exe --prefs-file="C:\spam\etc\spamassassin\user_prefs" --exit-code "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1" > c:\temp\check\%1
IF ERRORLEVEL 1 GOTO Spam
GOTO End

:Spam
rem Spam: put the SpamAssassin-marked copy back into the queue for the filters to act on
copy c:\temp\check\%1 "D:\Program Files (x86)\Mail Enable\Queues\%2\Inbound\Messages\%1"

GOTO End

:End

kennymoody
Posts: 9
Joined: Tue Jan 11, 2011 3:52 am

Re: Filtering compressed (zip,rar) attachments containing executable (exe,etc) files.

Post by kennymoody »

This works very well to solve the attachment problem, blocking so many ransomware scripts. Thanks aahq for the solution! :)

I have changed some code:
1. Fixed the problem of 7zip not being able to extract password-protected files: the cmd console and the 7zip console would hang in the background if you don't enter the unzip password.
2. Use a FOR loop to shorten the code.
3. Create extension.txt so that you can easily add more file extensions; just put *.exe, *.bat etc., one per line.
4. Delete normal emails automatically; only keep virus emails.

Works well in Windows 2012.

@echo off
rem MailEnable (Plesk) pickup event arguments: %1 = message file name, %2 = connector (queue folder) name

set unwanted="no"

rem Work on a private copy of the message; the extracted files land in the same folder
md "c:\munpack\temp\%1"

copy "C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Queues\%2\Inbound\Messages\%1" c:\munpack\temp\%1

rem Split the MIME message into its parts (-i non-interactive, -o overwrite, -d desperate mode, -p output path)
c:\munpack\uudeview -i -o -d -p c:\munpack\temp\%1 c:\munpack\temp\%1\%1 >> c:\munpack\temp\%1\%1.log

rem Try to unarchive every extracted file; -p supplies a dummy password so 7z never stops to prompt for one
"C:\Program Files\7-Zip\7z" e c:\munpack\temp\%1\*.* -y -oc:\munpack\temp\%1\ -p00000000

rem extension.txt holds one pattern per line (*.exe, *.bat, ...). On the first match, prepend
rem sv-unwanted.txt to the queued message and stop, leaving the temp folder behind for inspection
FOR /F %%i IN (c:\munpack\extension.txt) DO (if exist "c:\munpack\temp\%1\%%i" (
COPY "C:\munpack\sv-unwanted.txt"+"c:\munpack\temp\%1\%1" "C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Queues\%2\Inbound\Messages\%1"
set unwanted="yes"
goto :eof
)
)

rem Nothing unwanted found: throw the temp copy away
if %unwanted%=="no" ( rmdir c:\munpack\temp\%1 /s /q )

exit /b
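The pickup check that the posts above build out of munpack, uudeview, 7z and a row of "if exist" lines, as an added example in Python. This is my own code, not the thread's and not anything MailEnable ships; a practitioner would likely reach for it over cmd because it follows archives nested inside archives, recognises a zip by its magic bytes whatever the attachment is called, and flags a password-protected member instead of hanging on it (the prompt that kennymoody's -p00000000 works around). Assumptions: only .zip archives are opened (zipfile cannot read .rar, so those still need 7z), the extension list is a starting point taken from the batch file plus a few common droppers, the X-Unwanted header line is my own choice of marker, and the sample messages at the bottom are constructed here.

```python
# Added example (mine, not from the thread or from MailEnable).
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed blocklist: the batch file's patterns plus a few common droppers.
UNWANTED_EXTENSIONS = {
    ".js", ".jse", ".com", ".exe", ".vb", ".vbs", ".vbe", ".msi", ".dot",
    ".bat", ".cmd", ".inf", ".reg", ".scr", ".sys", ".shs", ".docm",
    ".wsf", ".hta", ".lnk", ".jar", ".ps1",
}
ARCHIVE_EXTENSIONS = {".zip"}                # zipfile cannot open .rar
MAX_DEPTH = 3                                # give up on deeply nested archives
MAX_MEMBER_BYTES = 50 * 1024 * 1024          # refuse to unpack huge members
UNWANTED_HEADER = b"X-Unwanted: Yes\r\n"     # line the mail filter matches on


def file_ext(name: str) -> str:
    """Lower-cased final extension of a possibly path-qualified name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def scan_archive(data: bytes, depth: int = 0) -> list:
    """Reasons a zip is unwanted; an empty list means nothing was found."""
    if depth >= MAX_DEPTH:
        return [f"archive nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a readable zip"]
    reasons = []
    with zf:
        for info in zf.infolist():
            ext = file_ext(info.filename)
            if info.flag_bits & 0x1:
                # Password-protected member: it cannot be inspected, so flag it
                # rather than wave it through (7z would stop to prompt here).
                reasons.append(f"encrypted member {info.filename}")
            elif ext in UNWANTED_EXTENSIONS:
                reasons.append(f"executable member {info.filename}")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"oversized member {info.filename}")
            elif ext in ARCHIVE_EXTENSIONS:
                reasons.extend(scan_archive(zf.read(info), depth + 1))
    return reasons


def scan_message(raw: bytes) -> list:
    """Inspect every MIME part that carries a filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        ext = file_ext(filename)
        if ext in UNWANTED_EXTENSIONS:
            reasons.append(f"executable attachment {filename}")
        elif ext in ARCHIVE_EXTENSIONS or payload.startswith(b"PK\x03\x04"):
            # Magic-byte test: a zip renamed to .dat or .pdf is still a zip.
            reasons.extend(scan_archive(payload))
    return reasons


def tag_message(raw: bytes, reasons: list) -> bytes:
    """Prepend the marker line (the COPY sv-unwanted.txt+message step)."""
    return UNWANTED_HEADER + raw if reasons else raw


# ---- constructed sample messages so the check can run offline ----------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture only: set the 'encrypted' bit in each central-directory entry."""
    b = bytearray(zip_bytes)
    i = b.find(b"PK\x01\x02")
    while i != -1:
        b[i + 8] |= 0x01                     # general-purpose flags field
        i = b.find(b"PK\x01\x02", i + 4)
    return bytes(b)


def make_message(filename: str, attachment: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "stuart@example.test"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLES = {
    "clean": make_message("report.zip", make_zip({"report.pdf": b"%PDF-1.4"})),
    "js_dropper": make_message("invoice.zip", make_zip({"invoice.js": b"x=1;"})),
    "nested_exe": make_message("docs.zip", make_zip({"in.zip": make_zip({"setup.exe": b"MZ"})})),
    "encrypted": make_message("safe.zip", mark_encrypted(make_zip({"payload.bin": b"x"}))),
    "renamed_zip": make_message("scan.dat", make_zip({"run.cmd": b"calc"})),
}
```

Wired into the pickup event, the script would read the queued file named by the %1/%2 arguments, call scan_message on it and write tag_message's output back in place; the MailEnable filter then keys on the X-Unwanted line exactly as it does on Unwanted=Yes. It is still an extension check at heart: an .iso or a macro document under an extension the list does not cover passes, so the list needs to be kept current and the reasons list logged somewhere an operator will read.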
