malware in unusual archives

ed.sherratt
Level 1

Good Morning,

We've recently seen malware executables, in archive files, dropping through the ESA, even though there is a policy to quarantine all executables.

 

I suspect it's because the archives are an unusual type - ARJ - and may be specifically designed to evade ESA content scanning.

Do you know of a list of the archive types the ESA opens for content scanning? We can then build a failsafe policy for any archives that are not content scanned.

 

Regards,

Ed

1 Reply

exMSW4319
Level 3

ARJ isn't too big an issue if your recipients' desktops can't decrypt it, but we've had the same issue with ZIP/EXE which again our rules should have stopped regardless of malignancy. Unlike the ARJs, Message Tracking couldn't see these at all. In the end we were given the following CLI message filter to fix things:

    Add_attachment_header:
    if (attachment-filename == "^.+$")
    {
        insert-header("X-Attachment-filename", "$filenames");
    }
    .


Seems to have done the trick, but as it was an invisible problem to start with I'm depending on sightings to be sure. We're going up from 7.5.1 in the near future to dodge the EOL on Sophos.
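The thread's underlying problem is that an attachment in a container the scanner does not open (ARJ here) can pass a policy written in terms of file extensions. The following is an added example, not code from either poster or from Cisco: it identifies archive containers by their leading magic bytes instead of by filename, and flags anything whose real type is outside a set of types the scanning path is known to unpack. That set (SCANNED_TYPES) is an assumption for illustration and is not the ESA's actual list; the signature table is standard public magic values.

```python
# Added example: classify attachments by container magic bytes rather than
# extension, so archive types the scanner may not open (e.g. ARJ) can be
# routed to a failsafe quarantine.
from typing import List, Optional, Tuple

# Well-known container signatures (leading bytes of the file).
ARCHIVE_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x60\xEA", "arj"),                    # ARJ header id
    (b"PK\x03\x04", "zip"),                  # ZIP local file header
    (b"Rar!\x1a\x07\x01\x00", "rar5"),       # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),            # RAR 1.5 - 4.x
    (b"7z\xBC\xAF\x27\x1C", "7z"),           # 7-Zip
    (b"\x1f\x8b", "gzip"),                   # gzip
]

# ASSUMPTION: container types our scanning path is known to unpack.
# This is a placeholder for illustration, not Cisco's documented list.
SCANNED_TYPES = {"zip", "rar", "rar5", "7z", "gzip"}

# Extension normally paired with each sniffed type (for mismatch detection).
EXPECTED_EXT = {"rar5": "rar", "gzip": "gz"}


def sniff_archive_type(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for signature, name in ARCHIVE_SIGNATURES:
        if data.startswith(signature):
            return name
    return None


def classify_attachment(filename: str, data: bytes) -> str:
    """Decide how an attachment should be handled.

    - not-archive:                    no known container signature
    - quarantine-unscanned-archive:   container type outside SCANNED_TYPES
    - quarantine-extension-mismatch:  scanned type, but the extension lies
    - archive-scanned:                known container, extension consistent
    """
    kind = sniff_archive_type(data)
    if kind is None:
        return "not-archive"
    if kind not in SCANNED_TYPES:
        return "quarantine-unscanned-archive"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext and ext != EXPECTED_EXT.get(kind, kind):
        return "quarantine-extension-mismatch"
    return "archive-scanned"


def triage(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify a list of (filename, bytes) pairs, e.g. one message's parts."""
    return [(name, classify_attachment(name, blob)) for name, blob in attachments]


if __name__ == "__main__":
    # Constructed sample attachments (signature bytes plus padding), not real files.
    sample = [
        ("invoice.arj", b"\x60\xEA" + bytes(30)),
        ("invoice.zip", b"\x60\xEA" + bytes(30)),      # ARJ disguised as ZIP
        ("report.zip", b"PK\x03\x04" + bytes(30)),
        ("notes.txt", b"plain text body"),
    ]
    for name, verdict in triage(sample):
        print(f"{name:14} -> {verdict}")
```

The point of the mismatch branch is that a renamed container still carries its real magic bytes, so a policy keyed on the sniffed type catches what a filename-only rule misses.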
