Sophos issues - any other solutions? (Virus scanning in Zips :()

mcholdings

Messages: 24
Karma: 0
We have a real issue with the Sophos scanning in Kerio Control - it doesn't scan inside ZIPs.

It will at the firewall (control), but we don't run our mailserver through the Kerio Firewall - the load increase was too much for it and our mail was stupid slow. So our mailserver is 'in the wild' and protected with a different firewall.

That leaves us with the internal virus scanning only. But it won't scan inside ZIP files.

And now, with the amount of malware coming through ZIP files, we have had to block them.

2 solutions?

1 - allow scanning inside of
2 - allow content rules inside ZIPs to be run. E.g., don't allow exe, even if in a zip.

For example - I have 250ish users, and have blocked 74 ZIP files in the last 10 hours - every one a virus ("New voicemail" is the subject - and since we email voicemails to our staff, many aren't smart enough to realize the email looks different and open it). I can't allow this much 'rubbish' through the firewall, but blanket ZIP blocking isn't helpful for those with a valid need.....

Does anyone have any other solutions?

There is a 'suggestion' for this, but it only has 15 votes and no notes from Kerio that they are looking at...
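Suggestion 2 above (a content rule that applies inside ZIPs) can be prototyped outside the mail server. The following is an added example, not Kerio's code and not something from this thread: a Python filter that opens each ZIP attachment in memory, flags members that are executable by extension or by magic bytes (so "voicemail.wav.exe" and an .exe renamed to .txt are both caught), follows nested archives to a fixed depth, and rejects encrypted or oversized members it cannot inspect. The sample message, the addresses and the extension list are constructed for the example and are not from the page.

```python
"""Added example (not Kerio's own code): a content rule that looks inside ZIP
attachments and rejects executables, whatever the file name says."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Extensions Windows will execute directly; the list is an assumption, extend it as needed.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
MAX_DEPTH = 2                        # nested archives beyond this depth are rejected unopened
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not expand members larger than this (zip-bomb guard)


def looks_executable(name: str, head: bytes) -> bool:
    """Executable by final extension (catches 'voice.wav.exe') or by magic bytes
    (PE 'MZ', ELF), so a renamed binary is caught as well."""
    if name.lower().endswith(EXEC_EXTENSIONS):
        return True
    return head.startswith(b"MZ") or head.startswith(b"\x7fELF")


def find_executables_in_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return member paths that violate the rule, descending into nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                    # not a zip after all; the plain attachment rule applies
    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        if info.flag_bits & 0x1:     # encrypted member: cannot be inspected, so reject it
            hits.append(path + " (encrypted)")
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            hits.append(path + " (too large to inspect)")
            continue
        member = zf.read(info)
        if looks_executable(info.filename, member[:4]):
            hits.append(path)
        elif member.startswith(b"PK\x03\x04"):          # nested archive
            if depth + 1 > MAX_DEPTH:
                hits.append(path + " (nested too deep)")
            else:
                hits.extend(find_executables_in_zip(member, depth + 1, path + " > "))
    return hits


def check_message(raw: bytes) -> List[str]:
    """Apply the rule to a raw RFC 5322 message. Returns offending paths; empty means accept."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):                     # text/* parts come back decoded
            payload = payload.encode(part.get_content_charset() or "utf-8", "replace")
        if looks_executable(name, payload[:4]):
            reasons.append(name)
        elif payload.startswith(b"PK\x03\x04"):
            reasons.extend(name + " > " + p for p in find_executables_in_zip(payload))
    return reasons


def build_sample_message() -> bytes:
    """Constructed sample (no real malware): the 'New voicemail' lure from the thread,
    with a PE behind a double extension, an ELF renamed to .txt, a harmless text file
    and a nested zip holding a screensaver executable; plus a harmless PDF attachment."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Voice_Message_CallerID-123.wav.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("notes.txt", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("readme.txt", b"just text")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("payment.scr", b"MZ" + b"\x00" * 8)
        zf.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "voicemail@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "New voicemail"
    msg.set_content("You have a new voicemail, see attachment.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="voicemail.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for reason in check_message(build_sample_message()):
        print("REJECT:", reason)
```

Encrypted members are rejected rather than passed, because a password-protected ZIP is exactly what an archive scanner cannot see into; if a per-user exception is needed (the CEO's investment documents in the post below), it has to be made on the recipient, not on the archive.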

Maerad

Messages: 158
Karma: 31
Would be interesting to know which version of Kerio you're using. And I guess Kerio already scans .zip files, because we just changed to Kerio and had that problem before, but that's in the past now.

mcholdings

Messages: 24
Karma: 0
I'm on the latest control and connect.

Connect doesn't scan inside files - the only way you can is if you pass all your mail through your Control firewall first, which significantly slows things down..... Since it has and uses Sophos natively on Kerio Control, I would rather it used it for archives as well...

Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Sophos in Kerio Connect does scan inside ZIP files.

Maerad

Messages: 158
Karma: 31
So I didn't see it wrong :)

Maybe you should reduce the Sophos update cycle to about 2 hours; that was helping me with 2-3 mails per day with .zip + exe in it.

And btw. - virus scanning in mail is OK, on the firewall too, but you REALLY need to protect your clients too (from your postings I guess that you don't). Viruses etc. won't only come in mails and over the net; there are also USB sticks, compromised websites, infected CDs (even from the distributor). IF you don't have end-client protection, get it ASAP.

And I might add - try to get the OK from your boss for some internal IT training. I guarantee you that most people, even those without much knowledge of IT, will love it.

Nothing special and big, just a short one with a good flyer/information sheet about the most common security issues, how to spot a malware, what to look out for, turn on file extensions etc.

[Updated on: Wed, 13 November 2013 11:22]


mcholdings

Messages: 24
Karma: 0
@maerad - we do use a firewall (Kerio) - just mail doesn't go through it. Everything else does... We also run very aggressive virus scanning at the PC level, including application control. It's pretty intense to manage - and yet, still some sneak through :(

Actually, blocking ZIPs has been great for keeping viruses out, it just makes a bunch of people annoyed that we have to open them and forward the contents (as you can only block for the whole domain - not have specific rules for different users, or internal vs external). I know my CEO dislikes that I have to open his personal investment docs so he can read them.......

Anyhow, not much we can do really, sorry for the whine! I guess I just wish we could turn it on...

Maerad

Messages: 158
Karma: 31
Well, like Pavel said, the zip scanning is active in Kerio Connect by default. I also tried it again and it really is.

I suggest you change the update interval of the Kerio AV to 1-2 hours.

And if you do that intense scanning etc. and still something gets through (and in that case I guess it infects something)...

It's IMHO not an AV problem anymore. With a good client solution, a firewall that also does deep packet inspection of downloaded zip/exe/whatever files and the AV in Kerio Connect, it's almost impossible for any virus to get active.

If it still does, it's a problem in the organisation, not the programs. Teach your users what a virus is, how to spot them and what they shouldn't do at any time (like open a zip file and execute a freaking .exe in it).

Oh, besides - if the users don't have admin rights, the viruses in zip files are not a real problem, even without av. Because those can't do anything important without the access rights. Some might use a security breach to infect a system, but without admin rights and actual updates with the above mentioned av systems, it's not possible for a usual user to infect your systems.

[Updated on: Mon, 18 November 2013 23:30]


Scotty

Messages: 11
Karma: -1
I have to agree with mcholdings
I have Sophos set to update every hour, yet virused zip attachments are sailing through the system and getting caught at the client end using Eset.

To suggest the problem is with the clients' own security does not negate that Sophos is pretty poor at catching the virused email attachments, and I only got led to this thread through thinking myself that Sophos was not scanning inside the attachments.

Maerad

Messages: 158
Karma: 31
Honestly ... if you don't believe me, here's the proof.

http://www.heise.de/security/dienste/Mails-mit-Viren-Dummies-777839.html

> EICAR in zip archive

This site sends an email to your address with a mail attachment including a virus - in my case I wanted the EICAR in a zip archive. I guess there's also an English version of the site, or just translate it with Google.

Then I enabled the Sophos antivirus logs under "debug" in Kerio - here's the result (deleted my own mail address)

Quote:

[20/Nov/2013 15:47:30][6440] {avir} Running antivirus check on mail from <emailcheck-robot@ct.de> to <my.own<_at_>mailadress.de> size 2299 B
[20/Nov/2013 15:47:30][6440] {avir} Client: requesting check for file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp, mail from <emailcheck-robot@ct.de> to <my.own<_at_>mailadress.de>
[20/Nov/2013 15:47:30][6440] {avir} Checking file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp for JPEG vulnerabilities
[20/Nov/2013 15:47:30][6440] {avir} Client: waiting for result...
[20/Nov/2013 15:47:30][6812] {avir} (PID: 7188) Sophos_plugin: Scanning file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp...
[20/Nov/2013 15:47:30][6812] {avir} (PID: 7188) Sophos_plugin: File scanning finished successfully
[20/Nov/2013 15:47:30][6440] {avir} Sophos plug-in scanning avfile.tmp (E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp) - verdict: No Virus found
[20/Nov/2013 15:47:30][6440] {avir} Client: check result: (2) Clean
[20/Nov/2013 15:47:30][6440] {avir} Client: requesting check for file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp, mail from <emailcheck-robot@ct.de> to <my.own<_at_>mailadress.de>
[20/Nov/2013 15:47:30][6440] {avir} Checking file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp for JPEG vulnerabilities
[20/Nov/2013 15:47:30][6440] {avir} Client: waiting for result...
[20/Nov/2013 15:47:30][6812] {avir} (PID: 7188) Sophos_plugin: Scanning file E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp...
[20/Nov/2013 15:47:30][6812] {avir} (PID: 7188) Sophos_plugin: File scanning result: EICAR-AV-Test
[20/Nov/2013 15:47:30][6440] {avir} Sophos plug-in scanning eicar.zip (E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp) - verdict: Virus found
[20/Nov/2013 15:47:30][6440] {avir} Client: check result: (3) EICAR-AV-Test

Scotty

Messages: 11
Karma: -1
It's not a case of not believing you, it's a case of Sophos not doing its job.
Bang on cue, as I posted this reply 2 messages that should have been trapped by Sophos arrived in my inbox to be trapped by the local virus scanner. Sophos was last updated 30 minutes ago, so it is quite clearly not fit for purpose.


Warning, ESET Smart Security found the following threats in the message:

- a variant of Win32/Kryptik.BPEW trojan - contained infected files
> MIME > ~uk78 - a variant of Win32/Kryptik.BPEW trojan - deleted
> MIME > ~uk78 > ZIP > 549876841-IMG58H87.exe - a variant of Win32/Kryptik.BPEW trojan - was a part of the deleted object

Warning, ESET Smart Security found the following threats in the message:

VAT_6957996.zip - a variant of Win32/Kryptik.BMGM trojan - deleted
VAT_6957996.zip > ZIP > VAT_101013.exe - a variant of Win32/Kryptik.BMGM trojan - was a part of the deleted object


Maerad

Messages: 158
Karma: 31
Yeah, I just wanted to prove that Kerio actually scans the zip files and to rule out that possibility. Of course, if Sophos itself is bad, it really doesn't help.

But actually, sophos is quite good (some tests here http://www.av-comparatives.org), so it might be something else.

Since the day we got Kerio, our mails with viruses in an attachment went to zero. And we get 2-3 virus mails a day (most get blocked as spam before the AV scan even starts). I would suggest you turn on the AV filter in the debug log and take a look. Maybe it has problems with opening the zip file on your server, like missing access rights to the folder it tries to extract the data to.

Just use the test mail in a zip file you can generate at the above link. It's not a real virus, just an exe file with a line every AV has to know for testing purposes.

Also - does your mail server have its own antivirus solution installed? If so, exclude the Kerio folder and process from it. Or better, uninstall it. If the real-time scanner on the server blocks access to the file Sophos wants to scan, it would explain some things.

Just some ideas if the real culprit isn't something else. If not ... well, then kerio needs to increase the sophos scan engine sensitivity/heuristic.

MarkK

Messages: 454
Karma: 46
The debug logging on Kerio will go a long way in helping you know what is happening. Turn on the options for AV and spam processing and see what is happening when you get a test email with the zipped EICAR virus. If that works, leave logging on until you get a real virus attachment.
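Maerad's EICAR-in-ZIP test and MarkK's advice to read the {avir} debug log can both be done by hand, without the heise service. The block below is an added example (not part of the thread, and not Kerio's or Sophos' code): it builds eicar.zip in memory, wraps it in a mail the way the heise robot does, and pairs each Sophos plug-in verdict line with the "check result" line that follows it, so a quick log review shows whether the archive itself was detected. The SMTP host and the addresses are placeholders; the sample log lines are the ones quoted in Maerad's post above.

```python
"""Added example (not from the thread, and not Kerio's or Sophos' code): build the
EICAR-in-ZIP test mail locally and summarise Kerio Connect's {avir} debug log lines."""
import io
import re
import smtplib
import zipfile
from email.message import EmailMessage
from typing import Dict, List

# The 68-byte EICAR test string, split in two so this source file is not itself flagged.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_eicar_zip() -> bytes:
    """eicar.zip containing eicar.com, built in memory (nothing is written to disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def build_test_mail(sender: str, recipient: str) -> EmailMessage:
    """Same shape as the heise test mail: a short body plus eicar.zip as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR in zip archive - archive scanning test"
    msg.set_content("Test message. The attachment should be flagged as EICAR-AV-Test.")
    msg.add_attachment(build_eicar_zip(), maintype="application", subtype="zip",
                       filename="eicar.zip")
    return msg


def send_test_mail(msg: EmailMessage, host: str, port: int = 25) -> None:
    """Hand the message to the server under test (host and port are placeholders)."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


# Line shapes taken from the {avir} debug output quoted in the thread.
VERDICT_RE = re.compile(
    r"\{avir\} Sophos plug-in scanning (?P<name>\S+) \(.*?\) - verdict: (?P<verdict>.+)$")
RESULT_RE = re.compile(r"\{avir\} Client: check result: \((?P<code>\d+)\) (?P<detail>.+)$")


def summarise_avir_log(lines: List[str]) -> List[Dict]:
    """Pair each plug-in verdict with the 'check result' line that follows it."""
    results, pending = [], None
    for line in lines:
        m = VERDICT_RE.search(line)
        if m:
            pending = {"file": m.group("name"), "verdict": m.group("verdict").strip()}
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            pending["code"] = int(m.group("code"))
            pending["detail"] = m.group("detail").strip()
            results.append(pending)
            pending = None
    return results


def archive_scanning_confirmed(summary: List[Dict]) -> bool:
    """True once eicar.zip itself produced a 'Virus found' verdict."""
    return any(r["file"] == "eicar.zip" and r["verdict"] == "Virus found" for r in summary)


# Sample lines copied from the log excerpt in the thread (the mail address was already removed there).
SAMPLE_LOG = [
    r"[20/Nov/2013 15:47:30][6440] {avir} Sophos plug-in scanning avfile.tmp (E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp) - verdict: No Virus found",
    r"[20/Nov/2013 15:47:30][6440] {avir} Client: check result: (2) Clean",
    r"[20/Nov/2013 15:47:30][6440] {avir} Sophos plug-in scanning eicar.zip (E:\Kerio Connect\MailServer\store/tmp/528ccb80-000003b3/avfile.tmp) - verdict: Virus found",
    r"[20/Nov/2013 15:47:30][6440] {avir} Client: check result: (3) EICAR-AV-Test",
]

if __name__ == "__main__":
    for entry in summarise_avir_log(SAMPLE_LOG):
        print(entry)
    print("archive scanning confirmed:", archive_scanning_confirmed(summarise_avir_log(SAMPLE_LOG)))
    # send_test_mail(build_test_mail("admin@example.com", "me@example.com"), "mail.example.com")
```

If the summary on a server shows "Clean" for eicar.zip but "Virus found" for a bare eicar.com, the engine is running but not looking inside archives on that host; Maerad's point about a server-side real-time scanner locking the temp file is the first thing to check, which is also why the test string is assembled at run time rather than stored in the script.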

Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
If you would like more information, I recommend uploading the attachment to the www.virustotal.com website. It shows which AV solutions are able to detect that malware at that moment. Knowing this information helps us to improve the process of AV updates.

Also, Eset has introduced a new product specifically designed for Kerio products. It can be used as a secondary AV solution together with the integrated Sophos to improve the accuracy of AV scanning. Link: http://www.eset.com/int/business/products/security-for-kerio/

Scotty

Messages: 11
Karma: -1
I will see if I can get a way to keep the attachments intact, but currently Eset neutralises the threat as it comes in.
Sophos is working, as I can see it capturing viruses, it is just letting an unacceptable percentage through.
We are running Kerio Connect as a service for some of our clients, and increasing costs by having to add in yet another scanner will not make financial sense; and as this is a service to external clients we don't see the amount of virused attachments that get through to them, and sadly we are seeing the limitations of the built-in anti-spam and anti-virus solution when offering Kerio Connect as a service.

Scotty

Messages: 11
Karma: -1
OK, can't seem to get Sophos to earn its keep - getting literally hundreds of virused emails through, most are .exe files hidden in zip files, so I am back to the conclusion Sophos is not checking inside the zip or this is not switched on for some reason?
I also have .exe files blocked in the configuration.

Example of trapped emails on the local machine - these simply should not be getting past Sophos.
Can't figure a way of keeping the virus intact without endangering my own system; all are trapped using Eset.

Skype_Voice_Message-AA078FC16E.zip - Suspicious Object - deleted
Skype_Voice_Message-AA078FC16E.zip > ZIP > Skype_Voice_Message_CallerID-43239764573465982364563459163095863984561349805603941065190832759346597365982465098613240958163895632974657236593749058632498756398246523984562937465983456063249569234650923649562345.wav.exe - Suspicious Object - was a part of the deleted object

- Suspicious Object - contained infected files
> MIME > payment receipt 26-11.zip - Suspicious Object - deleted
> MIME > payment receipt 26-11.zip > ZIP > Payment receipt.exe - Suspicious Object - was a part of the deleted object