Kerio Connect: Scanning Virus in ZIP
  •  
pcgrafix

Messages: 15
Karma: 0
Hi,

It seems that the antivirus scanner (or filetype scanner) is not checking a ZIP file.
An attachment (zip) with a .scr file inside was sent to the user mailbox.

I thought Kerio was also checking inside a ZIP file.

Thanks

Horemans Tom
PC GRAFIX
  •  
Grabsteinschubser

Messages: 64
Karma: 4
Kerio is checking inside zip files but sometimes the viruses are newer than the pattern of the antivirus scanner. You can check this at virustotal.com (and if your antivirus vendor can not find any virus you can/should send an example to your antivirus vendor - e.g. Sophos)
  •  
pcgrafix

Messages: 15
Karma: 0
Thanks for your quick reply.
Shouldn't Kerio also not check inside the ZIP (with the attachment filter option)?

Horemans Tom
PC GRAFIX
  •  
phil_w

Messages: 82
Karma: 1
I've posted my frustration on this very recently. The anti-virus is proving to be pretty useless. The argument seems to always be that a virus coming in is "too new" to be spotted. Desktop Sophos just caught this one that Connect had missed...

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Generic-S.aspx
  •  
phil_w

Messages: 82
Karma: 1
Think I'm going to have a look at a separate gateway before the mailserver. Unfortunately another minus point that helps my CEO's want to move to Hosted Exchange :(
  •  
pcgrafix

Messages: 15
Karma: 0
I got a reply from SOPHOS:

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

VOICE1311865.scr -- identity created/updated (New detection Troj/Ransom-AMO)
4434929.exe_ADS_AlternateDataS~ -- non-malicious
4434929.exe -- identity created/updated (New detection Troj/Ransom-AMO)
VOICE949-893-4839.zip -- archive file

Horemans Tom
PC GRAFIX
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
"Generic S" infection is a generic response from cloud Sophos Live Protection service. It is not related to virus definitions.
With next Kerio Connect version the integrated Sophos antivirus will also use Sophos Live Protection so the protection will be on par with the desktop version.
  •  
phil_w

Messages: 82
Karma: 1
That's good news Pavel :)

Are we talking 8.4?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
phil_w wrote on Wed, 15 October 2014 11:07
That's good news Pavel :)

Are we talking 8.4?


Yes.
  •  
graeme

Messages: 34
Karma: 0
Not that we are affected much or at all since we have a specialist product before Kerio.

A simple way to block a large chunk would be to be able to filter, not virus scan, extensions within RAR, ZIP, 7ZIP etc.

If you can block cmd, bat, exe, scr, java etc you can stop a large chunk of mass mail malware.

Any plans to release checking within archives? So many people have mentioned this also.
  •  
Tazho

Messages: 14
Karma: -2
Can this feature be added at some stage? We too are having to quarantine ZIP files until they are manually checked due to them containing unrecognised executables.
  •  
Pavel Špalek (Kerio)

Messages: 287
Karma: 37
Sophos Live Protection implementation in Connect was rescheduled to 8.4.1 to ensure the quality of delivered product. Thank you for understanding.

Pavel Špalek
developer - Kerio Connect
  •  
graeme

Messages: 34
Karma: 0
Forget AV; if you can filter by end file ext you can nab most.
Barracuda cloud service has done that for months.
New Sophos will help as direct database lookup.
  •  
Machete

Messages: 262
Karma: 5
Just to confirm from the first reply of this post -

- Connect does scan inside .zip attachments for Virus? I just had a user open an .exe that was inside a zip file and I'm now evaluating where the holes are in my protection - in addition to her desktop AV not being up to date somehow...

- Does Connect scan inside .zip attachments for blocked file types? I have ZIPs allowed - but block .exe's
  •  
ComputerBudda

Messages: 110
Karma: 5
I treat all zip attachments like malware, send the original mail to the user w/o the zip attachment. Send the original mail with attachment to a special email address that the administrator has access to. The user knows to go to the administrator if they need the attachment. 90% of attached zip files are an attempt to infect.
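
The filter several posters ask for above (blocking by file extension inside ZIP attachments rather than relying on virus signatures), sketched as an added example that is not part of the thread and is not Kerio Connect's own attachment filter. The names `BLOCKED_EXT`, `MAX_DEPTH`, `MAX_NESTED_BYTES`, `blocked_members`, `scan_message` and the sample message are assumptions made for illustration.

```python
import io, os, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = {".cmd", ".bat", ".exe", ".scr"}   # extensions named in the thread; extend as needed
MAX_DEPTH = 2                                    # nested ZIP levels to open (assumed limit)
MAX_NESTED_BYTES = 10 * 1024 * 1024              # largest nested archive to inflate (assumed limit)

def blocked_members(zip_bytes, depth=0, prefix=""):
    """List archive members whose final extension is blocked; fail closed on anything unreadable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    hits = []
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            # Last extension decides (invoice.pdf.scr is a .scr); ignore trailing dots and spaces.
            ext = os.path.splitext(info.filename.rstrip(". "))[1].lower()
            if ext in BLOCKED_EXT:
                hits.append(path)
            elif ext == ".zip":
                encrypted = info.flag_bits & 0x1
                if encrypted or depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    hits.append(path + " <not inspected>")
                else:
                    hits += blocked_members(zf.read(info), depth + 1, path + "/")
    return hits

def scan_message(raw):
    """Map each ZIP attachment name to its blocked members (detected by content, not by name)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            hits = blocked_members(data)
            if hits:
                findings[part.get_filename() or "<unnamed>"] = hits
    return findings

def build_sample():
    """Constructed sample mail: a ZIP holding a .scr plus a nested ZIP holding an .exe."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"constructed placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("VOICE-message.pdf.scr", b"constructed placeholder")
        z.writestr("more.zip", inner.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="voice.zip")
    return msg.as_bytes()
```

Only ZIP is handled here; RAR and 7ZIP, also mentioned in the thread, need third-party libraries and are left out.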