Issue
How do I deal with unscannable virus files?
Solution
In general, Sophos cannot scan password-protected or encrypted attachments to email messages.
Virus developers have launched a new type of attack to take advantage of the inherent limitation of email virus scanners. For example, an email message comes with an attached zip file that is password-protected. The zip file contains the virus payload. In the text of the email message the recipient finds some pretext about a problem that requires them to open the attachment. The password required to open the attachment is included. When the user extracts the file from the attachment, the virus is delivered.
As of March 4, 2004 at 14:26 GMT, Sophos released an IDE file called W32/Bagle-Zip, which catches four of the current viruses of this type:
- W32/Bagle-H
- W32/Bagle-I
- W32/Bagle-J
- W32/Bagle-K
This IDE catches the virus by identifying the attached zip file as characteristic of one of those particular viruses. While this provides protection for the immediate threat, there are several things that you can do to harden your defenses against future permutations of this type of virus attack.
When Sophos is unable to scan a password-protected or encrypted zip file, it puts a prominent warning in the email message that the end user receives. This warning notifies the user that Sophos was unable to completely scan this message for possible virus threats. For example:
WARNING!!! (from <your.mail.server.name>)
The following message attachments were flagged by the antivirus scanner:
Attachment [2.4] TextDocument.zip, scan failed: File encrypted.
Action taken: incomplete scan
________________
There are three ways to deal with this type of virus attack:
- User education
- Message filtering
- Desktop virus scanning software
A combination of all three provides the best possible defense. Each of these options is explained in the following section.
User Education
Make sure your users know the meaning of this Sophos warning and train them not to open the attachment.
Message Filtering
When creating filters, you have two options:
Option 1
Reject, discard, or reroute any message for which the Sophos scan failed. When a scan failure occurs, a header similar to this one is added to the message:
X-Mirapoint-Virus-ScanFailure: SCANFAILURE;
host=cs4.cs.mirapoint.com;
attachment=[2.2];
virus=File encrypted
You can add a domain filter that looks for this header and discards, rejects, or reroutes the message as you wish. You cannot add such a filter using the user interface; it must be done on the command line. For example, to create a filter that looks for messages with an x-mirapoint-virus-scanfailure header containing the phrase "SCANFAILURE" that also have an attachment with a name containing "zip," and to have that filter discard any message that matches all of these conditions, enter the following:
CLI> Filter Add "(domain=any)" test Discard "" Allof Stop
Enter filter rules, finish with '.' on a line by itself:
x-mirapoint-virus-scanfailure Contains "SCANFAILURE"
:attachmentfilename Contains "zip"
.
OK Completed
Where test is the name you give this filter.
NOTE: Some legitimate messages might contain password-protected and/or encrypted zip file attachments that pose no threat. If you choose to reject or discard messages that match this filter, you may discard some legitimate messages along with the viruses.
Option 2
Strip suspicious attachments regardless of the Sophos scan success or failure.
To add a filter for this, enter the following:
CLI> Filter Add "(domain=any)" test Keep "(removeattachments=yes)" Allof Stop
Enter filter rules, finish with '.' on a line by itself:
:attachmentfilename Contains "zip"
.
OK Completed
After applying this filter, any attachment with a filename that contains the string "zip" is stripped from the message. A notification is added at the top of the message, indicating that an attachment has been removed. For example, the notification might look like this (with the name of the actual attachment that was deleted):
A message filter removed the following attachment(s) from this message: virus.zip
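The two filter options above can be tried offline on a sample message. The following is an added example, not Mirapoint or Sophos code: it reproduces Option 1 (both rules must match before the message is discarded, rejected, or rerouted) and Option 2 (strip every attachment whose name contains "zip" and prepend the removal notice) using Python's standard email library. The header name X-Mirapoint-Virus-ScanFailure and the notice wording are taken from this article; the message bytes, addresses and host name are constructed for the example. It also shows the caveat from the NOTE: a zip attachment that scanned clean passes Option 1 but is still removed by Option 2.

```python
"""Mail-filter logic for unscannable zip attachments (added example, not
Mirapoint or Sophos code). Reproduces the article's two filter options with
the standard email library; sample message bytes are constructed here."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCAN_FAILURE_HEADER = "X-Mirapoint-Virus-ScanFailure"
NOTICE = "A message filter removed the following attachment(s) from this message: "

# Constructed sample message; the scan-failure line is the header the scanner
# adds when it cannot open an attachment (host name is a placeholder).
HEADERS = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: Problem with your account
"""
SCAN_FAILURE_LINE = (b"X-Mirapoint-Virus-ScanFailure: SCANFAILURE; "
                     b"host=mail.example.invalid; attachment=[2.2]; virus=File encrypted\n")
BODY = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open the attached document. The password is 12345.
--b1
Content-Type: application/zip; name="TextDocument.zip"
Content-Disposition: attachment; filename="TextDocument.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def sample_message(with_scan_failure):
    """Constructed message with a zip attachment, with or without the scan-failure header."""
    extra = SCAN_FAILURE_LINE if with_scan_failure else b""
    return parse_message(HEADERS + extra + BODY)


def attachment_names(msg):
    """Filenames of every MIME part that carries one, at any nesting depth."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def scan_failed(msg):
    """Rule 1: the X-Mirapoint-Virus-ScanFailure header contains SCANFAILURE."""
    return "scanfailure" in str(msg.get(SCAN_FAILURE_HEADER, "")).lower()


def has_zip_attachment(msg):
    """Rule 2: some attachment filename contains "zip" (case-insensitive)."""
    return any("zip" in name.lower() for name in attachment_names(msg))


def option1_action(msg, action="Discard"):
    """Option 1 (Allof): both rules must match. Returns the action, or None to deliver."""
    return action if scan_failed(msg) and has_zip_attachment(msg) else None


def option2_strip(msg):
    """Option 2: remove every *zip* attachment regardless of scan result.
    Returns (rewritten message, list of removed filenames)."""
    removed = [n for n in attachment_names(msg) if "zip" in n.lower()]
    if not removed:
        return msg, []
    new = EmailMessage(policy=policy.default)
    for key, value in msg.items():  # keep envelope headers, rebuild the MIME structure
        if not key.lower().startswith("content-") and key.lower() != "mime-version":
            new[key] = str(value)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    new.set_content(NOTICE + ", ".join(removed) + "\n\n" + body)  # notice goes on top
    for part in msg.walk():  # re-attach anything that was not stripped
        name = part.get_filename()
        if name and "zip" not in name.lower():
            new.add_attachment(part.get_payload(decode=True),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=name)
    return new, removed


if __name__ == "__main__":
    suspect = sample_message(with_scan_failure=True)
    print("option 1:", option1_action(suspect))               # Discard
    legit = sample_message(with_scan_failure=False)
    print("option 1 on clean zip:", option1_action(legit))    # None, delivered
    stripped, gone = option2_strip(legit)
    print("option 2 removed:", gone)                          # stripped even though it scanned clean
    print(stripped.get_content().splitlines()[0])
```

The action string in option1_action stands in for the Discard, Reject or reroute choice made on the Filter Add line; the interesting difference between the two options is visible in the second sample, where the same zip attachment is delivered by Option 1 but removed by Option 2.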
Desktop Virus Scanning Software
If all other efforts fail and the user opens a zip file containing a virus, a desktop antivirus scanner should catch the virus before it can do any harm.