Author Topic: Netsky.P not detected at Exchange  (Read 10163 times)

0 Members and 1 Guest are viewing this topic.

ratzmilk

  • Guest
Netsky.P not detected at Exchange
« on: June 29, 2004, 07:05:14 AM »
I am trying out a few Exchange anti virus products to replace our Trend Micro antivirus for Exchange.

I have installed Avast and discovered it suffers from the same problem that GFI did, that it can't scan for the Netsky.P virus inside the password protected zip files that the virus creates to email itself around.

The infected zip files are being picked up by Nortons on the desktop which doesn't seem to have any problems scanning the zip files.

One other product I've tried had the option to delete password protected zip files, but this product doesn't give you that option.  Defeating the password protection on zip files is not hard and some antivirus programs do, namely Nortons and Trend that I personally know do from experience.

With Avast, I have it set to notify me for untestable email, but it does not do this in the case of infected password protected zip files, it just passes them through complete with the virul payload.

Any suggestions (other than going back to Trend)?

I don't want to block all zip files, we git way to many legitimate zip files to do that.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Netsky.P not detected at Exchange
« Reply #1 on: June 29, 2004, 07:28:07 AM »
Actually avast is expected to pick up these.
Maybe the sample your trying is somehow corrupted (?)

Can you send it to my email address?


BTW with the exception of Kaspersky, no AV can detect infections the password-protected ZIP files as such. However, since the virus-generated ZIP files have some special characteristics they can be quite easily (heuristically) picked up by the AV... This may change in the near future, as the virus authors realize this, though...


Vlk
If at first you don't succeed, then skydiving's not for you.

ratzmilk

  • Guest
Re:Netsky.P not detected at Exchange
« Reply #2 on: June 29, 2004, 08:13:53 AM »
Dont have a sample I can send you as Nortons cleans them once they hit the desktop.  That's why I always recommend that people should use different antivirus products for email servers and the desktops for just this sort of thing.

Plus, I wouldn't want to try and catch an infected email and send it back out again, not with Outlook/Exchange.  We are a work environment and not a test lab.

What I can do though is post the header of the infected email.  You can see where Avast tagged the header as clean.

Microsoft Mail Internet Headers Version 2.0
X-Antivirus-Status: Clean
thread-index: AcRc+kHZ04ToYA1dTyi5iSjcfiaIwA==
X-Antivirus: avast! 4 for MS SMTP Server 2000
Received: from itsagirlthing.com.au ([144.137.212.134]) by mail.stefan.com.au with Microsoft SMTPSVC(5.0.2195.6713); Mon, 28 Jun 2004 20:25:35 +1000
From: <dinewithstyle@hotmail.com>
Content-Transfer-Encoding: 7bit
To: <webmaster@itsagirlthing.com.au>
Subject: Re: Hi
Importance: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Content-Class: urn:content-classes:message
Date: Mon, 28 Jun 2004 19:55:48 +0930
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <dinewithstyle@hotmail.com>
Message-ID: <MAILs0i8rxT9ru2m2uN000000dc@mail.stefan.com.au>
X-OriginalArrivalTime: 28 Jun 2004 10:25:35.0752 (UTC) FILETIME=[3FF07880:01C45CFA]

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
   charset="Windows-1252"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
   name="letter32.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="letter32.zip"

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11815
    • AVAST Software
Re:Netsky.P not detected at Exchange
« Reply #3 on: June 29, 2004, 09:43:16 AM »
I have installed Avast and discovered it suffers from the same problem that GFI did, that it can't scan for the Netsky.P virus inside the password protected zip files that the virus creates to email itself around.

The infected zip files are being picked up by Nortons on the desktop which doesn't seem to have any problems scanning the zip files.

As the files as password-protected, they are not possible to be scanned - that's why they are password protected, right? ;D  You may try to bruteforce the password, but that will work only until the virus writers realize that 4 digits password is simply too short - and I guess you'd rather avoid scanning one single file for 1000 years... So, the antivirus programs use only some kind of heuristics (e.g. "password protected zip file with a single file inside the archive, having .exe or .src extension, within a certain range of sizes", etc.).

Quote
One other product I've tried had the option to delete password protected zip files, but this product doesn't give you that option.  Defeating the password protection on zip files is not hard and some antivirus programs do, namely Nortons and Trend that I personally know do from experience.

I don't think it's nice to delete all password-protected archives; there are certainly good reasons to send such a file. So, the heuristics mentioned above should be tuned to provide reasonable protection without much false alarms. But of course, it's will never be 100%.

Quote
With Avast, I have it set to notify me for untestable email, but it does not do this in the case of infected password protected zip files, it just passes them through complete with the virul payload.
...
That's why I always recommend that people should use different antivirus products for email servers and the desktops for just this sort of thing.

Even though this recommendation may have a reason, it's void in this case. The desktop protection would detect the virus as soon as it's unpacked from the archive and block it; the zip archive itself is harmless, of course.

Offline .: Mac :.

  • Avast √úberevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Netsky.P not detected at Exchange
« Reply #4 on: June 30, 2004, 03:30:03 AM »
Quote
BTW with the exception of Kaspersky, no AV can detect infections the password-protected ZIP files as such.
How can Kaspersky find it if no other AV can?  ???
"People who are really serious about software should make their own hardware." - Alan Kay

ratzmilk

  • Guest
Re:Netsky.P not detected at Exchange
« Reply #5 on: June 30, 2004, 03:49:18 AM »
Quote

BTW with the exception of Kaspersky, no AV can detect infections the password-protected ZIP files as such.
Vlk

Trend Micro for Exchange certainly did.  Nortons (Enterprise ver 8.6) anti-virus was able to detect the virus in Outlook without the zip file being unziped or the password used.  

Prior to trying Avast, I tried GFI which uses the Kaspersky engine, and it was unable to scan password protected zip files.  Which is why I rejected GFI and am now trying Avast, which I will also now be rejecting because of this weekness.

Who knows, it may turn out that Trend Micro is the only Exchange based anit-virus that can scan inside protected zip files, therefor it is the only anti virus that can give true protection.

ratzmilk

  • Guest
Re:Netsky.P not detected at Exchange
« Reply #6 on: June 30, 2004, 07:56:56 AM »
Today, Avast has passed as clean an email infected with W32.Erkez.B@mm that arrived in a .pif file.

The virus was picked up at the desktop by Nortons.

Not being able to scan inside password protected files is one thing, missing this though is pretty bad.

Looks like that will be the end of my Avast trial.  On to the next one now.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Netsky.P not detected at Exchange
« Reply #7 on: June 30, 2004, 08:20:01 AM »
Quote
Trend Micro for Exchange certainly did.  Nortons (Enterprise ver 8.6) anti-virus was able to detect the virus in Outlook without the zip file being unziped or the password used.  


That's what I was saying. Generally, there's NO way to do this. Kaspersky (this doesn't necessarily have to apply to GFI) is the only engine that seriously attempts to deal with the problem but in the long haul it has no chance to succeed (it's more or less like trying to scan an encrypted channel without knowing the key). If you have access to the Virus Bulletin magazine, I'd strongly recommend reading the "Password-protected viruses" article in the May 2004 issue. It provides extensive information on this subject.

Quote
Today, Avast has passed as clean an email infected with W32.Erkez.B@mm that arrived in a .pif file.

The virus was picked up at the desktop by Nortons.

Missed Zafi.B? That'd be really surprising (it's on of the most common viruses nowadays). It must've been a damaged sample (a truncated email etc. -- this is actually quite normal). Then some AV's start the alarn, some do not, depending on the structure of their signatures...

Quote
Looks like that will be the end of my Avast trial.  On to the next one now.


Good luck. :)
« Last Edit: June 30, 2004, 08:20:47 AM by Vlk »
If at first you don't succeed, then skydiving's not for you.