News about virus waves

MailCleaner Support
Added almost 3 years ago

2016/10/29 11:00:00
Due to a recent virus wave containing infected documents with macros, we deployed a new feature for blocking macros in attachments.
This is currently the best solution we have found.
This can be enabled by simply creating this file on each of your nodes and restarting clamav with /usr/mailcleaner/etc/init.d/clamd restart, or via Monitoring > Status in the admin interface:

touch /var/mailcleaner/spool/mailcleaner/mc-experimental-macros

2016/05/26 11:00:00
Due to a recent virus wave containing infected .docm, .dotm, .wsf and .js files (inside zip archives), we deployed a fix blocking all .docm, .dotm, .wsf and .js files, both as direct attachments and inside archives.
This is currently the best solution we have found. Each block can be disabled by simply deleting the corresponding file on each of your nodes:

rm /var/mailcleaner/spool/mailcleaner/mc-experimental-docm
rm /var/mailcleaner/spool/mailcleaner/mc-experimental-jsinzip
rm /var/mailcleaner/spool/mailcleaner/mc-experimental-wsf

2016/04/01 17:00:00
Our solution against the current (and maybe future) virus waves seems to work perfectly. More than 3300 SMTP sessions blocked in less than 3 hours!

Scripts (JavaScript for now) are now forbidden in archives on the MailCleaner Cloud for obvious security reasons. If you need to send this type of document (why would you? OK, maybe...), please use a link to Dropbox, Google Drive or any similar service.

All types of previously announced threats should be blocked by this new line of defense.

2016/04/01 08:00:00
Use of PDF files as a trojan. This relies on an exploit against a PDF reader application; we don't know which one for now. Of course, only the resident antivirus and the end users themselves are able to protect the end-user machine for now.
We are not planning to massively block PDF files for the moment, since this would be too much of an inconvenience.

2016/04/01 xx:00:00
Cyren (an optional module) is also able to detect 80% of these trojans.

2016/03/31 xx:00:00
ClamAV (the default MailCleaner mail scanner) and Kaspersky detect about 70% of the trojans of the new wave (which is about the current rate for this kind of detection, the other 30% being too polymorphic to generate a signature for).

2016/03/30 16:00:00
Use of the zip v2 format to generate errors in tools that don't have the relevant codec.

2016/03/30 14:00:00
Use of .rar files in mails with a fake .zip MIME type in the mail headers. This causes a zip tool to be run on rar files, generating errors.

2016/03/30 09:00:00
Attackers are using .rar files (to circumvent policies based on .zip files).

Start of a new wave of mails containing trojan viruses (.js files downloading a cryptolocker).
We are starting our investigation into the techniques used by the attackers.
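A defender-side check covering the tricks described in the entries above (a .rar declared with a zip MIME type, blocked script and macro extensions inside a zip, and a zip using a compression method the scanning tool lacks), written here as an added example in Python; it is not MailCleaner's own code, and the sample inputs are constructed for the example:

```python
import io
import zipfile

# Extensions the notices above block, both as attachments and inside archives.
BLOCKED_EXT = (".js", ".wsf", ".docm", ".dotm")
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 signatures
ZIP_MAGIC = b"PK\x03\x04"
# Compression methods Python's zipfile can read; anything else is a "codec" the
# scanning tool lacks, the situation the zip v2 entry above describes.
KNOWN_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED,
                 zipfile.ZIP_BZIP2, zipfile.ZIP_LZMA}


def inspect_attachment(declared_mime: str, data: bytes) -> list:
    """Return the reasons to block this attachment; an empty list means no finding."""
    findings = []
    is_rar = data.startswith(RAR_MAGIC)
    is_zip = data.startswith(ZIP_MAGIC)
    # 1. Declared MIME type vs. real content: a .rar sent with a zip MIME type.
    if "zip" in declared_mime.lower() and is_rar:
        findings.append("declared zip but content is RAR (MIME type mismatch)")
    if is_rar:
        findings.append("RAR archive")  # .rar used to dodge zip-based policies
    if not is_zip:
        return findings
    # 2. List the zip's entries without extracting anything.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(BLOCKED_EXT):
                    findings.append("blocked extension inside archive: " + info.filename)
                if info.compress_type not in KNOWN_METHODS:
                    findings.append("unsupported compression method %d: %s"
                                    % (info.compress_type, info.filename))
    except zipfile.BadZipFile:
        findings.append("declared zip but archive cannot be parsed")
    return findings


def build_sample_zip() -> bytes:
    """Constructed test input: a zip carrying a harmless .js file plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "// constructed sample, not a real downloader\n")
        zf.writestr("readme.txt", "harmless text\n")
    return buf.getvalue()


# Constructed: RAR4 signature followed by padding, enough to trigger the magic check.
SAMPLE_RAR = RAR_MAGIC[0] + b"\x00" * 16
```

The magic-byte comparison is what catches the fake-MIME-type trick; the entry listing reads only the central directory, so nothing is extracted from the archive.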