News about virus waves
Added almost 3 years ago
Due to a recent virus wave containing infected documents with macros, we deployed a new feature for blocking macros in attachment.
This is currently the best solution we found.
This can be enabled by simply creating this file on each of your nodes and restarting clamav with /usr/mailcleaner/etc/init.d/clamd restart or via Monitoring > Status in admin interface:
Due to a recent virus wave containing infected .docm, .dotm, .wsf and .js (in zip, archive) , we deployed a fix blocking all .docm, .dotm, .wsf and .js both as attachments and archives.
This is currently the best solution we found. This can be disabled by simply deleting a file on each of your nodes :
Our solution against actual (and maybe futures) virus waves seems to work perfectly. More than 3300 SMTP session blocked in less than 3 hours !
All type of previously announced threats should be blocked by this new line of defense.
Use of PDF file as a troyan. This uses an exploit of a PDF reader application, We dont know which one for now. Of course, only the resident AntiVirus and the final users are able to protect the end user machine for now.
We are not planning to massively block PDF files for the moment since this behaviour would be too much of an inconvenience.
Cyren (an optional module) is also able to detect 80% of these troyans.
ClamAV (default MailCleaner mailscanner) and Kapersky detect about 70% of the troyans of the new wave (which is about the current rate for this kind of detection, the other 30% being too polymorph to be able to generate a signature)
Use a zip v2 format to generate errors on tools which dont have the relevant codec
Use of .rar files in mails using a fake .zip MIME type in the mail headers. This causes the use a zip tool on rar files, generating errors
Attackers are using .rar files (to circumvant policies based on .zip files)
Start of a new wave of mails containing troyans viruses (.js files downloading a cryptolocker).
We start our investigations about the techniques used by the attackers.