Emails with infected archive file attachments are bypassing anti-spam filters

Article:TECH137756

Created: 2010-08-13

Updated: 2010-08-27

Article URL http://www.symantec.com/docs/TECH137756

Article Type
Technical Solution

Product(s)

Show all

Environment

Show all

Languages

Show all

Problem

Since August 11, 2010 emails with archive file attachments infected with spam and Zbot.Trojan have been bypassing anti-spam filters. Applications performing the filtering do not generate any visible errors.

While Symantec has updated its filter set to capture the attack, there may be cases where the attack slipped through between the time that the updated rules were being pushed out to customers and the time it took to apply those filters.

Cause

Solution

Symantec has created updated rulesets for all Brightmail AntiSpam technologies. Please make sure that your environment has the latest ruleset available.

Best Practices

Symantec recommends updating spam policies to strip the attachments from suspect messages and to delete those messages. This ensures that no infected messages or files bypass the filters.

The following details how to configure these policies for the Brightmail products.

Symantec Brightmail AntiSpam 6.0.x and Symantec Brightmail Message Filter 6.x:

Brightmail Control Center (BCC) is installed:

Login to the BCC
Click on Settings->System Settings->Group Policies
Click the name of the Policy to Edit
In the AntiVirus Actions section locate the "If a message contains a virus" selection.
In the drop-down select Delete the message
Click Save

The BCC is not installed:

Login to server where SBAS\SBMF is installed
Edit the bmiconfig.xml
- for a Linux/Solaris installation this file is typically located at: /opt/symantec/sbas/Scanner/etc/bmiconfig.xml
- for a Windows installation this file is typically located at: C:\Program Files\Symantec\SBAS\Scanner\Config\bmiconfig.xml
Locate the following XML node in the file:

<disposition name='virus'>
<destination></destination>
...
...
...
</disposition>
Ensure that the action node is set to delete by updating the node to reflect the following:

<disposition name='virus'>
<destination></destination>

</disposition>
Save and close the file.
Restart the SBAS/SBMF Scanner

Symantec Brightmail Gateway 9.0.x:

Verify that the spam / suspected spam rules are configured to delete the message

Login to the Control Center
Click Spam
Click the rule Spam or Suspected Spam: Delete message
Select the group(s) to apply the policy to
Click Save

NOTE: If you need to have different spam / suspected spam rule that will not delete the message , Symantec recommends adding an extra action of Strip Attachments -> Strip All Attachments to the current rule.

Verify that the virus rules are configured to delete the message

Login to the Control Center
Click on Virus
Click on the rule -> Virus:Delete message
Select the group(s) you want to apply the policy
Click Save

Symantec Mail Security for SMTP 5.x:

Verify that the spam / suspected spam rules are configured to delete the message

Login to the Control Center
Click Policies
On the left hand side click Spam
Click the rule Spam or Suspected Spam: Delete message
Select the group(s) to apply the policy to
Click Save

Verify that the virus rules are configured to delete the message

Login to the Control Center
Click Policies
On the left hand side click Virus
Click the rule Virus:Delete message
Select the group(s) to apply the policy to
Click Save

Additional Information:

More in depth analysis of this this threat is discussed at the following URL:
www.symantec.com/connect/blogs/spam-carrying-malicious-infostealer

Legacy ID

2010082510213854

Article URL http://www.symantec.com/docs/TECH137756

Emails with infected archive file attachments are bypassing anti-spam filters

Problem

Cause

Solution

Additional Information:

Legacy ID

Please Sign In

Knowledge Base Search

Knowledge Base Search

MySymantec

MySymantec

Contacting Support

Contacting Support