Emails with infected archive file attachments are bypassing anti-spam filters

Article:TECH137756  |  Created: 2010-08-13  |  Updated: 2014-07-14  |  Article URL http://www.symantec.com/docs/TECH137756
Article Type
Technical Solution

Product(s)

Environment

Issue



Since August 11, 2010, emails with archive file attachments infected with spam and Zbot.Trojan have been bypassing anti-spam filters. Applications performing the filtering do not generate any visible errors.

While Symantec has updated its filter set to capture the attack, some messages may have slipped through in the window between the updated rules being pushed out to customers and those filters being applied.


Cause



 

 


Solution



Symantec has created updated rulesets for all Brightmail AntiSpam technologies. Please make sure that your environment has the latest ruleset available. 

 

Best Practices 

Symantec recommends updating spam policies to strip the attachments from suspect messages and to delete those messages. This ensures that no infected messages or files bypass the filters.

The following details how to configure these policies for the Brightmail products.
 
Symantec Brightmail AntiSpam 6.0.x and Symantec Brightmail Message Filter 6.x:

Brightmail Control Center (BCC) is installed:
  1. Log in to the BCC
  2. Click on Settings->System Settings->Group Policies
  3. Click the name of the Policy to Edit
  4. In the AntiVirus Actions section locate the "If a message contains a virus" selection.
  5. In the drop-down select Delete the message
  6. Click Save
The BCC is not installed:
  1. Log in to the server where SBAS/SBMF is installed
  2. Edit the bmiconfig.xml
    • for a Linux/Solaris installation this file is typically located at: /opt/symantec/sbas/Scanner/etc/bmiconfig.xml
    • for a Windows installation this file is typically located at: C:\Program Files\Symantec\SBAS\Scanner\Config\bmiconfig.xml
  3. Locate the following XML node in the file:

    <disposition name='virus'>
            <destination></destination>
    ...
    ...
    ...
    </disposition>
  4. Ensure that the action node is set to delete by updating the node to reflect the following:

    <disposition name='virus'>
            <destination></destination>

    </disposition>
     
  5. Save and close the file.
  6. Restart the SBAS/SBMF Scanner
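
A read-only check for the edit described in steps 3 and 4, as an added example that is not Symantec's code. The listing above does not show the action element itself, so the element name `action`, the value `delete` and the sample XML are assumptions taken from the wording of step 4; adjust `action_tag` and `wanted` to match your file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples, not real bmiconfig.xml content. The page's listing does
# not show the action element, so <action>delete</action> is an assumed layout
# and "deliver" is a made-up non-delete value.
SAMPLE_DELETE = """<config>
  <disposition name='virus'>
    <destination></destination>
    <action>delete</action>
  </disposition>
</config>"""
SAMPLE_OTHER = SAMPLE_DELETE.replace("delete", "deliver")
SAMPLE_MISSING = "<config><disposition name='virus'><destination/></disposition></config>"


def action_values(node, action_tag):
    """Collect text and attribute values of every action_tag element under node."""
    values = []
    for el in node.iter(action_tag):
        values.append((el.text or "").strip().lower())
        values.extend(v.strip().lower() for v in el.attrib.values())
    return [v for v in values if v]


def virus_disposition_status(xml_data, action_tag="action", wanted="delete"):
    """Return 'delete', 'other', 'no-action', 'no-disposition' or 'unparseable'."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return "unparseable"
    nodes = [d for d in root.iter("disposition") if d.get("name") == "virus"]
    if not nodes:
        return "no-disposition"
    for node in nodes:  # every virus disposition must be set to delete
        values = action_values(node, action_tag)
        if not values:
            return "no-action"
        if wanted not in values:
            return "other"
    return "delete"


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DELETE
    status = virus_disposition_status(data)
    print(status)
    sys.exit(0 if status == "delete" else 1)
```

The script exits non-zero for any result other than `delete`, so it can be run against each scanner's bmiconfig.xml after the edit and before the restart in step 6.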
 
 
Symantec Brightmail Gateway 9.0.x:
 
Verify that the spam / suspected spam rules are configured to delete the message
  1. Log in to the Control Center
  2. Click Spam
  3. Click the rule Spam or Suspected Spam: Delete message
  4. Select the group(s) to apply the policy to
  5. Click Save         
 
NOTE: If you need a different spam / suspected spam rule that does not delete the message, Symantec recommends adding an extra action of Strip Attachments -> Strip All Attachments to the current rule.

Verify that the virus rules are configured to delete the message
 
  1. Log in to the Control Center
  2. Click on Virus
  3. Click on the rule -> Virus:Delete message
  4. Select the group(s) to apply the policy to
  5. Click Save
 
Symantec Mail Security for SMTP 5.x:
 
Verify that the spam / suspected spam rules are configured to delete the message
  1. Log in to the Control Center
  2. Click Policies
  3. On the left-hand side click Spam
  4. Click the rule Spam or Suspected Spam: Delete message
  5. Select the group(s) to apply the policy to
  6. Click Save
 
Verify that the virus rules are configured to delete the message
 
  1. Log in to the Control Center
  2. Click Policies
  3. On the left-hand side click Virus
  4. Click the rule Virus:Delete message
  5. Select the group(s) to apply the policy to
  6. Click Save

 

Additional Information:

A more in-depth analysis of this threat is available at the following URL:
www.symantec.com/connect/blogs/spam-carrying-malicious-infostealer

 



Legacy ID



2010082510213854

