Messaging Gateway

  • 1.  SBG handling of encrypted files and scripts.

    Posted Dec 01, 2010 08:24 PM

    Hi, our client uses SBG 9.0.14. They're using a policy to block files from being sent using the True File Type option from the attachment list. However, they're sending and receiving an encryption that, when done, converts the document into a self-extracting file with an .exe extension. And using the True File Type Windows executable/program and .exe wildcard also allows some spam to pass through with an .scr attachment (.scr for script, not screensaver).

    We've already added the source into the blacklist although this is just a short term solution and would probably stop working when the spam changed to a different source.

    I'm thinking of blocking all attachments and only allowing a specific set of attachments and I need additional input on this. Thanks.



  • 2.  RE: SBG handling of encrypted files and scripts.
    Best Answer

    Posted Dec 14, 2010 10:59 AM

    I'm not sure I understand your question/observation. If you allow files using true file type then the files come through, however if you the domain they don't come through?

     

    If I understand your issue, you need to modify your compliance policy to apply to only specific domains. An example would be to block all .scr files unless they come from domain.com (where domain.com is your partner company).



  • 3.  RE: SBG handling of encrypted files and scripts.

    Posted Dec 14, 2010 07:59 PM

    Thanks, John_H. Yeah, I will try doing the whitelisting via the compliance policy page.

    My group is concerned about spam sending files with attachments, which should've been blocked. I guess the reporting of our SBG server would later on add them to the global list whenever it sends data to the Symantec Brightmail website.

    In the meantime, we want to set up a policy to block the sending or at least SBG being able to know a script file when it scans one even if the extension is renamed by identifying its true file type. I'm not sure if this is possible since scripts come in many formats, the most simple one being an executable text file. And I'm still looking into other reasons as I can't give an absolute explanation to my peers. :D



  • 4.  RE: SBG handling of encrypted files and scripts.

    Posted Dec 22, 2010 08:24 PM

    I'm not sure what happened but after this post, I did a test and forwarded a similar email into our client's domain. SBG got the .scr file and detected it as malware. I think it's just a new variant. We added the source of the files into the blacklisted domains.

    I forgot how Brightmail works to update the global list, but I guess this is the 1% of the spam that gets through.
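
The content-based typing and allow-list idea raised in posts 1 and 3, as an added example that is not part of any post and is not SBG's own logic: it classifies an attachment by its leading bytes instead of its extension and allows only listed types. The signature table, function names and sample bytes are constructed for illustration.

```python
import struct

# Constructed signature table (magic prefix, type label); not SBG's own list.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (b"#!", "script"),                               # text script with a shebang
]

def is_pe(data: bytes) -> bool:
    """True when a DOS 'MZ' header's e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def true_file_type(data: bytes) -> str:
    """Classify by content only; the file name is never consulted."""
    if is_pe(data):
        return "pe-executable"
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"

def verdict(data: bytes, allowed: set) -> str:
    """Allow-list decision: anything not positively identified is blocked."""
    ftype = true_file_type(data)
    return "allow" if ftype in allowed else f"block ({ftype})"

def make_pe_stub() -> bytes:
    """Constructed minimal header: MZ, e_lfanew=0x40, then the PE signature."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    allowed = {"pdf", "zip", "ole2"}
    samples = {                                # constructed sample attachments
        "invoice.scr": make_pe_stub(),
        "report.pdf": b"%PDF-1.4\n",
        "notes.txt": make_pe_stub(),           # executable with a renamed extension
        "run.txt": b"@echo off\r\n",           # plain-text script, no magic bytes
    }
    for name, blob in samples.items():
        print(f"{name}: {verdict(blob, allowed)}")
```

A self-extracting encrypted archive is still a PE executable by content, so a check like this cannot tell a partner's file from a malicious one; that distinction has to come from a per-domain exception as suggested in the best answer. Plain-text scripts without a shebang fall into "unknown", which is why the allow-list blocks by default.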