Endpoint Protection

  • 1.  SEP not detecting virii in e-mail attachments?

    Posted Apr 29, 2015 01:17 PM

    Hello,

    I just wanted to check if there is possibly a configuration issue somewhere, or if I have misunderstood how the e-mail scanning in SEP works.

    I have a client running SEP 12.1.4023.4080 with latest definitions from LiveUpdate.  E-mails are downloaded by POP3.

    One of the users got infected with CryptoWall about a month back and the Symantec client did not detect it in the attachment.  Fair enough, it may have been a new variant.

    The client continues to get suspicious attachments, usually a "Fax" or an "Order", with an attached Zip file, very much like the one that was opened a month previous.

    I have confirmed that mail protection is enabled in SEP, but these attachments still appear in the users' e-mails.  I would think SEP would quarantine them?

    Could you let me know if I have perhaps misunderstood how the mail protection works?




  • 2.  RE: SEP not detecting virii in e-mail attachments?

    Posted Apr 29, 2015 01:21 PM

    The emails would still come in, however, when the user tried to open, it should scan the file.

    For Internet email scanning of the messages that use the POP3 or SMTP protocols, Auto-Protect scans the following items:

    • The body of the message
    • Any attachments to the message


    When you open a message with an attachment, the attachment is immediately downloaded to your computer and scanned when the following statements are true:

    http://www.symantec.com/docs/TECH95093



  • 3.  RE: SEP not detecting virii in e-mail attachments?

    Trusted Advisor
    Posted Apr 30, 2015 02:43 AM

    Hello,

    Internet Email Auto-Protect protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.

    For Internet email scanning of the messages that use the POP3 or SMTP protocols, Auto-Protect scans the following items:

    • The body of the message
    • Any attachments to the message

    See the following:

    About Auto-Protect and email scanning

    https://support.symantec.com/en_US/article.TECH95093.html

    You may want to consider Mail Security for Microsoft Exchange.

    You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.

    Email attachments are frequently the culprits in virus attacks. To protect yourself from viruses transmitted through email attachments:

    • Don't open any attachment you were not expecting, even if it comes from a trusted source, such as a family member, co-worker, or friend.
    • If you do not know the sender of a message that includes an attachment, delete the message without reading it.
    • Do not open any attached file ending in .exe, .vbs, or .lnk.
    • Never open an attachment without verifying that it's virus free. To open an attachment, first save it to your hard drive and then scan it with antivirus software, such as Symantec Endpoint Protection.

    Regards,



  • 4.  RE: SEP not detecting virii in e-mail attachments?

    Broadcom Employee
    Posted Apr 30, 2015 04:16 AM

    Hi,

    Thank you for posting in Symantec community.

    Can you configure a gateway to block incoming .zip files and .scr extensions but exclude your domain? If feasible, this can be a workaround to keep virus attachments away.

    This can be a good example: http://www-10.lotus.com/ldd/nd6forum.nsf/e5f5333619f2996885256a220009508f/4e8051d45200d5c885256e4d006f0ada?OpenDocument

    I think you can do through GPO as well.

    Also, the key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

    Preventive Measures

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments.
    • Keep operating systems and software, including anti-virus, up-to-date with the latest patches.
    • Perform regular backups of all systems/data to avoid serious consequences should your system fall under attack.

    Please do locate the file which caused the damage and submit it to Security Response for analysis.  It will most likely be a .scr or .exe in %TEMP%.  If you have opened any suspicious mail attachments lately, please submit that file.  This will not help you recover your files, but it will prevent future admins from suffering the same grief.

    Symantec Insider Tip: Successful Submissions!

    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    If you want to know how SEP handles email attachments, check this article:

    About SEP Auto-Protect and email scanning

    http://www.symantec.com/docs/TECH95093
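
    The gateway-side filter suggested in the reply above (block inbound .zip and .scr attachments, exempt your own domain) can be sketched as a small message inspector. This is an added example written for this page; it is not Symantec code, not a SEP setting, and not a product the thread mentions. The blocked-extension list, the `example.com` internal domain, and the four sample messages (built inline, not captured from a real mailbox) are all assumptions for the example. It goes one step further than the reply: instead of blocking every .zip, it opens the archive and blocks on what is inside (the "Fax.zip" carrying a .scr that the thread describes), recursing into nested archives and flagging password-protected ones that no scanner can open.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the thread says never to open (.exe, .vbs, .lnk), the .scr dropper
# it mentions, plus a few common script types. Assumed list for this example.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".lnk", ".js", ".jse", ".wsf",
                      ".bat", ".cmd", ".com", ".pif"}
ARCHIVE_EXTENSIONS = {".zip"}
# The "exclude your domain" part of the gateway rule. Hypothetical value.
INTERNAL_DOMAINS = {"example.com"}


def _ext(name):
    """Lower-cased final extension, so 'fax.pdf.SCR' -> '.scr'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data, depth=0, max_depth=2):
    """Return the member names inside a zip that a gateway should refuse.
    Recurses into nested zips up to max_depth (a cheap zip-bomb guard) and
    reports password-protected members, which cannot be scanned at all."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name, ext = info.filename, _ext(info.filename)
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                    findings.append(f"{name} (password-protected, cannot be scanned)")
                elif ext in BLOCKED_EXTENSIONS:
                    findings.append(name)
                elif ext in ARCHIVE_EXTENSIONS and depth < max_depth:
                    findings.extend(f"{name}/{m}" for m in
                                    inspect_zip(zf.read(info), depth + 1, max_depth))
    except zipfile.BadZipFile:
        findings.append("<unreadable zip>")
    return findings


def sender_domain(msg):
    """Domain of the From: header address (spoofable; see the note below)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def evaluate_message(raw_bytes):
    """Apply the gateway rule to one RFC 822 message: ('block'|'allow', reasons)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    internal = sender_domain(msg) in INTERNAL_DOMAINS
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the zip magic as well as the name: a renamed archive still opens.
        if _ext(name) in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension: {name}")
        elif _ext(name) in ARCHIVE_EXTENSIONS or payload.startswith(b"PK\x03\x04"):
            inner = inspect_zip(payload)
            if inner:
                reasons.append(f"archive {name} contains: {', '.join(inner)}")
            elif not internal:
                reasons.append(f"inbound archive from external sender: {name}")
    return ("block" if reasons else "allow"), reasons


# --- constructed sample messages (not real captures) -----------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(from_addr, attach_name, attach_bytes):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "user@example.com", "Fax"
    msg.set_content("Please see the attached fax.")
    msg.add_attachment(attach_bytes, maintype="application", subtype="zip",
                       filename=attach_name)
    return msg.as_bytes()


MALICIOUS = build_sample("fax@evil.example", "fax_20150429.zip",
                         make_zip({"fax_20150429.pdf.scr": b"MZ..."}))
NESTED = build_sample("orders@evil.example", "order.zip",
                      make_zip({"order.zip": make_zip({"order.exe": b"MZ"})}))
INTERNAL = build_sample("hr@example.com", "payroll.zip",
                        make_zip({"payroll.csv": b"a,b"}))
EXTERNAL_BENIGN = build_sample("vendor@partner.example", "invoice.zip",
                               make_zip({"invoice.pdf": b"%PDF"}))

if __name__ == "__main__":
    for label, raw in [("malicious", MALICIOUS), ("nested", NESTED),
                       ("internal", INTERNAL), ("external-benign", EXTERNAL_BENIGN)]:
        print(label, evaluate_message(raw))
```

    Two caveats a practitioner would want. First, the domain exemption keys off the From: header, which the "Fax"/"Order" campaigns in this thread can forge at will; at a real gateway, only exempt senders that also pass SPF/DKIM alignment, or key the exemption off the connecting host instead. Second, the reply above is right that gateway filtering is the place for this: once the client pulls mail over POP3-over-SSL, the Internet Email Auto-Protect proxy cannot see inside the session, and the attachment is only examined when the user opens it.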



  • 5.  RE: SEP not detecting virii in e-mail attachments?

    Broadcom Employee
    Posted May 08, 2015 08:58 AM

    Is there any update?

    OR

    If the query has been resolved, mark this thread as 'Solved' with the best answer that helped you.