4 Replies. Latest reply: May 1, 2013 2:01 PM by pm_nate

    Trojan zip attachments getting through

    patrick-cusc

      I have everything in the inbound policy set to quarantine inbound zip files, yet they still get through. Our organization has been receiving inbound messages with zip attachments that contain a trojan executable. Is anyone else seeing this?

      Thanks!

        • 1. Re: Trojan zip attachments getting through
          Brad McGarr

          Hi Patrick,

           

          That behavior is both troubling and unusual. If you haven't contacted the support team that services your account, I highly encourage you to do so. A few things I would also look for are:

          - In the header of the message, if a "Received from _____ by _____" hop is missing a line with a server and ESMTP ID that ends in mxlogic.net, the message bypassed the filter through a direct connection.

          - Verify that the recipient user accounts in the Control Console were not set to exempt them from any level of filtering.

          - If you have access to Message Audit, check to see if this was released from quarantine by anyone. If you don't have direct access, your support team can pull the necessary details.

          Above all, though, in a case like this contacting your support team is highly recommended so they can fully investigate the issue.

          Let me know if you have any questions.
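
The first check in Brad's list (look for the hop written by a host ending in mxlogic.net) can be scripted. The following is an added example, not code from the thread or from the vendor: it parses the Received headers of two constructed messages and applies the check two ways. The filter hostnames (filter-01.mxlogic.net), the edge MX name (mx.example.com), the ESMTP IDs and the addresses are all assumptions. It goes one step further than the post: a sender that connects directly to your MX can forge a filter-looking Received line below the one your own server writes, so the robust test is to take the hop your own MX recorded and confirm that the host it received the message *from* is the filter.

```python
import email
import re

# Suffix Brad's post says the filter's hops end in. All hostnames, IDs and
# addresses below are constructed for this example.
FILTER_SUFFIX = "mxlogic.net"

# Constructed sample 1: delivered through the filter. The topmost Received
# line is the one our own MX (mx.example.com, assumed) wrote; the one below
# it was written by the filter host when it accepted the message.
FILTERED = """\
Received: from filter-01.mxlogic.net (filter-01.mxlogic.net [203.0.113.10])
    by mx.example.com with ESMTP id 3Ff1kD0042Sz for <patrick@example.com>;
    Wed, 1 May 2013 09:15:01 -0500
Received: from mail.partner.example (mail.partner.example [198.51.100.7])
    by filter-01.mxlogic.net with ESMTP id r41E7dq2009345;
    Wed, 1 May 2013 09:15:00 -0500
From: accounts@partner.example
To: patrick@example.com
Subject: Invoice

See attached.
"""

# Constructed sample 2: the sender connected straight to our MX and supplied
# a forged "by filter-01.mxlogic.net" hop of its own underneath.
DIRECT = """\
Received: from 192.0.2.44 (unknown [192.0.2.44])
    by mx.example.com with ESMTP id 3Ff1kD0043Sz for <patrick@example.com>;
    Wed, 1 May 2013 09:20:17 -0500
Received: from mail.partner.example (mail.partner.example [198.51.100.7])
    by filter-01.mxlogic.net with ESMTP id r41E7dq2009999;
    Wed, 1 May 2013 09:20:10 -0500
From: accounts@partner.example
To: patrick@example.com
Subject: Invoice

See attached.
"""


def _host(token):
    """Normalise a hostname token: lower-case, no trailing dot."""
    return token.lower().rstrip(".") if token else None


def parse_received(raw):
    """Return the Received hops, most recent first, as from/by/id dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()          # unfold the header
        m_from = re.match(r"from\s+(\S+)", flat, re.I)
        m_by = re.search(r"\bby\s+(\S+)", flat, re.I)
        m_id = re.search(r"\bid\s+([\w.-]+)", flat, re.I)  # ESMTP ID, if any
        hops.append({
            "from": _host(m_from.group(1)) if m_from else None,
            "by": _host(m_by.group(1)) if m_by else None,
            "id": m_id.group(1) if m_id else None,
        })
    return hops


def _under(host, suffix):
    return host is not None and (host == suffix or host.endswith("." + suffix))


def naive_filter_check(raw, suffix=FILTER_SUFFIX):
    """Brad's check as literally stated: is there any hop 'by' a filter host?
    A sender talking directly to the MX can forge such a line, so this alone
    is not enough."""
    return any(_under(hop["by"], suffix) for hop in parse_received(raw))


def delivered_via_filter(raw, edge_mx, suffix=FILTER_SUFFIX):
    """Trust only the hop our own edge MX wrote: it must have received the
    message *from* a filter host. Hops below it are attacker-controlled."""
    for hop in parse_received(raw):
        if hop["by"] == _host(edge_mx):
            return _under(hop["from"], suffix)
    return False  # our MX never appears: not a message we can vouch for


if __name__ == "__main__":
    for name, raw in (("filtered", FILTERED), ("direct", DIRECT)):
        print(name, "naive:", naive_filter_check(raw),
              "trusted-hop:", delivered_via_filter(raw, "mx.example.com"))
```

Run against a real message, replace `mx.example.com` with the hostname your own MX puts in its own Received line, and compare the `from` host on that hop with the connecting IP in the same line; the filter's outbound IP ranges, not just its hostname, are what a careful check should match.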

          • 2. Re: Trojan zip attachments getting through
            patrick-cusc

            Brad:

            Thanks for the quick response. After speaking to support, it turns out that the malicious messages were spoofing the domain of a known business partner that had been added to the whitelist. We have now cleaned out our policy's whitelist, and hopefully that should take care of it.

            We were not aware that a domain's entry on the whitelist exempted it from scanning. A warning on that page would be helpful. Thanks!

            • 3. Re: Trojan zip attachments getting through
              frankm

              This action actually concerns us, if true. In my opinion, regardless of any policy, any message with a known virus should be quarantined or handled per the orgs policy. It was my understanding that all messages are scanned for malicious content and payload.

              • 4. Re: Trojan zip attachments getting through
                pm_nate

                Known viruses are blocked regardless of the sender's allow list membership. This was apparently a 0-hour exploit, and the allow list bypasses the attachment policy, which is legacy functionality that should be addressed in a future release.
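
The evaluation order pm_nate describes (signature AV always runs, but an allow-list match short-circuits the attachment policy) is easy to see in a small model. The following is an added example, not the product's code or anything posted in the thread: the verdict names, the spam threshold, the hash values and the domains are assumptions. `legacy_verdict` reproduces the order that let Patrick's zip through; `hardened_verdict` applies the attachment policy to every sender and lets the allow list affect only the spam score.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed policy data for the example; none of it is the product's.
KNOWN_MALWARE_SHA256 = {"1f5e" * 16}      # stand-in for an AV signature hit
ALLOW_LIST = {"partner.example"}          # the whitelisted partner domain
BLOCKED_EXTENSIONS = (".zip", ".exe", ".scr")
SPAM_THRESHOLD = 5.0


@dataclass
class Attachment:
    filename: str
    sha256: str


@dataclass
class Message:
    mail_from: str          # header From domain, which the spoofer controls
    spam_score: float
    attachments: List[Attachment] = field(default_factory=list)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def known_malware(msg):
    return any(a.sha256 in KNOWN_MALWARE_SHA256 for a in msg.attachments)


def blocked_attachment(msg):
    return any(a.filename.lower().endswith(BLOCKED_EXTENSIONS)
               for a in msg.attachments)


def allow_listed(msg):
    return sender_domain(msg.mail_from) in ALLOW_LIST


def legacy_verdict(msg):
    # Signature AV runs first; the allow list cannot skip it.
    if known_malware(msg):
        return "quarantine:virus"
    # Legacy behaviour: an allow-list hit ends evaluation here, so the
    # attachment policy never sees a zip from a "trusted" (spoofable) domain.
    if allow_listed(msg):
        return "deliver:allow-list"
    if blocked_attachment(msg):
        return "quarantine:attachment-policy"
    if msg.spam_score >= SPAM_THRESHOLD:
        return "quarantine:spam"
    return "deliver"


def hardened_verdict(msg):
    if known_malware(msg):
        return "quarantine:virus"
    # Attachment policy applies to every sender; the allow list only
    # exempts the message from spam scoring.
    if blocked_attachment(msg):
        return "quarantine:attachment-policy"
    if allow_listed(msg):
        return "deliver:allow-list"
    if msg.spam_score >= SPAM_THRESHOLD:
        return "quarantine:spam"
    return "deliver"


# Constructed scenarios. "0-hour" means the hash is unknown to the AV set.
ZERO_HOUR_ZIP = Attachment("invoice.zip", "ab12" * 16)
KNOWN_BAD_ZIP = Attachment("invoice.zip", "1f5e" * 16)
PDF = Attachment("invoice.pdf", "77aa" * 16)

SCENARIOS = {
    "spoofed partner, 0-hour zip":  Message("accounts@partner.example", 1.0, [ZERO_HOUR_ZIP]),
    "spoofed partner, known virus": Message("accounts@partner.example", 1.0, [KNOWN_BAD_ZIP]),
    "stranger, 0-hour zip":         Message("billing@attacker.example", 1.0, [ZERO_HOUR_ZIP]),
    "partner, pdf, spammy score":   Message("accounts@partner.example", 7.5, [PDF]),
}


def compare(scenarios=SCENARIOS):
    """Map each scenario to (legacy verdict, hardened verdict)."""
    return {name: (legacy_verdict(m), hardened_verdict(m))
            for name, m in scenarios.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:30} legacy={old:30} hardened={new}")
```

Only the first scenario differs between the two orderings, and it is exactly Patrick's case: a zip the AV has no signature for, from a From domain that matches the whitelist. Note that both models still key the allow list on the header From domain alone, which is what the spoofer exploited; an allow-list match is only worth anything when it is tied to an authenticated sender rather than a header the connecting party writes.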