On Wed, 2015-02-18 at 06:18 -0700, Tonyata wrote:
> Thanks for your feedback, much appreciated
>
> We do regularly review our AV solution and are generally happy with
> what we have in place. The issue was and continues to be that this is
> new-variant malware, so by the time the AVs catch up we already have a
> number of mails received in the user base.
> Was kinda hoping for some clever spam rule trickery to combat this
> but maybe I should just reset my expectations :)
>
> But in any case, any further suggestions/comments are gratefully
> received.
There are some solutions for re-scanning email which has already been delivered (via IMAP, and possibly direct maildir access) so spam that's not initially in Razor/Pyzor-type services gets caught. You could probably adapt one of those to also run a virus scanner at a later time with updated signatures to catch those, or even put together a quick shell script to loop through your maildirs with a CLI virus scanner (if you use maildir). Of course it won't address users that have read their email already, but it certainly would help overall. Another option might be to add a virus scanner to your POP/IMAP server, so mail is re-scanned before being sent to the client?

Jesse

> Cheers
> Tony
>
> ______________________________________________________________________
> Date: Wed, 18 Feb 2015 06:08:30 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Recent spate of Malicious VB attachments II
>
> On 02/18/2015 01:09 PM, Tonyata wrote:
> > Posting again as the original post didn't hit the mailing list -
> >
> > Hi Guys,
> >
> > Last week my company received a noticeable increase in emails containing MS
> > Office attachments with a malicious VB script which downloaded something
> > nasty.
> > For example Subj - Remittance [Report ID:54400-2187772], attachments were
> > "10 random chars".xls or Subj - PURCHASE ORDER (34663), attachments
> > "2600_001".doc
> >
> > In all cases we receive a couple of thousand emails across the customer base
> > over a couple of hours, sometimes originating from the same sender (in which
> > case I blacklist) but more often differing senders/IPs. Historically I add
> > a rule to pick up on the obvious characteristics - Subj, attachment name etc.
> > and because they are pretty short-lived campaigns it's generally sufficient.
> >
> > What I'd like to know is -
> >
> > a) Did any of you see similar?
> yes!
> > b) Do you have any suggestions in order to detect this kind of stuff more
> > efficiently and on a more generic basis but without introducing FP risk?
>
> Get a decent AV.
>
> Test samples at https://virustotal.com
>
> The results will probably help you make a decision as to which AV
> product meets your expectations.
>
> If you don't want to spend on AV then you'll have to look into free
> ClamAV signatures:
>
> http://sanesecurity.com/ and others.

--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
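The maildir re-scan Jesse describes, written out as an added example that is not part of the thread: a POSIX shell function that walks a Maildir's new/ and cur/ directories, runs a CLI scanner with current signatures over each message and moves anything flagged into a quarantine directory. The scanner command and its exit-code convention (clamdscan: 0 clean, 1 infected, 2 error), the Maildir layout and the quarantine path are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Re-scan already-delivered Maildir messages with a CLI virus scanner and
# quarantine anything that is flagged now that signatures have been updated.
# Assumptions (not from the thread): Maildir layout (new/ and cur/), a scanner
# that exits 1 for an infected file (the clamscan/clamdscan convention), and a
# quarantine directory outside the mail spool.

# SCANNER may be overridden from the environment; the default relies on
# clamdscan's documented exit codes: 0 clean, 1 infected, 2 error.
: "${SCANNER:=clamdscan --no-summary --fdpass}"

# rescan_maildir MAILDIR QUARANTINE
# Scans every message in MAILDIR/new and MAILDIR/cur, moves flagged messages
# to QUARANTINE (keeping their filenames), logs each move on stderr, and
# prints the number of quarantined messages on stdout.
rescan_maildir() {
    maildir=$1 quarantine=$2 hits=0
    mkdir -p "$quarantine" || return 2
    for sub in new cur; do
        [ -d "$maildir/$sub" ] || continue
        for msg in "$maildir/$sub"/*; do
            [ -f "$msg" ] || continue
            # Run inside an if so a non-zero scanner exit never trips set -e.
            if $SCANNER "$msg" >/dev/null 2>&1; then
                rc=0
            else
                rc=$?
            fi
            if [ "$rc" -eq 1 ]; then
                mv -- "$msg" "$quarantine/" && hits=$((hits + 1))
                printf '%s quarantined %s\n' \
                    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$msg" >&2
            elif [ "$rc" -ge 2 ]; then
                # Scanner error (daemon down, unreadable file): leave the
                # message in place and report it rather than silently skipping.
                printf 'scanner error (%d) on %s\n' "$rc" "$msg" >&2
            fi
        done
    done
    printf '%s\n' "$hits"
}
```

Run it from cron after a signature update, once per mailbox, e.g. `for d in /var/mail/*/Maildir; do rescan_maildir "$d" /var/quarantine/"$(basename "$(dirname "$d")")"; done`; it does nothing for messages a user has already read and acted on, which is the limitation Jesse points out.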