Atomic Secure Linux
Post subject: ASL Blocking Mail Attachment/FTP Upload
Posted: Thu May 27, 2010 2:59 pm
Author: Kalimari (Forum Regular; Joined: Wed Jan 02, 2008 3:21 pm; Posts: 520; Location: United Kingdom)
Hi,

I exported a table of data from phpMyAdmin into a zip archive to forward to a client and noticed a few hours later (in the qscan/quarantine.log) that the e-mail was not delivered as the attachment (mysql table archive) contained a reference to fastbrowsersearch.com:
Code:
*** Qmail-Scanner Quarantine Envelope Details Begin ***
X-Qmail-Scanner-Mail-From: "me@mydomain.com" via myserver.com
X-Qmail-Scanner-Rcpt-To: "client@theirdomain.com"
X-Qmail-Scanner: 2.08st (clamdscan: 0.96.1/11086. spamassassin: 3.2.5. perlscan: 2.08st.  virus Found. Processed in 27.156146 secs) process 19325
Quarantine-Description: ASL.MalwareBlacklist.fastbrowsersearch.com.UNOFFICIAL
*** Qmail-Scanner Quarantine Envelope Details End ***

An attempt at FTP upload yielded the same error... Some automated/batch scripts export/archive data and e-mail it to clients/myself. Is there a way around this? I guess it's not strictly a false-positive... Is there a way to report these issues?

Thanks

Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Thu May 27, 2010 5:53 pm
Author: biggles (Forum Regular; Joined: Tue Jul 15, 2008 2:38 pm; Posts: 770; Location: Sweden)
A zip file with a password is usually a way around scanning...

Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Thu May 27, 2010 9:47 pm
Author: Kalimari (Forum Regular; Joined: Wed Jan 02, 2008 3:21 pm; Posts: 520; Location: United Kingdom)
biggles wrote:
A zip file with a password is usually a way around scanning...

Thanks for the suggestion, but export of password protected archives is not a possibility in this case (unless someone knows how to enable this feature in phpMyAdmin?) and I don't really want to re-write the other scripts to password protect files which don't need it... The recipient of the archive doesn't need the hassle of remembering a password either.

Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Fri May 28, 2010 12:15 am
Author: Michael Shinn (Atomicorp Staff - Site Admin; Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3637; Location: Chantilly, VA)
You can report all support issues to:

support@atomicorp.com

No easy way to say when a malicious domain is "safe". The signatures trigger on an actual URL, such as http://www.badsite.com, so it's not triggering on something more benign like www.badsite.com, or just badsite.com. There is special logic to detect cases when we *know* it's benign, such as in OSSEC reports, certain log files, etc. So if you have a case like that just send the format and we could see about creating an exclusion. Send on the file if you don't mind and we can take a look.

Another option is to create a local clamav exclusion list, which would then allow anything on your system to serve up that domain, and would allow anyone to upload anything referencing that domain. Not recommended as the domains we put out are known malware/spyware sites, so that would be opening a pretty big hole in the system.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

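An added illustration of the signature behaviour Mike describes above (this is not from the thread, not Atomicorp's rules, and the blacklist and the sample SQL dump in it are constructed for the demo): a pre-flight check you can run on an export archive before mailing it, which flags members containing a full URL (scheme plus host) whose host or parent domain is on a blacklist, ignores bare domain mentions, and reports encrypted members as unscannable rather than clean. The function and file names are my own.

```python
"""Pre-flight check: would a URL-blacklist style signature fire on this archive?

Mirrors the behaviour described in the thread: a full URL such as
http://www.badsite.com is flagged, a bare "badsite.com" is not.
"""
import io
import re
import zipfile

# Constructed blacklist for illustration only; the real ASL list is not on the page.
BLACKLIST = {"fastbrowsersearch.com", "badsite.com"}

# A "real URL": scheme followed by a host. Bare domains deliberately do not match.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_blacklisted_urls(data: bytes, blacklist=BLACKLIST):
    """Return [(host, matched_domain, byte_offset)] for every full URL whose host
    or any parent domain is blacklisted."""
    hits = []
    for m in URL_RE.finditer(data):
        host = m.group(1).decode("ascii", "replace").lower().rstrip(".")
        labels = host.split(".")
        # Walk from the full host up to its registrable parent (www.x.com -> x.com).
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in blacklist:
                hits.append((host, candidate, m.start()))
                break
    return hits


def scan_zip(zip_bytes: bytes, blacklist=BLACKLIST):
    """Scan each file member of a zip. Returns {member: hits}; a value of None
    means the member is encrypted, so a content scanner cannot inspect it."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                results[info.filename] = None
                continue
            hits = find_blacklisted_urls(zf.read(info), blacklist)
            if hits:
                results[info.filename] = hits
    return results


def build_sample_export() -> bytes:
    """Constructed sample: a phpMyAdmin-style dump of a referrer table where one
    row carries a full URL to a blacklisted site and one carries only the domain."""
    sql = (b"INSERT INTO `referrers` VALUES\n"
           b"(1,'http://www.example.org/page'),\n"
           b"(2,'http://www.fastbrowsersearch.com/?q=x'),\n"
           b"(3,'fastbrowsersearch.com');\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("referrers.sql", sql)
        zf.writestr("README.txt", b"Exported from phpMyAdmin\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_zip(build_sample_export())
    for member, hits in report.items():
        if hits is None:
            print(f"{member}: encrypted member, cannot be scanned")
        else:
            for host, domain, offset in hits:
                print(f"{member}: offset {offset}: {host} matches blacklisted {domain}")
```

Running it against the constructed dump reports only referrers.sql, at the row with the full http:// URL; the bare-domain row and the README are not flagged, which is exactly why a stats export full of referrer URLs gets quarantined while a mention of the domain in plain text would not.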
Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Fri May 28, 2010 3:26 am
Author: biggles (Forum Regular; Joined: Tue Jul 15, 2008 2:38 pm; Posts: 770; Location: Sweden)
Kalimari wrote:
biggles wrote:
A zip file with a password is usually a way around scanning...

Thanks for the suggestion, but export of password protected archives is not a possibility in this case (unless someone knows how to enable this feature in phpMyAdmin?) and I don't really want to re-write the other scripts to password protect files which don't need it... The recipient of the archive doesn't need the hassle of remembering a password either.


Sorry, I misunderstood. I thought you manually downloaded the file and e-mailed it to the customer. If that had been the case you could just have added a password and e-mailed it without clamav interfering.

Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Fri May 28, 2010 5:16 am
Author: Kalimari (Forum Regular; Joined: Wed Jan 02, 2008 3:21 pm; Posts: 520; Location: United Kingdom)
Mike: Don't want to go down the route of exclusion lists. Most of the batch processes/mailings are related to stats and traffic so there'd be far too many variables to manage anyway.

biggles: No problem, thanks for the suggestion anyway, it's probably the best solution. I'll have to research a way of password protecting server archives before mailing. I find phpMyAdmin really useful for quick export of ad-hoc SQL queries (some large output files when uncompressed) without resorting to the command line. Maybe investigate the possibility of omitting a specific domain or outbound e-mail account from AV scanning (blurgh!) or better still write a script to monitor a local folder and auto archive and password protect whatever gets dropped there.

...sound of sleeves rolling up...

Post subject: Re: ASL Blocking Mail Attachment/FTP Upload
Posted: Fri May 28, 2010 5:19 am
Author: Michael Shinn (Atomicorp Staff - Site Admin; Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3637; Location: Chantilly, VA)
Quote:
Mike: Don't want to go down the route of exclusion lists. Most of the batch processes/mailings are related to stats and traffic so there'd be far too many variables to manage anyway.


I understand completely. If you don't mind sending in the file to support@atomicorp.com we might be able to write logic into the clamav rules to not trigger on this specific case (because it doesn't sound like it's harmful, it's just in the file and probably benign). Make sure you put a password on the file though. ;-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
