E-mail filtering service thinks zip file is infected with W32/Bagle virus

Tags: Application security, backdoors, Current threats, Database, Encryption, Hacking, human factors, Instant Messaging, Microsoft Exchange, Secure Coding, Security, Spyware, Trojans, Viruses, worms
One of our employees is having difficulty receiving e-mails from a vendor. The vendor is zipping up two text files and e-mailing the zip file to us. The Zip file is identified as a virus by our on-line e-mail filtering service and the e-mail is deleted before it hits our mail server. If the vendor sends the two text files without zipping them, they come through fine. The vendor claims that our filtering service must be incorrectly analyzing something in the ZIP file that makes it think it contains a virus. I'm not so sure. I'm wondering about the possibility that a virus (the W32/Bagle.G in particular) can be introduced by the client's zipping program. Maybe the text files are clean, but if the zipping software was infected, the resultant zip file might be infected. I haven't read any evidence of this behavior yet, but I'm looking. We've been using this on-line spam-and-virus filtering service for over a year, and this is the first time I've had a complaint of "false positives". Thanks in advance, David
ASKED: November 1, 2005  12:22 PM
UPDATED: November 3, 2005  10:25 AM

Answer Wiki


I have not heard of a contaminated ‘zipping’ program that added a virus during compression. I have had repeated occasions where a ‘filtering’ service declared all ‘zips’ to be viruses; default settings that block .exe, .vbs and .zip are not uncommon because they are easy. To actually investigate the content of a ‘zip’ file is not easy, especially if it is encrypted for security. (You did not say why the text files were zipped in the first place.)

Are you receiving ‘zip’ files from anybody else?

Discuss This Question: 8  Replies

  • DKoch67
    Howard2nd, They were zipping the files to group them into one attachment. Size was not the problem here. This is a situation where the vendor sends out updates on a frequent basis and the number of text files is not constant. David
  • Sonyfreek
    Does the message you get when you receive the email state that it was blocked due to an infection of the W32/Bagle.G Virus? We typically configure our virus protection to block *.zip files that are encrypted with a password or that cannot be opened by the virus scanner, but some admins block anything by the extension, such as *.zip files. It's typically easy to get around by renaming the .zip file to .txt. Tell the user to change it to .zip when saving it to the disk and it'll open up fine. Try that and see if you are successful. More than likely, it will work. SF
  • Layer9
    I'm curious what your AV Gateway appliance or software is. I have seen this error with several common AV gateway systems where .zip or .txt extensions, or both were filtered by default. Do you have administrative control over this gateway? Can you confirm that these file extensions are not blocked anywhere on the system? Chris Weber Layer9corp.com
  • Mlandes
Hi, try looking at the following: a. is the zip protected by a password? b. are the file names identical to the common Bagle characteristics, such as subject, filenames, extensions, message body words, etc.? Thanks, moti
  • petkoa
Hi, a zip-replacing worm isn't something unthinkable, but I didn't hear any reports about something like this. If your scanner is so specific about W32/Bagle.G, I wouldn't suppose problems with an encrypted zip or too-general rules, but rather coincidental generation by the zipper of some bytes resembling the Bagle.G signature of the AV product. BR, Petko
  • DKoch67
    Our filtering service responded to my support call and thinks it's a false positive. Thanks for all your ideas and comments. David
  • Sonyfreek
If I were you, I'd still try changing the .zip extension to something innocuous, like .txt, to test out the intelligence of the AV gateway. If it doesn't verify its file format, then it probably should be upgraded to something more secure, although you might not be able to convince the admin to do that. SF
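The Answer Wiki and Sonyfreek's two replies describe what a content-aware mail gateway should do before it decides on an attachment: recognise a ZIP archive by its bytes rather than by the name the sender gave it, and refuse to pass archive entries it cannot open for scanning (password-protected ones). The following Python is an added example written for this page; it is not code from the thread or from any filtering product. The sample archives it builds in memory are constructed, and the "encrypted" one only has the general-purpose flag bit set (the data is not actually encrypted), which is enough to show how a gateway detects unscannable entries.

```python
"""Inspect e-mail attachments by content rather than by file extension.

Added example (not from the original thread). Shows two gateway checks the
replies allude to: sniffing the real format via magic bytes so a renamed
file is still recognised, and flagging ZIP entries a scanner cannot open
because they are password-protected (general-purpose flag bit 0).
"""
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header signature


def sniff_zip(data: bytes) -> bool:
    """True if the bytes begin with a ZIP local file header, whatever the name."""
    return data[:4] == ZIP_MAGIC


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return what a content-aware gateway would record for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {
        "filename": filename,
        "is_zip": sniff_zip(data),
        "extension_mismatch": False,
        "entries": [],
        "encrypted_entries": [],
        "reasons": [],          # empty means nothing prevented a full scan
    }
    # A .txt that is really a ZIP (or a .zip that is not) is worth recording:
    # the extension alone tells the gateway nothing reliable.
    if report["is_zip"] != (ext == "zip"):
        report["extension_mismatch"] = True
        report["reasons"].append("extension does not match content")
    if report["is_zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    report["entries"].append(info.filename)
                    if info.flag_bits & 0x1:      # bit 0 = entry is encrypted
                        report["encrypted_entries"].append(info.filename)
        except zipfile.BadZipFile:
            report["reasons"].append("archive cannot be parsed")
            return report
        if report["encrypted_entries"]:
            report["reasons"].append("encrypted entries cannot be scanned")
    return report


# --- constructed sample inputs (not real vendor files) ---------------------

def make_plain_zip() -> bytes:
    """Two small text files in one archive, like the vendor's update bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update1.txt", "price list, part 1\n")
        zf.writestr("update2.txt", "price list, part 2\n")
    return buf.getvalue()


def make_encrypted_flag_zip() -> bytes:
    """A one-entry archive with the 'encrypted' flag set in both headers.

    zipfile cannot write password-protected archives, so we build a stored
    entry and patch general-purpose flag bit 0 in the local header (offset 6)
    and in the central directory record (offset 8 after its signature).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("secret.txt", "not really encrypted\n")
    raw = bytearray(buf.getvalue())
    raw[6:8] = struct.pack("<H", 1)
    cd = raw.index(b"PK\x01\x02")
    raw[cd + 8:cd + 10] = struct.pack("<H", 1)
    return bytes(raw)


if __name__ == "__main__":
    for name, blob in [("updates.zip", make_plain_zip()),
                       ("updates.txt", make_plain_zip()),
                       ("locked.zip", make_encrypted_flag_zip())]:
        r = inspect_attachment(name, blob)
        print(name, "->", r["reasons"] or "ok", r["entries"])
```

A gateway built this way records why a message was held (unparseable archive, encrypted entries, name/content mismatch) instead of silently deleting it, which is the information David needed when the vendor's archive disappeared; a signature hit on otherwise clean compressed data, as petkoa suggests, would still be a separate false-positive case to raise with the scanner vendor.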
  • Pineappleman
I would agree with your vendor's claims. You should check with the filtering service to see how to avoid a "false" positive, if it could be done without compromising a procedure or algorithm used to decipher.
