One of our employees is having difficulty receiving e-mails from a vendor. The vendor is zipping up two text files and e-mailing the zip file to us. The Zip file is identified as a virus by our on-line e-mail filtering service and the e-mail is deleted before it hits our mail server. If the vendor sends the two text files without zipping them, they come through fine.
The vendor claims that our filtering service must be incorrectly analyzing something in the ZIP file that makes it think it contains a virus. I'm not so sure. I'm wondering about the possibility that a virus (the W32/Bagle.G in particular) can be introduced by the client's zipping program. Maybe the text files are clean, but if the zipping software was infected, the resultant zip file might be infected.
I haven't read any evidence of this behavior yet, but I'm looking. We've been using this on-line spam-and-virus filtering service for over a year, and this is the first time I've had a complaint of "false positives".
Thanks in advance,
David
ASKED:
November 1, 2005 12:22 PM
UPDATED:
November 3, 2005 10:25 AM
Howard2nd,
They were zipping the files to group them into one attachment. Size was not the problem here. This is a situation where the vendor sends out updates on a frequent basis and the number of text files is not constant.
David
Does the message you get when you receive the email state that it was blocked due to an infection of the W32/Bagle.G Virus? We typically configure our virus protection to block *.zip files that are encrypted with a password or that cannot be opened by the virus scanner, but some admins block anything by the extension, such as *.zip files. It’s typically easy to get around by renaming the .zip file to .txt. Tell the user to change it to .zip when saving it to the disk and it’ll open up fine. Try that and see if you are successful. More than likely, it will work.
SF
I’m curious what your AV Gateway appliance or software is.
I have seen this error with several common AV gateway systems where .zip or .txt extensions, or both were filtered by default.
Do you have administrative control over this gateway? Can you confirm that these file extensions are not blocked anywhere on the system?
Chris Weber
Layer9corp.com
hi,
try looking at the following:
a. zip protected by password ?
b. the file names are identical to the common Beagle characteristics, such as subject, filenames, extensions, message body words, etc.
thanks
moti
Hi,
A zip-replacing worm isn’t something unthinkable, but I haven’t heard any reports of something like this.
If your scanner is so specific about W32/Bagle.G, I wouldn’t suspect problems with encrypted zips or too-general rules, but rather a coincidental generation by the zipper of some bytes resembling the Bagle.G signature of the AV product.
BR,
Petko
Our filtering service responded to my support call and thinks it’s a false positive. Thanks for all your ideas and comments.
David
If I were you, I’d still try changing the .zip extension to something innocuous, like .txt, to test out the intelligence of the AV gateway. If it doesn’t verify its file format, then it probably should be upgraded to something more secure, although you might not be able to convince the admin to do that.
SF
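Two of the replies above (SF's rename test and moti's password-protected-zip check) come down to the same question: does the gateway judge an attachment by its bytes or by its file name? The following is an added example, not code from this thread or from any filtering product mentioned in it. It is a content-based check in Python that identifies a ZIP by its signature regardless of extension, walks the central directory, and reports password-protected entries (bit 0 of the general-purpose flag) and risky inner file names. The policy list RISKY_EXTENSIONS, the function names, and the sample archives built in memory are all assumptions for illustration.

```python
import io
import struct
import zipfile

# Signatures from the ZIP application note (APPNOTE.TXT)
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
END_OF_CD_SIG = b"PK\x05\x06"

# Assumed gateway policy list of extensions to refuse inside archives (not from the thread)
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def is_zip_by_signature(data: bytes) -> bool:
    """Decide 'is this a ZIP?' from the leading bytes; the file name is never consulted."""
    return data.startswith(LOCAL_HEADER_SIG) or data.startswith(END_OF_CD_SIG)


def zip_entries(data: bytes) -> list:
    """Walk the central directory and return one dict per entry.

    Bit 0 of the general-purpose flag is where password protection is recorded, so a
    gateway can detect 'I cannot open this' without attempting to decompress anything.
    """
    # The end-of-central-directory record sits at the very end, possibly followed by a comment
    eocd_at = data.rfind(END_OF_CD_SIG, max(0, len(data) - 22 - 65535))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    total_entries, _cd_size, cd_offset = struct.unpack("<HII", data[eocd_at + 10:eocd_at + 20])

    entries = []
    pos = cd_offset
    for _ in range(total_entries):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # Central file header after the signature and two version fields (offset 8):
        #   flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) name_len(2) extra_len(2) comment_len(2)
        flags, method, _t, _d, _crc, _csize, usize, name_len, extra_len, comment_len = struct.unpack(
            "<HHHHIIIHHH", data[pos + 8:pos + 34])
        raw_name = data[pos + 46:pos + 46 + name_len]
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
        entries.append({
            "name": name,
            "encrypted": bool(flags & 0x1),
            "method": method,
            "uncompressed_size": usize,
            "risky_name": name.lower().endswith(RISKY_EXTENSIONS),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def gateway_verdict(data: bytes, claimed_name: str = "") -> dict:
    """Content-based decision: the claimed attachment name is reported but never used to decide."""
    if not is_zip_by_signature(data):
        return {"claimed_name": claimed_name, "is_zip": False, "block": False, "reasons": [], "entries": []}
    entries = zip_entries(data)
    reasons = []
    if any(e["encrypted"] for e in entries):
        reasons.append("password-protected entries the scanner cannot open")
    if any(e["risky_name"] for e in entries):
        reasons.append("entries with executable extensions")
    return {"claimed_name": claimed_name, "is_zip": True, "block": bool(reasons),
            "reasons": reasons, "entries": entries}


def build_sample_zip(names_and_payloads, mark_encrypted=False) -> bytes:
    """Constructed test input: a stored (uncompressed) ZIP built in memory with the stdlib.

    zipfile cannot write password-protected archives, so when mark_encrypted is set the
    encryption bit is patched into both the local (offset 6) and central (offset 8) headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in names_and_payloads:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_off in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            at = data.find(sig)
            while at >= 0:
                data[at + flag_off] |= 0x01
                at = data.find(sig, at + 4)
    return bytes(data)


if __name__ == "__main__":
    clean = build_sample_zip([("update1.txt", "a=1\n"), ("update2.txt", "b=2\n")])
    for label, blob in (("vendor.zip", clean), ("vendor.txt", clean),
                        ("locked.zip", build_sample_zip([("update1.txt", "a=1\n")], mark_encrypted=True)),
                        ("notes.zip", b"this is plain text, whatever it is called\n")):
        print(label, gateway_verdict(blob, label))
```

Run as a script it prints the verdict for the same archive under two names (the decision is identical because only the bytes are examined), for a password-flagged archive, and for plain text misnamed as .zip. A gateway that behaves like this would not be fooled by SF's rename trick, which is exactly what his test is designed to find out.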
I would agree with your vendor’s claims.
You should check with the filtering service to see how to avoid a “false” positive, if it can be done without compromising a procedure or algorithm used to decipher.