Virus checker that removes zipped exe files from e-mail attachments

vbimport

#1

With the large number of fake delivery and invoice e-mails going around with a zipped exe file as their attached “document”, I am very surprised that both AVG and Avast don’t have a setting to automatically quarantine zipped attachments in e-mails that have application files inside. The vast majority of these infections are not detected by AVG and while Avast seems to detect more, it still misses the odd ones.

Going by the VirusTotal website with various random ones I scanned, most only show up as Malware by 2 or 3 scanners, particularly if I scan one right after receiving the e-mail. This is not really surprising since most infections are mass-spammed the moment the virus is written to reach recipients before the Antivirus companies get a chance to update their definitions.

From a quick check at the AVG business version on my PC at work, it does have an option to remove executable files, but this only applies to executable files on their own, not in any type of archive:

To give an example, I sent myself an e-mail with a zipped exe file (in this case the Autoruns utility) and it had no problem getting through as well as me running the application:

The same applied on my home PC running Avast Internet Security and I couldn’t find any option within Avast’s settings to block archived executable files.

As there are a wide range of anti-virus products on the market, does anyone know or use a virus checker that offers this ability?


#2

I think most of them scan the files within the zip and report if there are any problems rather than deleting the file.

At least I know Norton AV works that way.

There may be some you can configure like this but it’s not something I’ve ever tried TBH.

[B]Wombler[/B]


#3

My beloved Outpost Security Suite Pro can do that…:bigsmile:
Settings–>antimalware–>mail scanner–>“general–>scan archives” and “attachment filter”, where you can set the options, and even add your own (archive) extensions too…:bow::bow::clap:

But I see that you can specify filetypes manually too @ your AVG advanced settings…no archive extensions???:eek:


#4

I can specify archive extensions in AVG, but I don’t want to block ZIP files altogether, just archives which contain executable files inside, since I regularly receive legitimate e-mails with Zip files of multiple images, such as artwork images.

Since AVG has no problem disinfecting known infections in ZIP attachments (which I’ve seen it do), I don’t see why it can’t do a blanket block on all executable files in ZIP attachments like Gmail does.

According to the documentation, the “Remove all executable files” blocks COM, DRV, EXE, SCR, SYS,… (and about 20 other extensions), but only if they’re on their own. If they’re in a ZIP file, then AVG ignores them as my screenshot above shows.

I’ll give that Outpost Security Suite Pro a test run on my spare desktop PC for curiosity, thanks for the suggestion. :wink:


#5

I’ve given Outpost Security Suite Pro a try, but it looks like it has this problem also. :doh:

On the ‘General’ tab in Mail Scanner, I’ve ticked “Scan archives” and in the ‘Attachment Filter’ tab I selected the rename option and ensured ‘EXE’ was ticked below. I then resent the zipped EXE file from my other personal e-mail account. The e-mail came into Outlook and I had no problem opening the Zip attachment and launching the Autoruns EXE file inside. On the other hand, Outpost has a very strict firewall - I had to enable NetBIOS to access network drives.

It does make me wonder if anti-virus companies intentionally leave out this option - maybe it would be “too effective”, e.g. why offer e-mail protection if simply quarantining all Zip attachments with exe files inside could block >90% of infected attachments?

I tried contacting AVG business support about this last week (used my workplace’s license #), but never received a response.


#6

[QUOTE=Seán;2705393] The e-mail came in Outlook and I had no problem opening the Zip attachment and launching the Autoruns EXE file inside.[/QUOTE]

Did you put a checkmark for the .zip extension in the attachment filter list?
Normally, Outpost adds the *.amw extension, and you are explicitly asked by a warning window if you really want to rename it before you can open the .zip… on my system anyway… :slight_smile:


#7

I use an old stand-alone e-mail program called Eudora (yeah, the old one by Qualcomm); it allows me to preview my mail without actually opening anything.

In settings it deletes any and all attachments when the e-mail item is put in the trash bin.

So for me the simple solution is not opening mail with my browser which is an exercise in “inherent vulnerability”.


#8

With the recent havoc caused by the new nasty malware Cryptolocker, a computer technician who runs FoolishIT has noticed this problem, in that antivirus products are simply not doing enough to stop booby-trapped ZIP attachments, and has decided to do something about it by creating CryptoPrevent.

While this utility has been designed to prevent one getting infected by Cryptolocker, it also has the ability to stop the vast majority of malware from being able to infect a PC, even if the booby-trapped ZIP file has already been extracted. The way it works is that it prevents malware from being able to hide itself in various hidden directories a normal non-admin user has write access to, such as the AppData paths and the recycle bin.

In its ‘Maximum protection’ mode, it prevents executables (including .SCR, .COM and .PIF extensions) from launching inside a ZIP file, whether attached or downloaded.

As a test, I sent myself two e-mails - one with ‘Autoruns.exe’ inside a ZIP file and the other with a modified ‘Robocopy.exe’ to simulate an infected legitimate application. With the Robocopy executable, I used a binary file editor to change the word ‘Files’ to ‘files’ where I came across some plain text inside. This should trigger any antivirus product that does checksum (e.g. SHA1) tests against a whitelist, like IE10’s SmartScreen technology.

One PC with Windows 7 has Avast Internet Security 2014 and the other PC with Windows 8.1 is running AVG Business Edition 2013. After a minute, I received both e-mails in my Inbox on the two PCs and neither virus checker reported anything unusual.

Before using CryptoPrevent, I tried opening the ZIP file and launching the EXE file inside. On my Windows 7 PC with Avast, I had no problem launching both executable files. On my Windows 8 PC with AVG, the Autoruns file launched (as shown earlier in the first post above), but the modified Robocopy.exe file threw up a Windows 8 SmartScreen warning:

To start with, it looks like Windows 8 already does a pretty good job at blocking dodgy executable files, at least this slightly modified file anyway.

I then gave the free portable version of CryptoPrevent a try with its Maximum setting on both PCs, which is where I tick the following field to block temporarily extracted executable files:

I rebooted both PCs and everything seemed fine, so I then tried opening the two e-mails I sent myself and launching the executable file inside. Not this time: :disagree:

So far the only problem I have run into is that some self-extracting software will not launch, giving a group policy warning. The following example is when I tried running the AVG setup file:

For an advanced user, i.e. one who knows not to open executable files they find in Zip attachments claiming to be from DHL, Amazon, etc. the “Block temporarily extracted files” setting can remain unchecked, but for the novice PC users, especially those who regularly call for help to install new software, updates, etc. anyway, this setting should remain checked.

Should this group policy issue occur with a legitimate installer, it’s just a matter of launching CryptoPrevent and unchecking that setting, then installing the affected software and finally running CryptoPrevent again to re-enable the setting. This takes just a few seconds and is no more hassle than unlocking a boiler room door to let a plumber service it.

So far I haven’t actually tried CryptoPrevent against actual malware infections, but you can see a video of it in action against the Cryptolocker virus in this thread.

Ideally, I would still like to see the Antivirus product makers implement the missing mail scanner option, i.e. Quarantine all archive (ZIP, RAR, etc) attachments that contain any executable file.
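The mail-scanner option asked for in posts #1, #4 and #8 (let ZIPs of images through, quarantine any archive that has an executable inside) is simple enough to express as a filter. The following is an added example written for this thread, not code from AVG, Avast, Outpost or CryptoPrevent. It walks the MIME attachments of one message, opens ZIP attachments in memory (nothing is extracted to disk, so nothing becomes launchable), and flags a member either by an executable extension or by the `MZ` header of a Windows PE file, which catches an .exe renamed to .pdf. The extension list, the size and nesting limits, and the sample invoice mail it builds are all constructed for the example; the list is not AVG's actual "Remove all executable files" list. Only ZIP is handled; RAR and 7z would need a third-party library.

```python
"""Added example: quarantine archive e-mail attachments that contain executables."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly. Constructed for this example from the
# ones named in the thread (COM, DRV, EXE, PIF, SCR, SYS) plus common script
# and installer types; it is NOT a vendor's real list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".drv", ".sys", ".cpl",
    ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1",
}
MAX_NESTED_BYTES = 8 * 1024 * 1024   # assumed limit: refuse to unpack bigger nested zips
MAX_DEPTH = 3                        # assumed limit: levels of zip-in-zip to inspect
ZIP_MAGIC = b"PK\x03\x04"


def looks_executable(name: str, head: bytes) -> bool:
    """True if the extension is executable or the content starts with the MZ
    header of a PE file (an .exe renamed to .txt or .pdf still starts with MZ)."""
    ext = os.path.splitext(name)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS or head[:2] == b"MZ"


def executables_in_zip(data: bytes, depth: int = 0) -> list:
    """Return the names of executable members, descending into nested zips in
    memory. Encrypted and oversized nested members cannot be inspected; they
    are reported as findings too, because an uninspectable archive is not safe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:                  # bit 0 = member is encrypted
                findings.append(info.filename + " (encrypted, not inspectable)")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)                     # only the magic bytes are read
            if looks_executable(info.filename, head):
                findings.append(info.filename)
            elif head == ZIP_MAGIC and depth < MAX_DEPTH:
                if info.file_size > MAX_NESTED_BYTES:  # zip-bomb guard
                    findings.append(info.filename + " (oversized nested archive)")
                    continue
                inner = executables_in_zip(zf.read(info), depth + 1)
                findings += [info.filename + "/" + n for n in inner]
    return findings


def classify_message(raw: bytes) -> list:
    """Return one (filename, verdict, findings) tuple per MIME attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == ZIP_MAGIC or name.lower().endswith(".zip"):
            try:
                findings = executables_in_zip(payload)
            except zipfile.BadZipFile:
                findings = ["<corrupt or unreadable archive>"]
        elif looks_executable(name, payload[:4]):     # bare executable attachment
            findings = [name]
        else:
            findings = []
        results.append((name, "QUARANTINE" if findings else "ALLOW", findings))
    return results


def _zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (helper for the sample mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test mail, not a real sample: a zipped 'invoice' executable,
    a zip of images, and a nested zip holding an MZ file renamed .pdf."""
    mz_stub = b"MZ" + b"\x90" * 64                    # PE magic only, not a real program
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 32    # JPEG magic only
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(_zip({"Invoice_2013.exe": mz_stub}),
                       maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(_zip({"art1.jpg": jpeg_stub, "art2.jpg": jpeg_stub}),
                       maintype="application", subtype="zip", filename="artwork.zip")
    msg.add_attachment(_zip({"docs.zip": _zip({"statement.pdf": mz_stub})}),
                       maintype="application", subtype="zip", filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, findings in classify_message(build_sample_message()):
        print(f"{verdict:10} {name:15} {findings}")
```

On the constructed mail this quarantines `Invoice.zip` (executable by extension) and `statement.zip` (MZ content two levels down), and allows `artwork.zip`, which is the behaviour the thread wants: blocking ZIPs of pictures is never needed. Two design points worth keeping in a real deployment: the magic-byte check runs on every member regardless of name, and an archive the filter cannot look inside (encrypted, or too large to unpack safely) is treated as a finding rather than silently allowed.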

#9

[QUOTE=Seán;2708484]…Foolish IT has noticed this problem in that Antivirus products are simply not doing enough…[/QUOTE]
I was searching Kaspersky’s website for “CryptoLocker” and was told this keyword had zero results.

I am going to search the other popular vendors’ support sites and see what kind of acknowledgement they give.

It’s pretty disheartening - I’m not a fan of K’s but some neighbors use it.


#10

[QUOTE=ChristineBCW;2708489]I was searching Kaspersky’s website for “CryptoLocker” and was told this keyword had zero results.

I am going to search the other popular vendors’ support sites and see what kind of acknowledgement they give.

It’s pretty disheartening - I’m not a fan of K’s but some neighbors use it.[/QUOTE]

Kaspersky labels it under different aliases.

You’ll find further details here.

[B]Wombler[/B]


#11

Wombler, thanks for that.

Here’s the original basis for my shock/displeasure - the simple search from the USA.KASPERSKY home-page search field = cryptolocker.
Your link shows that at least someone had good success somewhere two weeks ago (end of Oct) using K’s good rescue CDs.

But it’s distressing that I couldn’t find this forum from that main USA.K website. And when the main website has zero results on this very harmful virus, Kaspersky seems to be giving zero acknowledgement of its existence - or else of its ability to deal with it.

If I was looking for a new AV program, I’d do a similar search and would immediately ‘scratch’ any product that failed to give a Search result on their main page.

So I understand why Foolish-IT used that “not doing enough” comment.


#12

I was playing with HitManPro which offers a Free Scan Only. Except I had to download their software and run the Installation Package, carefully reading to choose between “Install” (the button to install their commercial demo) or the “Next” button - which is their button for the Scan Only Process they used on the preceding page. This is explained in tiny print.

(They make the buttons large enough to write 2-3 words in easily, but instead try to trick users into making an error. Sheesh. Thanks… wot a nice concept for an AV company… is there any wonder I usually believe AV companies are #1 sources of virus attacks in the first place?!!)

Their scan alerted me that a couple of RealTek drivers were “suspicious” (apparently unsigned) but I could “ignore” them. How nice. OK, fine.

Then I discovered that Hitman didn’t “install” anything except an uninstallable Notifications Alert icon and service. GRRR…

The Refusal To Clean Up After One’s Self has always been a pet peeve of mine. And it’s especially unpleasant when HitManPro claims to be providing “cloud scanning services” for other AV vendors but apparently forces users to install portions of itself for that “cloud scanning” service.

But won’t clean up after itself. Nice. Real nice.

This reminds me to do all my AV tests this week on a machine I am planning on wiping out anyway… that’s OK - a few Win8.1’s will do the trick. Their drivers are simply too flaky to leave running Win8.1 for real uses.


#13

[QUOTE=ChristineBCW;2708567]I was playing with HitManPro which offers a Free Scan Only. Except I had to download their software and run the Installation Package, carefully reading to choose between “Install” (the button to install their commercial demo) or the “Next” button - which is their button for the Scan Only Process they used on the preceding page. This is explained in tiny print.

(They make the buttons large enough to write 2-3 words in easily, but instead try to trick users into making an error. Sheesh. Thanks… wot a nice concept for an AV company… is there any wonder I usually believe AV companies are #1 sources of virus attacks in the first place?!!)

Their scan alerted me that a couple of RealTek drivers were “suspicious” (apparently unsigned) but I could “ignore” them. How nice. OK, fine.

Then I discovered that Hitman didn’t “install” anything except an uninstallable Notifications Alert icon and service. GRRR…

The Refusal To Clean Up After One’s Self has always been a pet peeve of mine. And it’s especially unpleasant when HitManPro claims to be providing “cloud scanning services” for other AV vendors but apparently forces users to install portions of itself for that “cloud scanning” service.

But won’t clean up after itself. Nice. Real nice.

This reminds me to do all my AV tests this week on a machine I am planning on wiping out anyway… that’s OK - a few Win8.1’s will do the trick. Their drivers are simply too flaky to leave running Win8.1 for real uses.[/QUOTE]
Christine, Hitman Pro uses Kaspersky, Bitdefender and Eset detections. It actually is a very good program for a second-chance scanner; it’s fast and well worth using, but it comes with a moderate price tag, 3 computers for 39.00. I happen to like it, and use it on one of my rigs.


#14

I paid attention to it because of its good reputation, but it offends me that they will insist on leaving programmer-droppings on a computer for any reason - free or paid. And once they have their hooks into a customer’s pocketbook, what’s to prevent them from setting those hooks in a far more extortionist capacity - a la Symantec, who used to replace Windows system files with their own versions so that removal of Symantec’s memory-gobblers was nigh-on impossible?

It’s an offensive strategy that displays a willingness to be at least messy and lazy as programmers, or perhaps the more devious extortion-capable software that it’s supposed to protect customers against.

There’s no reason a programmer should insert Registry Entries without removing them… no reason they can’t remove every entry that they create. None - except “lazy”, “thoughtless” or far far worse. Those are NOT the hallmarks of good programming.


#15

Christine, I’ve recently tried this uninstaller program called Revo Uninstaller Pro. It’s done a remarkable job of uninstalling stubborn Chinese malware and programs that avoid being listed in the regular Windows uninstall/install section or CCleaner’s uninstall tool. Revo Uninstaller even detects the “droppings” in other folders and seems to remove them. I’d recommend you give it a try. I think there is a 30-day free trial period.


#16

Yes, there are 3rd party uninstallers but, still, programmers put in, programmers SHOULD take out. It bothers me that there is a carelessness with ‘wiping their own bottoms’ and I can’t help but wonder, “If the programmers are too stupid or too lazy to do these LITTLE things, exactly how much confidence should I have in their ability to accomplish the BIG things?”

That should be my sig on every complaint I’ve had about Microsoft Office products, too.


#17

For any virus checker company that thinks their detection/definitions coverage is superior… :disagree:

I received this in a Zipped attachment just a moment ago claiming to be from RBS bank about an outstanding invoice.



#18

The AVG subscription at my workplace is about to expire, so we’ve decided to reply to the support agent saying that we’ll not renew unless AVG offers the ability to quarantine e-mail Zip attachments that have any executable files inside.

They’re pretty quick replying back and asked me to forward an example to their labs e-mail address. It didn’t take long for such an e-mail to arrive, which appeared to be from Sky Broadband. I scanned the attachment with VirusTotal and just 2 of 47 checkers detected it (AhnLab-V3 and TrendMicro-HouseCall), with the infection being Zbot / Cryptolocker dropper - A nasty surprise for Sky customers who get their invoice by e-mail. :eek: So I’ve forwarded this infection.

While AVG apologised for this issue, they seemed more interested in me forwarding samples to AVG to improve their definitions than just implementing a blanket block. :doh:

Anyway, I’ll see if anything happens as the mid-February expiration date approaches. If not, we’re planning on moving to a combination of Malwarebytes for Business, Windows 8’s own virus protection and Cryptoprevent updates.


#19

My .02 cents is common sense when clicking on links, but so far my usage of Avira Free, and now switching to MSE, has been good. Plus it’s free and integrated with Windows Update; one couldn’t ask for more from software that keeps up to date with security and malware detection and scanning all in one. Besides, it makes Windows updating automatic to prevent more holes from being broken through.


#20

[QUOTE=Seán;2715841]The AVG subscription at my workplace is about to expire, so we’ve decided to reply to the support agent saying that we’ll not renew unless AVG offers the ability to quarantine e-mail Zip attachments that have any executable files inside.

They’re pretty quick replying back and asked me to forward an example to their labs e-mail address. It didn’t take long for such an e-mail to arrive, which appeared to be from Sky Broadband. I scanned the attachment with VirusTotal and just 2 of 47 checkers detected it (AhnLab-V3 and TrendMicro-HouseCall), with the infection being Zbot / Cryptolocker dropper - A nasty surprise for Sky customers who get their invoice by e-mail. :eek: So I’ve forwarded this infection.

While AVG apologised for this issue, they seemed more interested in me forwarding samples to AVG to improve their definitions than just implementing a blanket block. :doh:

Anyway, I’ll see if anything happens as the mid-February expiration date approaches. If not, we’re planning on moving to a combination of Malwarebytes for Business, Windows 8’s own virus protection and Cryptoprevent updates.[/QUOTE]

How many of them detect it when you open the zip though?

It could be the case that they don’t scan within zips until you open them.

I’m not sure how those tests work, but can you run them on the .exe to see?

Otherwise it’s extremely worrying that only 2 out of 47 virus checkers picked up on this. :eek:

Kaspersky and Symantec seem to be at the top of their form ATM according to very recent group tests.

For the record MS Security Essentials got the lowest rating blocking only 66 of the 100 live threats tested. :eek:

[B]Wombler[/B]