
Reject emails with ZIP files containing EXE files

Discussion in 'Workarounds and Optimization' started by Diniel, Mar 24, 2013.

  1. Diniel

    Diniel Member

    Gmail automatically rejects emails with ZIP attachments that contain either other ZIPs or executable programs.

    How can I get cPanel / Clam AV to do that?

    I'm getting a crazy number of users complaining that they were stupid enough to run an attachment to an email from "FedEx" or a "Flight e-ticket" etc. Their fault really, but they are assuming that their email gets to them safely because they know it's checked for viruses. The attachments aren't always viruses, and sometimes they're delivered before ClamAV knows about that particular virus. The easy answer seems to be to block all executables: so rare is it that they'd be sent legitimately, I don't think there could be a downside.

    I *don't* want to reject ZIP attachments, only ZIPs that include executables (so *.exe, *.bat, *.com, *.pif)
     
  2. arunsv84

    arunsv84 Well-Known Member

    There is an option in Exim to reject emails with dangerous attachments. Log into your WHM >> click on Service Configuration >> Exim Configuration Editor. In the second section down (titled Filters), the very top line should read "Reject messages with potentially dangerous attachments". You can check this box. I believe that by default, Exim is set up to reject messages with "potentially dangerous attachments". You can see a list of which file extensions Exim is currently blocking in this file.

    You can also configure a filter to discard certain email attachments like .tar.gz, .exe, etc. from the user's cPanel >> User Level Filtering.

    Cheers!!!
     
  3. Alejandro P

    Alejandro P Well-Known Member

    Hello, the mentioned file recommends

    And this is certainly what we need to stop.

    ClamAV is not detecting these virus variants and it is becoming more and more common each day. Any working alternatives to prevent these emails from being delivered?
     
  4. sneader

    sneader Well-Known Member

    The fake invoice .zip files are really running wild at the moment. Would be interested in knowing if it's possible to implement what the original poster was asking.

    - Scott
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There are no native features that will block zip attachments with .exe or .zip files within the archive. Feel free to submit a feature request for this via:

    Submit A Feature Request

    Thank you.
     
  6. Stefaans

    Stefaans Well-Known Member

    I found a simple way of blocking zipped executable attachments using a custom ClamAV rule over at gossamer-threads.com/lists/clamav/users/60385.

    1) Create the custom rule file in the ClamAV database directory. For cPanel, the database directory is /usr/local/cpanel/3rdparty/share/clamav. Save the custom rule file with an extension .cdb (I think it stands for custom db) so that ClamAV will recognize it.

    Example using nano:
    nano /usr/local/cpanel/3rdparty/share/clamav/exe_in_archive.cdb

    The file contents list the zipped file extensions we do not want to accept:
    Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
    Archived_SCR:*:*:.*\.scr:*:*:*:*:*:*
    Archived_PIF:*:*:.*\.pif:*:*:*:*:*:*
    Archived_COM:*:*:.*\.com:*:*:*:*:*:*


    2) Save the file and restart the ClamAV service:

    /usr/local/cpanel/scripts/restartsrv_clamd

    That's it!
     
    #6 Stefaans, Jun 4, 2015
    Last edited by a moderator: Jun 15, 2015
  7. Stefaans

    Stefaans Well-Known Member

    My solution above works well, but unfortunately a bit too well! I found that any filesystem scan by ClamAV (e.g. when using ConfigServer Exploit Scanner) would have the custom rule trigger. This has been causing problems for clients uploading WordPress and other installation packages. So, back to Google...

    I found a nice alternative solution that uses Exim and Exiscan, thus scanning email only. The original instructions are at lucamattarozzi.blogspot.ca/2014/09/exim-block-windows-dangerous-file.html . Here is my version, changed for a cPanel server.

    Step 1) Create the shell script that will peek inside ZIP attachments
    I am calling the script /etc/exim_check_zip.sh

    #!/bin/bash
    # Exim passes the message id as $1; demime has unpacked the MIME parts
    # into this spool directory. Bail out (non-zero => Exim "deny") if it is missing.
    cd "/var/spool/exim/scan/${1}" || exit 2
    # Look at every part whose name contains ".zip"
    for i in $( ls | egrep -i '[.]zip' )
    do
        # unzip -l prints a header and a footer; keep only the member lines and
        # exit 1 if any member name ends in one of the listed extensions
        if [ $( unzip -l "${i}" | \
            tail -n +4 | head -n -2 | \
            egrep -i '[.](bat|cmd|com|cpl|exe|msi|vb|vbs)$' | \
            wc -l ) -gt 0 ]
        then
            exit 1
        fi
    done
    exit 0


    The script detects files with the extensions .bat, .cmd, .com, etc. You can modify the list to add or remove file extensions as you see fit.

    Step 2) Configure Exim to use the shell script and block messages with unwanted attachments
    • In WHM, open the Exim Configuration Manager and then go to the Advanced Editor.
    • Scroll down to the section named custom_end_exiscanall. (I suspect that the custom_start_exiscanall will work as well, but did not test it.)
    • Enter the following text in the input box, scroll down and Save to rebuild the Exim configuration:
    deny message = Attachment has potentially harmful file inside zip attachment
         log_message = Zip attachment with executable file rejected.
         demime = zip
         condition = ${run{/bin/sh -c '/etc/exim_check_zip.sh $message_exim_id'}{0}{1}}

    I hope this helps keep those bad emails out of inboxes!
     
    #7 Stefaans, Jun 12, 2015
    Last edited by a moderator: Jun 15, 2015
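    The same "peek inside the ZIP" check as an added example, written here for this page and not taken from the thread, from cPanel or from the blog post it cites: a standard-library Python reimplementation that also descends into nested ZIPs (the case the first post mentions) and keeps the exit-code contract Exim's ${run{...}{0}{1}} condition relies on. The spool path is the one the thread uses; the file names, the extension list (the script's list plus the .scr/.reg/.pif additions later in the thread) and the sample archives are constructed for the example.

```python
"""Peek inside a ZIP attachment the way the thread's exim_check_zip.sh does.

Added example (not the thread's, cPanel's or the cited blog's code): a
standard-library Python version of the check that also walks nested ZIPs and
keeps the thread's exit-code contract for Exim's ${run{...}{0}{1}} condition.
Sample archives below are constructed in memory; nothing here is real malware.
"""
import io
import os
import re
import sys
import tempfile
import zipfile

# Extension list from the thread's script plus .scr/.reg/.pif from later posts.
DANGEROUS_EXT = re.compile(
    r"\.(bat|cmd|com|cpl|exe|msi|pif|reg|scr|vb|vbs)$", re.IGNORECASE)
NESTED_EXT = re.compile(r"\.zip$", re.IGNORECASE)
MAX_DEPTH = 3                        # zip-in-zip-in-zip chains stop here
MAX_NESTED_BYTES = 8 * 1024 * 1024   # never inflate a nested archive bigger than this


def risky_members(data: bytes, reject_nested: bool = False, depth: int = 0) -> list:
    """Return member names ending in a dangerous extension, walking nested ZIPs
    up to MAX_DEPTH. reject_nested=True also reports the nested ZIP itself (the
    stricter rule the first post attributes to Gmail). Only member *names* are
    examined, so password-protected archives are still checked by name; their
    nested ZIPs simply cannot be opened and are skipped."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if DANGEROUS_EXT.search(name):
                hits.append(name)
            elif NESTED_EXT.search(name):
                if reject_nested:
                    hits.append(name)
                if depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                    try:
                        inner = zf.read(info)          # RuntimeError if encrypted
                    except (RuntimeError, zipfile.BadZipFile):
                        continue
                    if zipfile.is_zipfile(io.BytesIO(inner)):
                        hits.extend(name + "/" + h for h in
                                    risky_members(inner, reject_nested, depth + 1))
    return hits


def check_spool_dir(scan_dir: str) -> int:
    """Exit-code contract of the thread's script: 0 = clean, 1 = risky member
    found, 2 = an archive could not be parsed. Exim's ${run{...}{0}{1}} yields
    "1" (deny) for *any* non-zero status, so a script that cannot even start
    (missing execute bit, bad shebang, unzip not installed) bounces every ZIP;
    keeping 2 distinct and logging it makes that failure mode visible."""
    status = 0
    for entry in sorted(os.listdir(scan_dir)):
        path = os.path.join(scan_dir, entry)
        if not entry.lower().endswith(".zip") or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                hits = risky_members(fh.read())
        except zipfile.BadZipFile:
            print(f"{entry}: not a valid ZIP, cannot inspect", file=sys.stderr)
            status = 2
            continue
        if hits:
            print(f"{entry}: rejected, contains {', '.join(hits)}", file=sys.stderr)
            return 1
    return status


def build_zip(members: dict) -> bytes:
    """Constructed sample: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments ("MZ" is only the EXE magic, not a program).
SAMPLES = {
    "invoice_txt.zip": build_zip({"invoice.txt": b"plain text"}),
    "invoice_exe.zip": build_zip({"Invoice_2015.PDF.exe": b"MZ"}),
    "nested.zip": build_zip({"inner.zip": build_zip({"setup.SCR": b"MZ"}),
                             "readme.txt": b""}),
    "lookalike.zip": build_zip({"notes.exe.txt": b"the $ anchor matters"}),
    "corrupt.zip": b"not a zip at all",
}


def demo_spool_check(names) -> int:
    """Write the named SAMPLES into a temporary 'spool' directory and run the
    same check Exim would trigger; returns the exit status."""
    with tempfile.TemporaryDirectory() as spool:
        for n in names:
            with open(os.path.join(spool, n), "wb") as fh:
                fh.write(SAMPLES[n])
        return check_spool_dir(spool)


if __name__ == "__main__":
    if len(sys.argv) == 2:   # invoked by Exim with the message id, as in the thread
        sys.exit(check_spool_dir(os.path.join("/var/spool/exim/scan", sys.argv[1])))
    for n in ("invoice_txt.zip", "invoice_exe.zip", "nested.zip", "lookalike.zip"):
        print(n, risky_members(SAMPLES[n]))
    print("clean spool ->", demo_spool_check(["invoice_txt.zip", "lookalike.zip"]))
    print("spool with exe ->", demo_spool_check(["invoice_txt.zip", "invoice_exe.zip"]))
    print("unparsable archive ->", demo_spool_check(["corrupt.zip"]))
```

    Two points the samples make: the `$` anchor on the extension pattern (the same one the thread's egrep uses) is what keeps `notes.exe.txt` from being rejected, and a status of 2 for an archive that cannot be parsed is still a "deny" under `{0}{1}`, so the log line is the only way to tell a rejection from a broken check.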
  8. steventay

    steventay Member

    This script does not work for me.

    It seems to bounce all zip files.

    I tested:

    a zip file with a txt
    a zip file with a reg
    a zip file with an exe

    All bounce.

    My VPS is:
    CENTOS 6.6 x86_64 virtuozzo WHM 11.48.4 (build 4)
    ConfigServer Security & Firewall - csf v7.73

    plugin
    Name: clamavconnector
    Author: cPanel Inc.
    Installed Version:
    Version: 0.97.8-3.6
     
    #8 steventay, Jul 8, 2015
    Last edited by a moderator: Mar 7, 2016
  9. steventay

    steventay Member

    I have entered the extensions below. Is it better? Using this method seems to work.

    Is this the better method?

    Archived_BAT:*:*:.*\.bat:*:*:*:*:*:*
    Archived_BTM:*:*:.*\.btm:*:*:*:*:*:*
    Archived_CMD:*:*:.*\.cmd:*:*:*:*:*:*
    Archived_COM:*:*:.*\.com:*:*:*:*:*:*
    Archived_CPL:*:*:.*\.cpl:*:*:*:*:*:*
    Archived_DAT:*:*:.*\.dat:*:*:*:*:*:*
    Archived_DLL:*:*:.*\.dll:*:*:*:*:*:*
    Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
    Archived_LNK:*:*:.*\.lnk:*:*:*:*:*:*
    Archived_MSI:*:*:.*\.msi:*:*:*:*:*:*
    Archived_PIF:*:*:.*\.pif:*:*:*:*:*:*
    Archived_PRF:*:*:.*\.prf:*:*:*:*:*:*
    Archived_REG:*:*:.*\.reg:*:*:*:*:*:*
    Archived_SCR:*:*:.*\.scr:*:*:*:*:*:*
    Archived_VB:*:*:.*\.vb:*:*:*:*:*:*
    Archived_VBS:*:*:.*\.vbs:*:*:*:*:*:*
    Archived_URL:*:*:.*\.url:*:*:*:*:*:*
    Archived_PIF:*:*:.*\.pif:*:*:*:*:*:*
     
  10. keat63

    keat63 Well-Known Member

    I've been looking for exactly this.
    Please keep us updated of the outcome.
     
  11. Stefaans

    Stefaans Well-Known Member

    @steventay The solution that I posted worked fine in WHM 11.48 at the time and currently works fine in WHM 11.50. (And keep in mind that I simply tweaked someone else's working solution.)

    My guess is that Exim is not getting a 0 response from the bash script for a regular zip file as it should. You have the contents of /etc/exim_check_zip.sh file exactly as I posted, right? And the script permissions as rwxr-xr-x (755)? And the condition statement in your Exim configuration is referencing the bash script path exactly, right?

    I have attached the shell script. Unzip it and see if it works for you ;)
     

  12. steventay

    steventay Member

    Final testing: I have set the permission.

    It is able to run if I use your file.

    I created it as below and it is not working:

    #!/bin/bash
    # Same script as above, with "reg" added to the extension list
    cd "/var/spool/exim/scan/${1}" || exit 2
    for i in $( ls | egrep -i '[.]zip' )
    do
        if [ $( unzip -l "${i}" | \
            tail -n +4 | head -n -2 | \
            egrep -i '[.](bat|cmd|com|cpl|exe|msi|reg|vb|vbs)$' | \
            wc -l ) -gt 0 ]
        then
            exit 1
        fi
    done
    exit 0

    Latest update as below:

    I used your file and inserted the text below inside, without entering a new line:
    reg|

    and it is working now and also blocks reg.

    Thank you.
     
    #12 steventay, Jul 9, 2015
    Last edited: Jul 9, 2015
  13. steventay

    steventay Member

    One question: is unzip able to test for 7z and rar files?
     
  14. Stefaans

    Stefaans Well-Known Member

    Glad you got it working! The bash script uses the unzip command, which means it tests for ZIP files only.
     
  15. steventay

    steventay Member

    OIC, thank you.

    I have found other solutions, as below:

    i) mailshark
    I found one cloud solution for checking attachments.

    mailshark.com.au

    This free cloud service is able to block virus attachments and prohibited files like exe, even within a zip file.

    The only bad thing is that the quarantine report is sent daily only, and you have to log in to the website to see it and release the email, rather than from the email report.

    I tested it for a while only and below is the status:

    Processed 54
    Clean 50
    High scoring spam 1
    Low scoring spam 1
    Virus infected 0
    Policy blocked 2
    Inbound queues 0
    Outbound queues 0

    mailshark can help to create additional policies to block attachments under your domain.


    ii) mxguarddog
    Another free cloud solution, which I have used for a few years:

    mxguarddog.com

    You can specify what attachments to block, and release can be done from the email report sent 4 times a day.

    The only bad thing is that they cannot scan attachments within a zip to check whether the extensions you block are in there.

    It can only do a level 1 scan.
     
    #15 steventay, Jul 10, 2015
    Last edited by a moderator: Mar 7, 2016
  16. steventay

    steventay Member

    Hi Stefaans,

    The script works for zip.

    Recently I received a rar file with an exe inside.

    Is it possible to check rar and 7z compressed files at the same time?
     
    #16 steventay, Mar 7, 2016
    Last edited: Mar 7, 2016
  17. steven168

    steven168 Member

    Hi Stefaans,

    Somehow the same script does not work in WHM 54.0 (build 19).
     
  18. Richard Franklin

    I've been looking for exactly this.
    Please keep us updated of the outcome.:)
     
