Detection of e-mail worms in password-protected files (April 14, 2004)

Support article

Some e-mail worms, such as the widespread Bagle family, use password-protected archives in an attempt to fool antivirus scanners: the scanner cannot open the archive, so it cannot see the worm inside. F-Secure Anti-Virus provides methods for detecting the presence of suspicious files inside encrypted archives. These methods provide generic detection and work for all present and future worms that use a similar technique.

These features are disabled by default because they have a negative impact on scanning performance. This article describes how to enable them so that worms cannot spread through password-protected archives.

F-Secure Anti-Virus client products

These instructions apply to F-Secure Anti-Virus for Workstations and F-Secure Anti-Virus Client Security. Once the change has been made, these products detect suspicious password-protected archives as PSW-Worm. Note that the change slows down scanning of archives in general.

Using Policy Manager

  1. Use the View menu to activate the Advanced mode in Policy Manager.
  2. Select a host or policy domain in the left pane. The change is applied to the selected host, or to all hosts belonging to the selected domain and its sub-domains.
  3. Select the Policy tab in the middle pane.
  4. Expand the F-Secure/F-Secure Anti-Virus/Settings branch and select the Plug-ins table.
  5. In the table editor displayed in the right pane, set the Custom settings field for F-Secure AVP to MFlags=0x00170002;f-secure=use_avp_archives
  6. Distribute the new policies.

Locally using the poltab tool

Issue the following command:

poltab -r2 -v5MFlags=0x00170002;f-secure=use_avp_archives 12.1.12

The poltab tool is not part of the product delivery package; see the download link at the end of this article.

F-Secure Anti-Virus for Windows Servers

Once the change has been made, suspicious password-protected archives are detected as PSW-Worm. Note that the change slows down scanning of archives in general.

Using Policy Manager

  1. Use the View menu to activate the Advanced mode in Policy Manager.
  2. Select a host or policy domain in the left pane. The change is applied to the selected host, or to all hosts belonging to the selected domain and its sub-domains.
  3. Select the Policy tab in the middle pane.
  4. Expand the F-Secure/F-Secure Anti-Virus/Settings branch and select the Plug-ins table.
  5. In the table editor displayed in the right pane, set the Custom settings field for F-Secure AVP to MFlags=0x00170002;f-secure=use_avp_archives
  6. Distribute the new policies.

Locally using the poltab tool

Issue the following command:

poltab -r2 -v5MFlags=0x00170002;f-secure=use_avp_archives 31.1.12

The poltab tool is not part of the product delivery package; see the download link at the end of this article.

F-Secure Anti-Virus Mail Server and Gateway Products

These instructions apply to F-Secure Anti-Virus for Firewalls, F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper. The configuration described below stops attachments that are likely to contain worms using this technique. After the change, dropped attachments are quarantined by default and the e-mails are delivered without the attachment. Note that the product may then also block legitimate attachments that happen to resemble those used by e-mail worms, so check the quarantine for false positives.
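
The following is an added example, written for this article and not F-Secure product code. It illustrates both the generic check described at the start of the article and the gateway behaviour described above, and it goes a little beyond the page in explaining why the check needs no password: traditional ZIP encryption scrambles only the member data, while the central directory with member names, sizes and checksums stays in the clear, so an encrypted archive that lists an executable member can be flagged without the password and without a signature for the particular worm. SUSPECT_EXTENSIONS stands in for the Scan Extensions Inside Archives setting and is an assumed list; build_zip, classify_archive, content_scannable, strip_suspect_attachments and sample_message are names chosen here, and the mail and archives they produce are constructed samples, not captured worm traffic.

```python
import io
import os
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed stand-in for the "Scan Extensions Inside Archives" setting: an
# encrypted member with one of these extensions makes the archive suspect.
SUSPECT_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta"}


def build_zip(entries, encrypted):
    """Build a minimal stored ZIP from (name, data) pairs (fixture only).
    zipfile cannot write traditional PKZIP encryption, so for encrypted=True
    general-purpose flag bit 0 is set and the payload is replaced by a fake
    12-byte encryption header plus opaque bytes, which is all a scanner sees.
    The central directory (names, sizes, CRCs) is never encrypted in ZIP."""
    flags = 0x0001 if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, data in entries:
        fname = name.encode("ascii")
        payload = b"\x00" * 12 + bytes(b ^ 0x5A for b in data) if encrypted else data
        crc, offset = zlib.crc32(data), len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(payload), len(data), len(fname), 0)
        local += fname + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0x21, crc, len(payload), len(data),
                               len(fname), 0, 0, 0, 0, 0, offset)
        central += fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def classify_archive(data):
    """Return "PSW-Worm" if an encrypted member has a suspect extension,
    "encrypted" if members are encrypted but look harmless, else "clean".
    Only the central directory is consulted, so no password is needed."""
    verdict = "clean"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x0001:
                continue                      # readable; normal scanning applies
            if os.path.splitext(info.filename)[1].lower() in SUSPECT_EXTENSIONS:
                return "PSW-Worm"
            verdict = "encrypted"
    return verdict


def content_scannable(data):
    """True if every member can be read without a password, i.e. a signature
    scanner could see the real bytes; False is what these worms rely on."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            for info in zf.infolist():
                zf.open(info).read()
        except RuntimeError:                  # "password required for extraction"
            return False
    return True


def strip_suspect_attachments(raw_message):
    """Gateway behaviour: drop attachments classified as PSW-Worm; return
    (message to deliver, list of quarantined (filename, bytes) pairs)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    if not msg.is_multipart():
        return raw_message, []
    keep, quarantined = [], []
    for part in msg.iter_parts():
        filename = part.get_filename("")
        if part.get_content_disposition() == "attachment" and filename:
            blob = part.get_payload(decode=True)
            try:
                verdict = classify_archive(blob)
            except zipfile.BadZipFile:
                verdict = "not-an-archive"    # non-ZIP attachments pass through
            if verdict == "PSW-Worm":
                quarantined.append((filename, blob))
                continue
        keep.append(part)
    msg.set_payload(keep)
    return msg.as_bytes(), quarantined


def sample_message(attachment):
    """Constructed mail in the style the article describes (not a captured
    sample): the archive password in the body, the archive attached."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Re: document"
    msg.set_content("The password for the archive is 12345.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="docs.zip")
    return msg.as_bytes()
```

The same extension check also flags a legitimate encrypted archive that happens to contain an executable, which is the false-positive case noted above; the quarantined pairs are returned here so a caller can store them, mirroring the default quarantine behaviour.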

 

Using Policy Manager

  1. Use the View menu to activate the Advanced mode in Policy Manager.
  2. Select a host or policy domain in the left pane. The change is applied to the selected host, or to all hosts belonging to the selected domain and its sub-domains.
  3. Select the Policy tab in the middle pane.
  4. Expand the F-Secure/F-Secure Content Scanner Server/Settings/Virus Scanning branch, select Suspect Password Protected Archives and set this variable to Treat as Unsafe.
     (Note: the F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives setting specifies which password-protected archives are treated as suspect.)
  5. Distribute the new policies.

Locally using the poltab tool
(applies only to F-Secure Anti-Virus for Firewalls)

Issue the following command:

poltab -r2 -v5MFlags=0x00170002;f-secure=use_avp_archives 18.1.25.10

The poltab tool is not part of the product delivery package; see the download link at the end of this article.

F-Secure Anti-Virus for MIMEsweeper

This does not apply to F-Secure Anti-Virus for MIMEsweeper, because the Clearswift MIMEsweeper product unpacks archives itself and passes only the files inside them to the antivirus scanner. For more information about Clearswift MIMEsweeper's handling of password-protected files, see www.clearswift.com.

Download link: Poltab tool