Malicious file sent through Sandblast

Hello!

Customer was able to send the attached file through SandBlast with AV/TE/TEX enabled ...

If the file is renamed to .7z, it turns out to be a password-protected archive (password: TestCase02) with a VBS script ...

What have we done wrong?

0 Kudos
6 Replies
Admin

Note: I have removed the attachment to the original post.

VBS files are only emulated when received via email (i.e. when SandBlast is configured as an MTA).

When they are received via HTTP/HTTPS, they are not emulated.

This is documented here: File types supported by SandBlast Threat Emulation

0 Kudos

What is the policy on password encrypted files?

0 Kudos
Admin

For this site? I removed the file because it contains malware.

How does Threat Extraction handle them? It depends on your profile setting.

0 Kudos

Hi!

The policy is to block encrypted file attachments.

However, this file has passed through TE/TEX and the user can download the original file.

0 Kudos
Employee++

If the original file was an archive (I can't tell from your post alone), it is currently not supported by TX, hence your "Encrypted content block" TX feature does not apply. Archive support for TX is on the roadmap.

That said, if received via email it should have been emulated and caught by TE, as Daemon already mentioned.

If this was not the case, please open a support ticket with your information.

Regards,
Thomas

0 Kudos

Nikolajs,

Can you clarify the "rename to .7z" remark in your question? Were you using another extension on the file, and was that sufficient to bypass TE/TEX?

Please think of us as people who know nothing about your setup (which is true) and describe the steps to reproduce this exactly.

0 Kudos
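The thread turns on a file whose extension did not match its real container. As an added illustration (not code from this thread or from Check Point), the Python below identifies a file by its magic bytes rather than its name, flags a mismatch, and for 7z files parses the fixed 32-byte signature header and checks its CRCs; the sample archive bytes at the end are constructed only to exercise the parser.

```python
import struct
import zlib

# Magic-byte signatures for the container types discussed in the thread.
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
}

def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def parse_7z_signature_header(data: bytes) -> dict:
    """Parse the 7z signature header: 6-byte magic, 2 version bytes, StartHeaderCRC (u32),
    NextHeaderOffset (u64), NextHeaderSize (u64), NextHeaderCRC (u32), all little-endian."""
    if len(data) < 32:
        raise ValueError("truncated 7z signature header")
    major, minor, start_crc, nh_off, nh_size, nh_crc = struct.unpack_from("<BBIQQI", data, 6)
    start_crc_ok = zlib.crc32(data[12:32]) == start_crc
    nh_start = 32 + nh_off
    next_header = data[nh_start:nh_start + nh_size]
    nh_crc_ok = len(next_header) == nh_size and zlib.crc32(next_header) == nh_crc
    # First property ID of the next header: 0x01 = kHeader (plain), 0x17 = kEncodedHeader,
    # meaning the real header is packed (compressed and/or encrypted) and the file list
    # cannot be read without decoding it first.
    return {
        "version": f"{major}.{minor}",
        "start_header_crc_ok": start_crc_ok,
        "next_header_crc_ok": nh_crc_ok,
        "header_encoded": next_header[:1] == b"\x17",
    }

def inspect_attachment(name: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type; add 7z details when relevant."""
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_type(data)
    result = {"declared_ext": declared, "actual_type": actual,
              "extension_mismatch": actual != "unknown" and declared != actual}
    if actual == "7z":
        result["sevenzip"] = parse_7z_signature_header(data)
    return result

def build_sample_7z() -> bytes:
    """Constructed sample: a minimal signature header followed by a one-byte kEncodedHeader."""
    next_header = b"\x17"
    tail = struct.pack("<QQI", 0, len(next_header), zlib.crc32(next_header))
    return b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail + next_header
```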