Nikolajs_Matjus
Participant

Malicious file sent through Sandblast

Hello !

Customer was able to send the attached file through SandBlast with AV/TE/TEX enabled ...

If the file is renamed to .7z, it turns out to be a password-protected archive (password: TestCase02) containing a VBS script ...

What have we done wrong?

0 Kudos
6 Replies
PhoneBoy
Admin

Note: I have removed the attachment to the original post.

VBS files are only emulated when received via email (i.e. when SandBlast is configured as an MTA).

When they are received via HTTP/HTTPS, they are not emulated.

This is documented here: File types supported by SandBlast Threat Emulation 

0 Kudos
Hugo_vd_Kooij
Advisor

What is the policy on password encrypted files?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin

For this site? I removed the file because it contains malware.

How does Threat Extraction handle them? It depends on your profile setting.

0 Kudos
Nikolajs_Matjus
Participant

Hi !

The policy is to block encrypted file attachments.

However this file has passed through TE/TEX and user can download original file.

0 Kudos
Thomas_Werner
Employee Alumnus

If the original file was an archive (I can't tell from your post alone), it is currently not supported by TX, hence your "Encrypted content block" TX feature does not apply. Archive support for TX is on the roadmap.

That said, if received via email it should have been emulated and caught by TE, as Daemon already mentioned.

If this was not the case please open a support ticket with your information.


Regards, Thomas

0 Kudos
Hugo_vd_Kooij
Advisor

Nikolajs,

Can you clarify the rename-to-.7z remark in your question? Were you using another extension on the file, and was that sufficient to bypass TE/TEX?

Please think of us as people who know nothing about your setup (which is true) and describe the steps to reproduce this exactly.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
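The question Hugo raises, whether a different extension was enough to get the file past inspection, is exactly the check an analyst wants when triaging a sample like the one in the original post: identify the real container type from the file's magic bytes and compare it with what the extension claims. The script below is an added example written for this thread, not Check Point code and not something from the original post. The function names (`sniff`, `classify`) and the signature table are the author's own, and the sample bytes are constructed in the script (a 7z signature stored under a .pdf name, mimicking the described file). It does not decide whether a 7z archive is password-protected; that needs a 7z header parser and is out of scope here.

```python
import os

# Magic-byte signatures for common containers, with the extensions that
# legitimately carry each one. Table assumed for this example; extend as needed.
MAGIC = [
    (b"7z\xbc\xaf\x27\x1c", "7z", {".7z"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"Rar!\x1a\x07", "rar", {".rar"}),
    (b"\x1f\x8b", "gzip", {".gz", ".tgz"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"MZ", "pe", {".exe", ".dll", ".scr", ".sys"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole", {".doc", ".xls", ".ppt", ".msg"}),
]

# Container kinds that deserve a second look regardless of the name they arrive under.
ARCHIVE_KINDS = {"7z", "zip", "rar", "gzip"}


def sniff(data: bytes):
    """Return (kind, allowed_extensions) for the first matching signature, or (None, set())."""
    for sig, kind, exts in MAGIC:
        if data.startswith(sig):
            return kind, exts
    return None, set()


def classify(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed container type.

    mismatch is True when the bytes are a known container but the extension is
    not one that container legitimately uses (e.g. 7z bytes named report.pdf).
    """
    ext = os.path.splitext(filename)[1].lower()
    kind, exts = sniff(data)
    mismatch = kind is not None and ext not in exts
    return {
        "filename": filename,
        "ext": ext,
        "kind": kind,
        "mismatch": mismatch,
        "is_archive": kind in ARCHIVE_KINDS,
    }


# Constructed samples, not real captured files: a 7z header under a .pdf name
# (the situation described in the thread), a genuine PDF, and an unknown blob.
SAMPLES = {
    "invoice.pdf": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"just some text\n",
}


def triage(samples: dict) -> list:
    """Return the classification of every sample whose extension lies about its content."""
    return [r for r in (classify(n, d) for n, d in samples.items()) if r["mismatch"]]


if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"{r['filename']}: claims {r['ext']} but is {r['kind']}"
              f"{' (archive, inspect contents)' if r['is_archive'] else ''}")
```

Run on the constructed samples it reports only invoice.pdf. Sniffing is a cheap first pass, not a verdict: a container that matches its extension can still hold an encrypted payload, which is the separate question of what the gateway does with content it cannot open.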
