English
Chinese (Simplified)
French
German
Italian
Japanese
Russian
Spanish
Vietnamese
Message not copied to Sent Items if contains problematic attachment
-
Hello
When I say problematic, I mean (in our case) MS Office Documents with macros enabled, which would be, haven't they been whitelisted, stopped by SecurityPlus.
This is not v23.5 related, it happened to couple of users here on a few ocasions in the last year or so, but as these were rare, once we figured what had happened, I didn't do anything more at a time. But we are getting more of these documents and will get even more in the future. And will have the need to send them back as well.I have "Exclude trusted IPs from AntiVirus scanning" enabled and appropriate LAN addresses in Trusted IPs. Also, I've added approved external correspondents to FROM Antivirus Exclusions and this is working fine, except when local senders reply to/forward these documents their Sent Items show no proof of that although recipients (local, as well as external) get their messages.
I've collected couple of these attachments, I can upload them here or send to MDaemon support, but I've just tested and created simplest possible XLSM with macro just entering values in couple of cells and message sent with that attachment experienced the same issue.
Anyone else noticed this?
-
Arron Staff
When an IMAP client uploads a message to a user's sent items folder it typically uses the IMAP APPEND command. Any messages uploaded to the server using this method are scanned by the AV engine.
What does the IMAP log show is happening when the client tries to upload the message to the server?
Are you using ClamAV and Ikarus for AV scanning?
-
Hello Arron
We are using both Ikarus and ClamAV.
You can find typical ALL log segment here for one of the affected messages, but looking at it now I would say that crucial part is here below.
Ikarus says message is clean, ClamAV says nope... "Trusted IPs" settings does not apply to ClamAV?
Thu 2023-10-12 10:14:52.892: [06014134] <-- 0000000a APPEND "Sent Items" (\Seen) "12-Oct-2023 10:14:00 +0200" {284364}
Thu 2023-10-12 10:14:52.895: [06014134] --> + Ready for append literal
Thu 2023-10-12 10:14:52.906: [06014134] Passing message through AntiVirus (Size: 284364)...
Thu 2023-10-12 10:14:54.743: [06014134] * Message scanned by (IKARUS: clean (0.00972s)) (ClamAV: infected (0.77319s)) is infected with Heuristics.OLE2.ContainsMacros.VBA
Thu 2023-10-12 10:14:54.743: [06014134] ---- End AntiVirus results
Thu 2023-10-12 10:14:54.743: [06014134] Message refused because it contains a virus
Thu 2023-10-12 10:14:54.743: [06014134] --> 0000000a NO Message refused because it contains a virus
Thu 2023-10-12 10:14:54.746: [06014134] <-- 0000000b LOGOUT
-
Arron Staff
The option to exclude trusted IPs from AV scanning is not honored by the IMAP server. The options to exclude messages from scanning based on sender or recipient are honored by the IMAP server.
So if a user that is in the AV exclusion list for Exclude messages from these addresses sends an email with spreadsheet attached that includes a macro, it should be uploaded to the sent items folder without an issue.
Is that not happening for you? If its not happening for you, what version of MDaemon are you using?
-
Arron Staff
Also, Updating the IMAP server to honor the option to exclude trusted IPs from AV scanning has been added to the wishlist.
-
The situation is: Selected few external contacts send attachments of this type to some of the local recipients. Recipients process these and send updated attachments back.
These attachments are, so far, government & banking forms, spare parts orders, field service requests (MS DOCs and XLSMs). Recipient(s) are sometimes individual users, but more likely our mailing lists. So, the first quarantine. After release from there, some of these recipients have to fill them out, often involving more people passing these attachments back and forth internally. Meaning, second quarantine. After completion, most of these has to be returned to the original sender or some generic receiving address, So, the third qurantine. Every once in a while, these endup in the Hosted Security Gateway quarantine as well.
I would like to ensure that these attachments go through without quarantining, so the idea was to AV Exclude external senders/recipients, by individual email address and to put internal users in the Trusted IPs list, as there are few domains internally, more precissely one physicall user could have more than one local addresses, so User1@domain1 could forward message to User2@domain1, but can also use User2@domain2. Also, there is no defined path for these as sometimes more departments work on one document or they have to consult manager(s),...
And, of course, I want to do this with as little exclusions as possible. I cannot put *@domain1, *@domain2,... in the AV Exclusions. Also, can not exclude all DOCs and XLSMs.
What would be the most effective way to accomplish this?
For example, could some additional header be used to exclude these from scanning?
MDaemon is v 23.5.
-
Arron Staff
I'm sure you know macros are inherently dangerous. If at all possible, they should be excluded from the documents. I'm guessing that is not possible or you would have done it already.
Another option is to configure ClamAV to allow macros. AV engines should detect malicious office documents whether they have macros or not, so blocking all office documents with macros is an extra layer of protection, but if you need macros in office documents, then turning off macro detection might be the best option. To do this, edit the MDaemon\SecurityPlus\ClamAVPlugin\Conf\clamd.conf file and set:
AlertOLE2Macros no
Save the file and then restart clamd.exe.
If are unable or unwilling to turn it off, then the only current option is to exclude senders/recipients. The problem with this is that you would need to exclude local senders from all virus scanning in order to allow them to upload the message to their sent items folder and you would have to do it based on email address not based on IP.
We will look into applying AV exclusions by IP to IMAP connections for a future version.
-
I can confirm that setting AlertOLE2Macros -> no (or commenting it out) in clamd.conf resolves the issue. Local senders don't even have to be in Trusted IPs for this to work. Btw, no is the default value for this setting.
> I'm sure you know macros are inherently dangerous. If at all possible, they should be excluded from the documents. I'm guessing that is not possible or you would have done it already.
Your guess is correct. It is not possible. All of these documents are required by our various partners.
To tell you the truth, I'm staggered that all of these are being handeled by their email infrastructure without any issue. These are all large companies, banks, even government entities with (I'm guessing) considerable IT staff/resources/know-how and they are letting them pass no problem at all. I even tried playing with couple of them, changing original macros, adding new and still they went through just fine.Hope this with IP exclusions applied to IMAP as well gets implemented soon. Seems a little bit more precise control then de-restricting scanning all macro containing attachments
Thank you Arron
