Filter Error | MDaemon Technologies, Ltd.

  • Hi,

    Since the last update (9.0.0), the message content filter does not work correctly.

    It generates an error when scanning documents.

    We have a filter that checks if the word "Bitcoin" exists in the body of the message, this worked correctly. Now it gives us an error.

    Tue 2023-01-17 13:51:54: -- Ejecutando: bitcoin --
    Tue 2023-01-17 13:51:54: Ocurrió un error al extraer texto del archivo ARCHIVO INCLUSION CARTERA.xlsx
    Tue 2023-01-17 13:51:54:
    Tue 2023-01-17 13:51:54: -- Término: bitcoin (0.367002 segundos) --
    *****
    Tue 2023-01-17 13:51:57: * Escaneo de mensaje fallido
    Tue 2023-01-17 13:51:57: ** Fileinto admin

    This is the rule:

    /* message content filter rule */
    require ["securitygateway","reject","fileinto","envelope","body","regex"];
    if allof(body :subject :text :contains "bitcoin")
    {
        fileinto "spam";
    }

    I have also observed that all the Excel files that are sent to us with macros are marked as viruses.

    And in the SG configuration, the option "Mark as attached virus with documents that contain macros" is unchecked.

    Tue 2023-01-17 13:06:11: RCPT Domain = commcenter.es
    Tue 2023-01-17 13:06:11: -- Ejecutando: Blacklist --
    Tue 2023-01-17 13:06:11: -- Término: Blacklist (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: URI Blacklists (URIBL) --
    Tue 2023-01-17 13:06:11: -- Término: URI Blacklists (URIBL) (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: SpamAssassin --
    Tue 2023-01-17 13:06:11: -- Término: SpamAssassin (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Mail Nocivo --
    Tue 2023-01-17 13:06:11: -- Término: Mail Nocivo (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Disa --
    Tue 2023-01-17 13:06:11: -- Término: Disa (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: bitcoin --
    Tue 2023-01-17 13:06:11: Ocurrió un error al extraer texto del archivo 00000APH 20230116 Informe KPIs operativos Detalle Vendedor.xlsm
    Tue 2023-01-17 13:06:11: 
    Tue 2023-01-17 13:06:11: -- Término: bitcoin (0.498074 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Cuarentena GLS --
    Tue 2023-01-17 13:06:11: -- Término: Cuarentena GLS (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Contraseña --
    Tue 2023-01-17 13:06:11: -- Término: Contraseña (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Contiene URL Activa --
    Tue 2023-01-17 13:06:11: -- Término: Contiene URL Activa (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Contiene IP --
    Tue 2023-01-17 13:06:11: -- Término: Contiene IP (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: IP Pictel --
    Tue 2023-01-17 13:06:11: -- Término: IP Pictel (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: @secosum.com IP Virus --
    Tue 2023-01-17 13:06:11: -- Término: @secosum.com IP Virus (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: IP Pictel Mensaje  --
    Tue 2023-01-17 13:06:11: -- Término: IP Pictel Mensaje  (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: pagofacilde@telefonicaconsumerfinance.net --
    Tue 2023-01-17 13:06:11: -- Término: pagofacilde@telefo.........sumerfinance.net (0.000000 segundos) --
    Tue 2023-01-17 13:06:11: -- Ejecutando: Domain: commcenter.es - Anti-Virus --
    Tue 2023-01-17 13:06:11: Procesando el mensaje con el anti-virus (Tamaño: 5190813)...
    Tue 2023-01-17 13:06:11: *  Escaneando el mensaje utilizando: ClamAV for SecurityGateway
    Tue 2023-01-17 13:06:24: * Mensaje infectado con Xls.Exploit.LokiBot-9983602-0 virus
    Tue 2023-01-17 13:06:24: ** Fileinto admin
    Tue 2023-01-17 13:06:24: -- Término: Domain: commcenter.es - Anti-Virus (12.268339 segundos) --
    Tue 2023-01-17 13:06:24: -- Ejecutando: Domain: commcenter.es - Outbreak Protection (Anti-Virus) --
    Tue 2023-01-17 13:06:24: Procesando el mensaje con Outbreak Protection (Tamaño: 5190813)…
    Tue 2023-01-17 13:06:25: *  Reference-ID: str=0001.0A782F18.63C68F41.004A,ss=1,re=0.000,recu=0.000,reip=0.000,vtr=str,vl=0,cl=1,cld=1,fgs=0
    Tue 2023-01-17 13:06:25: *  Nivel de amenaza de Spam: Clean
    Tue 2023-01-17 13:06:25: *  Nivel de amenaza del Virus: Clean
    Tue 2023-01-17 13:06:25: -- Término: Domain: commcenter.es - Outbreak Protection (Anti-Virus) (1.310720 segundos) --
    Tue 2023-01-17 13:06:25: -- Ejecutando: Domain: commcenter.es - Outbreak Protection (Spam) --
    Tue 2023-01-17 13:06:25: -- Término: Domain: commcenter.es - Outbreak Protection (Spam) (0.000000 segundos) --
    Tue 2023-01-17 13:06:25: -- Ejecutando: Domain: commcenter.es - DMARC --

    These macros are clean and do not contain any kind of virus.

    Do you know what could be happening?
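As an added example (not code from the thread or from MDaemon), the check below walks a SecurityGateway filter log of the kind quoted above and reports, per content-filter rule, the attachments whose text could not be extracted, plus any "message scan failed" lines. A body-text rule such as the "bitcoin" filter cannot match content that was never extracted, so each entry is a message that passed that rule unchecked. The sample lines are copied from the post; the function name and the assumption that the log is in Spanish (the server's UI language) are mine.

```python
import re
from collections import defaultdict

# Lines copied from the thread; SecurityGateway logs in the server's UI
# language, here Spanish. Only the lines relevant to the check are kept.
SAMPLE_LOG = """\
Tue 2023-01-17 13:06:11: -- Ejecutando: SpamAssassin --
Tue 2023-01-17 13:06:11: -- Término: SpamAssassin (0.000000 segundos) --
Tue 2023-01-17 13:06:11: -- Ejecutando: bitcoin --
Tue 2023-01-17 13:06:11: Ocurrió un error al extraer texto del archivo 00000APH 20230116 Informe KPIs operativos Detalle Vendedor.xlsm
Tue 2023-01-17 13:06:11: -- Término: bitcoin (0.498074 segundos) --
Tue 2023-01-17 13:51:54: -- Ejecutando: bitcoin --
Tue 2023-01-17 13:51:54: Ocurrió un error al extraer texto del archivo ARCHIVO INCLUSION CARTERA.xlsx
Tue 2023-01-17 13:51:54: -- Término: bitcoin (0.367002 segundos) --
Tue 2023-01-17 13:51:57: * Escaneo de mensaje fallido
"""

# Every line starts with "Tue 2023-01-17 13:06:11: "; the rule markers and
# the extraction error are matched on the Spanish strings seen in the log.
TS = r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: "
RULE_START = re.compile(TS + r"-- Ejecutando: (.+?) --$")
RULE_END = re.compile(TS + r"-- Término: (.+?) \(([\d.]+) segundos\) --$")
EXTRACT_ERR = re.compile(TS + r"Ocurrió un error al extraer texto del archivo (.+)$")
SCAN_FAILED = re.compile(TS + r"\* Escaneo de mensaje fallido$")


def extraction_failures(log_text):
    """Return ({rule_name: [attachments whose text was not extracted]},
    count of 'Escaneo de mensaje fallido' lines).

    An extraction error is attributed to the rule whose Ejecutando/Término
    span encloses it; errors outside any rule span are ignored.
    """
    failures = defaultdict(list)
    current_rule = None
    scan_failed = 0
    for line in log_text.splitlines():
        start = RULE_START.match(line)
        if start:
            current_rule = start.group(1)
            continue
        if RULE_END.match(line):
            current_rule = None
            continue
        err = EXTRACT_ERR.match(line)
        if err and current_rule is not None:
            failures[current_rule].append(err.group(1).strip())
        elif SCAN_FAILED.match(line):
            scan_failed += 1
    return dict(failures), scan_failed
```

Running it over the sample reports two attachments (one .xlsm, one .xlsx) that the "bitcoin" rule never inspected and one failed message scan; in production, feed it the daily filter log and alert when the failure list is non-empty.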

  • Are there any errors in the Windows event log for filterhost.exe? If there are, can you post the information from the error? What operating system is SecurityGateway running on?

    The Excel file is not being flagged because it has a macro; a virus is being detected in the file. If you believe this is a false positive, you can submit a false positive to ClamAV by submitting the form here:

    https://www.clamav.net/reports/malware

  • Yes, it is generating errors.

    Nombre de la aplicación con errores: FilterHost.exe, versión: 0.0.0.0, marca de tiempo: 0x62c5e2b6
    Nombre del módulo con errores: MSVCP140.dll, versión: 6.3.9600.20718, marca de tiempo: 0x636f3964
    Código de excepción: 0xc0000135
    Desplazamiento de errores: 0x00000000000ed1b0
    Identificador del proceso con errores: 0xbb0
    Hora de inicio de la aplicación con errores: 0x01d92b4bb7b3affa
    Ruta de acceso de la aplicación con errores: C:\Program Files\MDaemon Technologies\SecurityGateway\app\FilterHost.exe
    Ruta de acceso del módulo con errores: MSVCP140.dll
    Identificador del informe: f56e88ac-973e-11ed-80f5-00155d0a9f09
    Nombre completo del paquete con errores: 
    Identificador de aplicación relativa del paquete con errores: 

    It is installed on a Windows Server 2012 R2 (ES) 64bit

  • This issue has been fixed for SG 9.0.1, which should be released to beta very soon.

    You should be able to correct it now by installing the Microsoft Visual C++ 2015 Redistributable.


  • Javier,

    You can download the Visual C++ Redistributable for Visual Studio 2015 from https://www.microsoft.com/en-gb/download/details.aspx?id=48145.

    Can you upload the .xls file to virus total?  What does it report?


  • The .xls is clean, I report.
