Can Ironport handle RAR files?

steveshipway
Level 1

We're starting to get malicious content embedded in RAR files attached to emails. This shouldn't be a problem as we have a policy to quarantine any emails with executable attachments coming in.

It appears that, although the Ironport recognises the .rar attachment as a compressed container, it is unable to expand it, and so this malicious EXE is getting through. They have also made it just bigger than 250MB so that it is missed by the CASE and VOF scanner limits.

We're using AsyncOS 7.1.5-017 on a C360.

Steve


6 Replies

Enrico Werner
Cisco Employee

Hi Steve,

In order to detect RAR files you need to create a filter based on file extension (filename) or MIME type. However, Sophos AV and McAfee AV fully support RAR, so there will be no issue in detecting virus-infected emails that include RAR archives. The CASE maximum scanning size for the 'always' scan size could be increased from 256kb to 512kb. Once done, check whether it has any impact on performance. If it is not significantly high, you can keep 512kb configured, as spam messages have increased in size in the past.

Regards,

Enrico

This is true, but our issue is that we do not want to block RAR files per se, only the ones that contain executables. With ZIP files, they are deep-inspected and so content filters can test the file systems held within the ZIP. With RAR, you can only see that a RAR file is present, not what is inside.

The CASE maximum size appears to only be configurable in AsyncOS 7.5 and later - we are running 7.1.5 on our C360 devices here.

Steve
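The deep inspection Steve is asking for (seeing the file names inside a RAR without relying on the appliance to expand it), as an added example that is not from this thread or from Cisco: a minimal Python walker over the RAR 1.5-4.x block headers. The archive bytes are constructed inline; the walker reads headers only, so the oversized-archive trick from the original post costs nothing extra, and it refuses RAR5 and encrypted-header archives rather than reporting them as clean.

```python
import struct, zlib
RAR4_SIG = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x marker; RAR5 ("Rar!\x1a\x07\x01\x00") differs
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def rar4_entries(data):
    """Walk a RAR4 block chain and return the stored file names. Only headers
    are read (packed data is skipped), so archive size does not matter."""
    if not data.startswith(RAR4_SIG):
        raise ValueError("not a RAR4 archive (RAR5 and other formats not handled)")
    names, pos = [], len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            raise ValueError("malformed block header")
        if htype == 0x73 and flags & 0x0080:   # MAIN_HEAD with MHD_PASSWORD set
            raise ValueError("encrypted headers: file names are not visible")
        skip = 0
        if htype == 0x74:                      # FILE_HEAD
            pack_size, = struct.unpack_from("<I", data, pos + 7)
            name_size, = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + 32
            if flags & 0x0100:                 # LHD_LARGE: 64-bit sizes follow ATTR
                pack_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
                name_off += 8
            raw = data[name_off:name_off + name_size].split(b"\x00")[0]
            names.append(raw.decode("utf-8", "replace"))
            skip = pack_size                   # jump over the packed data
        elif flags & 0x8000:                   # LONG_BLOCK: ADD_SIZE field present
            skip, = struct.unpack_from("<I", data, pos + 7)
        if htype == 0x7B:                      # ENDARC
            break
        pos += hsize + skip
    return names

def executables_in(names):
    # Entries whose extension marks Windows-executable content
    return [n for n in names if "." + n.rsplit(".", 1)[-1].lower() in EXEC_EXTS]

def _block(htype, flags, body, payload=b""):
    # Constructed sample only: one RAR4 block with a valid HEAD_CRC
    hdr = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(hdr) & 0xFFFF) + hdr + payload

def _file(name, payload):  # FILE_HEAD fields PACK_SIZE..ATTR, then the name
    fields = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2,
                         zlib.crc32(payload), 0, 29, 0x30, len(name), 0x20)
    return _block(0x74, 0x8000, fields + name.encode(), payload)
# Constructed two-entry archive: a harmless PDF beside an executable
SAMPLE = (RAR4_SIG + _block(0x73, 0, b"\x00" * 6) + _file("report.pdf", b"%PDF-1.4 stub")
          + _file("invoice.exe", b"MZ" + b"\x00" * 30) + _block(0x7B, 0x4000, b""))
```

`executables_in(rar4_entries(SAMPLE))` returns `['invoice.exe']`; a multi-volume or solid archive still lists its names, since only headers are walked.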

Hi Enrico,

btw McAfee antivirus can't scan RAR files; even a test virus can't stop it. Below is an example:


7 Nov 2014 15:00:06 (GMT +02:00)Message 329833 scanned by Anti-Virus engine McAfee. Interim verdict: CLEAN
27 Nov 2014 15:00:06 (GMT +02:00)Message 329833 scanned by Anti-Virus engine Sophos. Interim verdict: REPAIRED
27 Nov 2014 15:00:06 (GMT +02:00)Message 329833 scanned by Anti-Virus engine. Repaired message parts: 'EICAR-AV-Test'
27 Nov 2014 15:00:06 (GMT +02:00)Message ID 329833 rewritten to new message ID 329834 by antivirus.

Andreas Mueller
Level 4

Hello Steve,

Just as an addition, with AsyncOS 7.6 RAR archives are supported in filters as well, including expansion and all the functionality you know from other archive types such as ZIP. However, as Enrico already said, viral executables that come in RARs are already detected by Antivirus and VOF in the version you are running, so there should not be a problem there.

Hope that helps,

Andreas

This is good to know (that the functionality is available in AsyncOS 7.6); however, our C360 devices run 7.1, and so it seems we're unable to do it until we find some way to upgrade -- and I think 7.6 is not supported by C360s.

Thanks,

Steve

Hi Steve,

I see you mentioned your appliances are on version 7.1. It is possible you will need to perform two upgrades in order to get your appliances running 7.6. Please try to upgrade from 7.1 to the next and most recent version possible. When you finish that upgrade, reboot as part of the process and run the upgrade again. You may see version 7.6 after that. You can also open a support case and ask for the upgrade path. You will need to provide the serial number of the device so the Engineer can get the upgrade path for you. The Release Notes document can also provide the upgrade path. You can download the upgrade path from:

http://www.cisco.com/en/US/products/ps10154/prod_release_notes_list.html

I hope this helps.

Regards,

Valter