How to block attached files, or infected with virus/malware



  • Hi all,

    We need to block certain content attached to the emails, such as PPT, EXE files for example.

    Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify if those files are infected by malware, ransomware, etc. If they are infected, how to avoid them passing to our LAN or being stored in our internal servers.

    With what modules and how can we improve our security in this, using pfSense?

    Regards,
    JCGA.



  • No experience with files (and scanning), but a good start could be Pfblocker. Deny your clients visits to "questionable" sites in the first place, better be safe than sorry....
    A good help for me was : https://www.youtube.com/watch?v=QwFpMwXEK5w

    Pfblocker has the same effect as using a Pi-hole for a DNS redirect.

    I don't think blocking files is the main purpose of a firewall, but maybe......


  • Banned

    @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

    We need to block certain content attached to the emails, such as PPT, EXE files for example.

    Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify if those files are infected by malware, ransomware, etc. If they are infected, how to avoid them passing to our LAN or being stored in our internal servers.

    That's a job for a well configured mailserver/relay, not for a firewall.



  • There used to be a MailScanner package back in the day, but that's long gone. The only AV option left is now integrated within Squid, which can be leveraged to scan downloads from the web, but I don't think it will scan email attachments (someone chime in if I'm mistaken).

    The important thing to remember is pfSense is a firewall, not a UTM. If you want effective UTM features, you will need to implement a proper UTM. There's no way around it.

    One option would be to implement something like Untangle. This is what I do at home. I have Untangle running in bridge mode on a VM and it works wonderfully sitting inline between pfSense and my core switch.

    If you're only concerned with email filtering, another option would be to spin up a spam filter/email gateway and have your mail sent to it first and then relayed to your mail server. There are various free/open source options out there... e.g. Spamassassin, Mailborder, Mailcleaner, MailScanner, etc. A commercial option would be something like Zix.



  • @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

    I'd like to know how to activate the analysis of files that come as attachments

    You're talking about mails, right?
    Forget about a firewall loading the entire mail, unpacking it, scanning all the (if present) attachments and checking for 'illegal' content.
    First: people that receive mails and open attachments that are executable, should be taken outside
    ( ... ) The mail could be - sorry, we are in 2019 - will be SSL encrypted so the firewall can't see anything - never. Forget being an MITM.
    Second: focus on your mail server: as @Grimson said, that's the one that can do all this for you. Before it stores the mail in the "mail box", it can scan mails up to your imagination, and even more than that. You can't control your mail server? Take one where YOU have control (and finally you will run your own MX and you'll be free, at last).


  • Netgate Administrator

    Yes, use an external mailserver to do that.

    The only option you have in pfSense is this:
    https://forum.netgate.com/topic/113692/mailscanner-unofficial-package-for-pfsense-2-3-x

    But as it says there, it's very much unofficial. If you choose to go that route it will probably break at updates etc. There will be a significant maintenance requirement from you and the package maintainer. Which might stop at any point.

    Steve



  • Is there some antivirus that can do that?


  • Netgate Administrator

    Not really. There is ClamAV for Squid but it can only check what Squid caches which isn't much these days unless you have full SSL interception.
    Or there is Snort/Suricata but they are not really intended to be antivirus.

    Steve



  • It's somewhere between "very hard" and "darn near impossible" these days to detect a virus or malware over the network wire because so much traffic is encrypted now. The primary encryption method is SSL. So firewalls and IDS/IPS engines can no longer inspect the payloads of encrypted packets unless you are doing full man-in-the-middle SSL interception as @stephenw10 mentioned.

    Virus and malware detection now really needs to be done on the endpoint client because that's where the final decryption occurs.

    The best defense is being vigilant with applying security fixes to all the software on your endpoint devices.



  • @bmeeks said in How to block attached files, or infected with virus/malware:

    Virus and malware detection now really needs to be done on the endpoint client because that's where the final decryption occurs.

    That is, today, mail servers still store the mail in clear text.
    So, when received, all mail, incoming and outgoing, can be - and should be - filtered. One of the first filters should be a known spam / known antivirus filter. The last filter is typically something called "DKIM" that adds a signature to the mail, so the receiving party can check the origin and validity of a mail. Example: when you send a mail to a gmail account today, using IPv6, gmail will not accept the mail if SPF + DKIM => DMARC doesn't pass the check.

    When the mail account user interacts with his mail box, using a mail client, the mail is passed through an SSL layer again.

    A mail server belongs on a dedicated device (server) equipped with a 'simple' firewall, fed by tools like fail2ban so slammers and 'rule breaking mail servers' (read: quick and dirty mail spammer servers) are recognized and blocked.

    My advice: never ever run a mail server on pfSense. And also: no need to put pfSense in front of a mail server.
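
The attachment-type check that the replies above assign to the mail server or relay, as an added example that is not code from any poster or from pfSense: a Python content filter that walks a message's MIME parts and flags blocked types by extension and by leading bytes, so a renamed EXE is still caught. The blocked list, the function names and the sample message are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy for this sketch: the two types named in the question, plus .pptx.
BLOCKED_EXT = {".exe", ".ppt", ".pptx"}
MAGIC = {  # leading bytes identify content regardless of the declared filename
    b"MZ": "PE/DOS executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 document (legacy .ppt/.doc/.xls)",
}

def blocked_attachments(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, reasons) for every MIME part the policy refuses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():          # walk() also descends into forwarded messages
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if part.get_content_maintype() == "text" and not name:
            continue                 # ordinary body text, not an attachment
        reasons = []
        # Windows ignores trailing dots and spaces, so "a.exe." still runs as .exe
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        if ext in BLOCKED_EXT:
            reasons.append(f"extension {ext}")
        data = part.get_payload(decode=True) or b""
        for sig, label in MAGIC.items():
            if data.startswith(sig):
                reasons.append(f"content is {label}")
        if reasons:
            hits.append((name or "(unnamed)", reasons))
    return hits

def sample_message() -> bytes:
    """Constructed test mail: one honest .ppt, one renamed EXE, one harmless file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.net", "files"
    m.set_content("See attached.")
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8,
                     maintype="application", subtype="vnd.ms-powerpoint", filename="slides.ppt")
    m.add_attachment(b"MZ\x90\x00" + b"\0" * 8,
                     maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(sample_message()))
```

A relay would run a check like this in its content-filter stage and reject or quarantine the message when the list is non-empty; signature-based malware scanning is a separate step.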

