How to block attached files, or infected with virus/malware



  • Hi all,

    We need to block certain content attached to the emails, such as PPT, EXE files for example.

    Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify if those files are infected by malware, ransomware, etc. If they are infected, how to prevent them from passing to our LAN or being stored on our internal servers.

    With what modules and how can we improve our security in this, using pfSense?

    Regards,
    JCGA.



  • No experience with files (and scanning), but a good start could be Pfblocker. Deny your clients visits to "questionable" sites in the first place, better be safe than sorry....
    A good help for me was: https://www.youtube.com/watch?v=QwFpMwXEK5w

    Pfblocker has the same effect as using a Pi-hole for a DNS redirect.

    I don't think blocking files is the main purpose of a firewall, but maybe......



  • @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

    We need to block certain content attached to the emails, such as PPT, EXE files for example.

    Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify if those files are infected by malware, ransomware, etc. If they are infected, how to prevent them from passing to our LAN or being stored on our internal servers.

    That's a job for a well-configured mailserver/relay, not for a firewall.



  • There used to be a MailScanner package back in the day, but that's long gone. The only AV option left is now integrated within Squid, which can be leveraged to scan downloads from the web, but I don't think it will scan email attachments (someone chime in if I'm mistaken).

    The important thing to remember is pfSense is a firewall, not a UTM. If you want effective UTM features, you will need to implement a proper UTM. There's no way around it.

    One option would be to implement something like Untangle. This is what I do at home. I have Untangle running in bridge mode on a VM and it works wonderfully sitting inline between pfSense and my core switch.

    If you're only concerned with email filtering, another option would be to spin up a spam filter/email gateway and have your mail sent to it first and then relayed to your mail server. There are various free/open source options out there... e.g. Spamassassin, Mailborder, Mailcleaner, MailScanner, etc. A commercial option would be something like Zix.



  • @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

    I'd like to know how to activate the analysis of files that come as attachments

    You're talking about mails, right?
    Forget about a firewall loading the entire mail, unpacking it, scanning all the (if present) attachments and checking for 'illegal' content.
    First: people that receive mails and open attachments that are executable should be taken outside
    ( ... ) The mail could be - sorry, we are in 2019 - will be SSL encrypted so the firewall can't see anything - never. Forget being an MITM.
    Second: focus on your mail server, as @Grimson said: that's the one that can do all this for you. Before it stores the mail in the "mail box", it can scan mails up to the limits of your imagination, and even more than that. You can't control your mail server? Take one where YOU have control (and finally you will run your own MX and you'll be free, at last).


  • Netgate Administrator

    Yes, use an external mailserver to do that.

    The only option you have in pfSense is this:
    https://forum.netgate.com/topic/113692/mailscanner-unofficial-package-for-pfsense-2-3-x

    But as it says there it's very much unofficial. If you choose to go that route it will probably break at updates etc. There will be a significant maintenance requirement from you and the package maintainer. Which might stop at any point.

    Steve
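
The replies above place attachment filtering on the mail server or relay. As an added example (not code from any poster or from pfSense), this is the kind of check such a relay runs on a decoded message; the blocked extensions come from the question, while the function names, the signature table and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy for this example: the file types named in the question.
BLOCKED_EXT = {".exe", ".ppt"}
# Leading bytes of the same file types, so a renamed file is still caught.
MAGIC = {
    b"MZ": "Windows executable content",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 content (legacy .ppt/.doc/.xls)",
}

def check_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reasons) for each MIME part that violates the policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename()
        if name is None and part.get_content_maintype() == "text":
            continue  # ordinary message body
        name = name or "(unnamed part)"
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        reasons = []
        ext = os.path.splitext(name.strip().rstrip(".").lower())[1]
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked extension {ext}")
        reasons += [why for sig, why in MAGIC.items() if payload.startswith(sig)]
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings  # archives such as .zip are not unpacked here

def build_sample() -> bytes:
    """Constructed message: a .ppt, an executable renamed to .pdf, a text file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "sample"
    m.set_content("see attachments")
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16,
                     maintype="application", subtype="vnd.ms-powerpoint",
                     filename="slides.ppt")
    m.add_attachment(b"MZ\x90\x00" + b"\0" * 16, maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment("plain notes\n", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, why in check_message(build_sample()):
        print(f"REJECT {name}: {why}")
```

The relay sees the message after TLS has been terminated, which is why this check can run there and not on the firewall.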

