Netgate Discussion Forum

    How to block attached files, or infected with virus/malware

    General pfSense Questions
    11 Posts 9 Posters 2.4k Views
    • Juan Carlos Gtz

      Hi all,

      We need to block certain content attached to the emails, such as PPT, EXE files for example.

      Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify whether those files are infected by malware, ransomware, etc. If they are infected, how to prevent them from passing to our LAN or being stored on our internal servers.

      With what modules and how can we improve our security in this, using pfSense?

      Regards,
      JCGA.

      • badgast

        No experience with files (and scanning), but a good start could be Pfblocker. Deny your clients visits to "questionable" sites in the first place, better be safe than sorry....
        A good help for me was : https://www.youtube.com/watch?v=QwFpMwXEK5w

        Pfblocker has the same effect as using a Pi-hole for a DNS redirect.

        I don't think blocking files is the main purpose of a firewall, but maybe......

        • Grimson @Juan Carlos Gtz

          @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

          We need to block certain content attached to the emails, such as PPT, EXE files for example.

          Also, I'd like to know how to activate the analysis of files that come as attachments, in order to verify whether those files are infected by malware, ransomware, etc. If they are infected, how to prevent them from passing to our LAN or being stored on our internal servers.

          That's a job for a well configured mailserver/relay, not for a firewall.

          • marvosa

            There used to be a MailScanner package back in the day, but that's long gone. The only AV option left is now integrated within Squid, which can be leveraged to scan downloads from the web, but I don't think it will scan email attachments (someone chime in if I'm mistaken).

            The important thing to remember is pfSense is a firewall, not a UTM. If you want effective UTM features, you will need to implement a proper UTM. There's no way around it.

            One option would be to implement something like Untangle. This is what I do at home. I have Untangle running in bridge mode on a VM and it works wonderfully sitting inline between pfSense and my core switch.

            If you're only concerned with email filtering, another option would be to spin up a spam filter/email gateway and have your mail sent to it first and then relayed to your mail server. There are various free/open source options out there... e.g. SpamAssassin, Mailborder, MailCleaner, MailScanner, etc. A commercial option would be something like Zix.

            • Gertjan @Juan Carlos Gtz

              @Juan-Carlos-Gtz said in How to block attached files, or infected with virus/malware:

              I'd like to know how to activate the analysis of files that come as attachments

              You're talking about mails, right?
              Forget about a firewall loading the entire mail, unpacking it, scanning all the (if present) attachments and checking for 'illegal' content.
              First: people that receive mails and open attachments that are executable should be taken outside
              ( ... ) The mail could be - sorry, it is 2019 - will be SSL encrypted, so the firewall can't see anything - never. Forget being an MITM.
              Second: focus on your mail server: as @Grimson said, that's the one that can do all this for you. Before it stores the mail in the "mail box", it can scan mails up to your imagination, and even more than that. You can't control your mail server? Take one where YOU have control (and finally you will run your own MX and you'll be free, at last).

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • stephenw10 Netgate Administrator
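Grimson and Gertjan both put attachment filtering on the mail server or relay rather than on the firewall. As an added illustration of the kind of check a relay-side content filter performs (this is not code from the thread, from pfSense, or from any of the packages named above), here is a Python script that parses a MIME message with the standard library and flags attachments both by a blocked extension list and by the "MZ" header of a Windows executable, so that an .exe renamed to .pdf is still caught. The blocked-extension list, the function names and the sample message are assumptions constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Attachment types the relay refuses outright (a constructed list for this
# example; the opening post asked for PPT and EXE at least).
BLOCKED_EXTENSIONS = {".exe", ".ppt", ".pptx", ".scr", ".js", ".vbs"}

# First bytes of a Windows PE executable. Checking content and not only the
# name catches an executable that was renamed to look like a document.
PE_MAGIC = b"MZ"


def classify_attachment(part) -> Optional[str]:
    """Return the reason this MIME part should be blocked, or None to allow it."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return f"extension {ext} is blocked"
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(PE_MAGIC):
        return "content looks like a Windows executable"
    return None


def find_blocked_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and list (filename, reason) for blocked parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part)
        if reason is not None:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one clean attachment and three that must be blocked."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-powerpoint", filename="deck.ppt")
    # Renamed executable: document-looking name, PE content
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in find_blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

In a real relay this logic would sit behind a milter or content-filter hook, and the magic-byte check would be extended to archives and Office containers, which is exactly the work a dedicated gateway or AV engine does and the firewall does not.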

                Yes, use an external mailserver to do that.

                The only option you have in pfSense is this:
                https://forum.netgate.com/topic/113692/mailscanner-unofficial-package-for-pfsense-2-3-x

                But as it says there, it's very much unofficial. If you choose to go that route it will probably break at updates etc. There will be a significant maintenance requirement from you and the package maintainer, which might stop at any point.

                Steve

                • JoseDiaz
                  This post is deleted!
                  • stephenw10 Netgate Administrator

                    Not really. There is ClamAV for Squid but it can only check what Squid caches which isn't much these days unless you have full SSL interception.
                    Or there is Snort/Suricata but they are not really intended to be antivirus.

                    Steve

                    • bmeeks

                      It's somewhere between "very hard" and "darn near impossible" these days to detect a virus or malware over the network wire because so much traffic is encrypted now. The primary encryption method is SSL. So firewalls and IDS/IPS engines can no longer inspect the payloads of encrypted packets unless you are doing full man-in-the-middle SSL interception as @stephenw10 mentioned.

                      Virus and malware detection now really needs to be done on the endpoint client because that's where the final decryption occurs.

                      The best defense is being vigilant with applying security fixes to all the software on your endpoint devices.

                      • Gertjan @bmeeks

                        @bmeeks said in How to block attached files, or infected with virus/malware:

                        Virus and malware detection now really needs to be done on the endpoint client because that's where the final decryption occurs.

                        That is, today, mail servers still store the mail in clear text.
                        So, when received, all mail, incoming and outgoing, can be - and should be - filtered. One of the first filters should be a known-spam / known-virus filter. The last filter is typically something called "DKIM" that adds a signature to the mail, so the receiving party can check the origin and validity of a mail. Example: when you send a mail to a gmail account today, using IPv6, gmail will not accept the mail if SPF + DKIM => DMARC doesn't pass the check.

                        When the mail account user interacts with his mail box, using a mail client, the mail is passed through an SSL layer again.

                        A mail server belongs on a dedicated device (server) equipped with a 'simple' firewall, fed by tools like fail2ban so slammers and 'rule-breaking mail servers' (read: quick and dirty spammer servers) are recognized and blocked.

                        My advice: never ever run a mail server on pfSense. And also: no need to put pfSense in front of a mail server.


                        • bestinhash @JoseDiaz
                          This post is deleted!
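Gertjan's last post describes the SPF + DKIM => DMARC check a receiving server applies before accepting a mail. The following Python code is an added example, not from this thread or from any mail software, that evaluates DMARC the way RFC 7489 lays it out, given the SPF and DKIM results a receiver has already computed: it parses the policy record, tests identifier alignment in relaxed and strict mode, and returns the disposition the policy requests when neither mechanism passes aligned. The organizational-domain function is a deliberate simplification (last two labels instead of the Public Suffix List), the `sp=` and `pct=` tags are not handled, and every domain and record below is constructed.

```python
from typing import Dict, List, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for this example; a real receiver consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: List[Tuple[str, str]],
                   record_txt: str) -> Dict[str, object]:
    """Combine already-computed SPF and DKIM results into a DMARC verdict.

    from_domain   domain of the RFC 5322 From: header
    spf_result    'pass', 'fail', 'none', ... for the envelope sender
    spf_domain    domain SPF was evaluated against (MAIL FROM / HELO)
    dkim_results  list of (result, d= tag) pairs, one per signature
    record_txt    the _dmarc TXT record published by from_domain"""
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim)
                  for result, d in dkim_results)
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # Only a failing message is subject to the published policy action
        "disposition": "none" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    # Constructed cases: legitimate mail, a spoof, and a signature from a subdomain
    print(evaluate_dmarc("example.org", "pass", "mail.example.org",
                         [("pass", "example.org")], record))
    print(evaluate_dmarc("example.org", "pass", "bulk-sender.net",
                         [("fail", "example.org")], record))
    print(evaluate_dmarc("example.org", "none", "",
                         [("pass", "mail.example.org")], record))
```

The third case is the one that surprises people: a valid DKIM signature from `mail.example.org` fails under `adkim=s` because strict alignment wants the exact From: domain, while the same message passes once the record is relaxed. That is why a mail server, which sees the decrypted headers, is the place this check belongs, as the thread keeps saying.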
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.