Crypto Locker getting through HAVP



  • Just as the thread title says.  We've been getting hit with the cryptolocker in email spam.  It gets caught by Microsoft Security Essentials but I installed postfix/mailscanner and HAVP to prevent viruses from passing through.

    Haven't gotten any since installing postfix/mailscanner on my email; however, I was running some tests for HAVP and found that it's getting right through.

    I took some of the known zips that have viruses and uploaded them to my personal webserver at home.  No prompt at all during download.

    Now I know the AV itself is working.  The EICAR test file sets off an alert, and even today a co-worker brought in his daughter's malware-infested laptop and I see an alert in there from about an hour ago that it tried to download something too.

    Any ideas?



  • Just a heads up: even with postfix and mailscanner it seems it's still getting through in email too.

    They both leverage ClamAV, so it's no surprise that if it's getting through on one it will on the other.

    I'm very disappointed that it's not able to detect such a well-known virus.  I think I may be losing confidence in what little UTM-type features pfSense has.



  • My Clearswift Mail Scanner (uses Kaspersky) and AVG Business don't catch it either.  I've had much better luck simply using snort with ET to block all RBN IPs.


  • LAYER 8 Global Moderator

    And you updated your dat files when?  You guys do know that viruses can change by the hour..  There is NO antivirus that catches everything..

    So these zips that your HAVP missed: for one, curious how big they are and what your setting for max scan size is.  Also, did you upload these zips to, say, VirusTotal?  It has ClamAV as one of its scanners; did the other scanners show infected?



  • @johnpoz:

    And you updated your dat files when?  You guys do know that viruses can change by the hour..  There is NO antivirus that catches everything..

    So these zips that your HAVP missed: for one, curious how big they are and what your setting for max scan size is.  Also, did you upload these zips to, say, VirusTotal?  It has ClamAV as one of its scanners; did the other scanners show infected?

    Relax dude….

    It was a brand new install of pfSense, with the newest version of HAVP.  Definition files were updated on the 7th.  I used .zip files from the email prior to that for testing.  Max file size was set to larger than the zips I was testing.

    virustotal.com shows that ClamAV detects the file as clean while over half, including AVG, Avast, MBAM, Kaspersky, and MSE, flag it.

    So yeah, I'm beginning to have my doubts about ClamAV being a viable solution for AV scanning.


  • LAYER 8 Global Moderator

    Relax?  What?

    Again, there is not a virus scanner on the market that catches everything..  So on VirusTotal only half of them say it's infected, so what, the other half suck?

    Because ClamAV misses this 1 variant, it just sucks and is not worth using..  Sure, that sounds logical, use something else then ;)  So what are you going to do when it misses a virus, change to another one?  There is nothing that catches everything..

    As to stuff getting through email - you've got a bunch of monkeys working for you that would click on anything in an email attachment in the first place..  Your better antivirus solution would be to get smarter users ;)



  • @johnpoz:

    Relax?  What?

    Again, there is not a virus scanner on the market that catches anything..  So on VirusTotal only half of them say it's infected, so what, the other half suck?

    Because ClamAV misses this 1 variant, it just sucks and is not worth using..  Sure, that sounds logical, use something else then ;)  So what are you going to do when it misses a virus, change to another one?  There is nothing that catches everything..

    As to stuff getting through email - you've got a bunch of monkeys working for you that would click on anything in an email attachment in the first place..  Your better antivirus solution would be to get smarter users ;)

    Relax because your posts have been defensive and borderline hostile, automatically pointing to my config being wrong.

    Now your post just borders on idiocy with no logical thought process either, in the same breath as you strawman what I say and call it illogical as well.

    "Again there is not a virus scanner on the market that catches anything"
    Quote me where I said any virus scanner catches everything

    "Because ClamAV misses this 1 variant, it just sucks and is not worth using"
    Quote me where I said that

    "So on VirusTotal only half of them say it's infected, so what, the other half suck?"
    Quote me where I said it sucks

    "There is nothing that catches everything"
    Again… quote me

    "As to stuff getting through email - you've got a bunch of monkeys working for you that would click on anything in an email attachment in the first place..  Your better antivirus solution would be to get smarter users ;)"
    Now you're just being outright disrespectful.

    Bottom line here is that ClamAV is missing a very well-known virus when others aren't.  There's no way around it.  Make whatever apologizing excuses you want....


  • LAYER 8 Global Moderator

    borderline hostile – ok, fine.. I just won't help you then.  Have a nice life.

    Where did I point to your config being wrong?  I asked you about a simple common setting in the config; if the zip is over that, it wouldn't even be scanned.  And how old is your dat file?

    "Bottom line here is that ClamAV is missing a very well-known virus when others aren't"

    HALF of the other scanner engines are missing it was my point..  So I believe VirusTotal uses like what, 51 scanners - now your point might be valid if 50 of them all said hey, that zip is infected, and the only one saying nope, it's clean was ClamAV...

    Or better yet, ClamAV on it said yup, it's infected, but it's not finding it on pfSense - then there would be something to look at in pfSense HAVP.

    But since you feel I am too "hostile" you can wait for someone else to discuss your problem - maybe they won't be so mean and ask questions.. So ClamAV doesn't find it on VirusTotal - how would it find it in pfSense is my point.  So if you're not happy with the % of hits with ClamAV, use something else then ;)  Per Jason, his Clearswift Mail Scanner didn't catch it either, so that might not be a good choice.



  • You claimed you weren't helping, but you're still here.

    You pointed right to the filesize and if my definitions were up to date.  My config is right….

    Actually it's more than half, with Avast specifically pointing it out as the Cryptolocker.

    https://www.virustotal.com/en/file/7af9977a75e7c49b752108716610d84f879ca611e959a073cacda334e94fede4/analysis/1389880106/

    "You can wait for someone else to discuss your problem - maybe they won't be so mean and ask questions.. So ClamAV doesn't find it on VirusTotal - how would it find it in pfSense..  So if you're not happy with the % of hits with ClamAV, use something else then ;)"

    You realize this is what I've already said?  I made that distinction when both the mail scanner and HAVP were missing it.  VirusTotal confirmed it.  You realize that I KNOW CLAMAV IS MISSING IT?  Do you understand the words I'm typing?  Do you understand that as a result my opinion of ClamAV has been reduced?  Do you understand any of this?  Do you comprehend anything that you read at all?

    There really isn't much to discuss here, on the pfSense forum.  It's not a pfSense problem, it's a ClamAV problem.  I'll head over there.  Perhaps someone over there won't be so obtuse.


  • Moderator

    If you are using postfix, I would suggest that you use RBLs to reject suspicious mail.

    I would suggest the following ones:

    reject_non_fqdn_sender
    reject_unknown_client
    reject_unknown_hostname
    reject_unknown_sender_domain

    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client bl.spamcop.net

    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_reverse_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org

    Postfix can also incorporate ClamAV and Amavis.

    I would also suggest that you use pfBlocker with the following lists at a minimum: ET, Spamhaus, dShield, CI Army, Zeus/Spyeye/Palevo, iBlock.

    The above steps will block a lot of known suspicious activity early on, before ClamAV sees the traffic.

    You could still use ClamAV as a last step.

    Also, use pfSense Snort on your WAN and LAN.  There is also a product called "Security Onion" that can be installed as an IDS to get a full understanding of what is happening in your network.

    Hope it helps you.
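As an added illustration of how the reject_rbl_client and reject_rhsbl_* restrictions listed above actually work (example code, not the moderator's or Postfix's own): it builds the DNSBL query names the way Postfix does (reversed IP octets for rbl, bare domain for rhsbl) and only treats a 127.x answer inside the zone's documented listing range as a hit, so the 127.255.255.x error codes Spamhaus returns for blocked or malformed queries are not mistaken for listings. The DNS answers are constructed so it runs offline; the resolver is injectable if you want to wire in a real lookup.

```python
import ipaddress

# Constructed answers standing in for DNSBL zone data (not real listings).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],          # 192.0.2.10 listed (XBL code)
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],  # Spamhaus error code, not a listing
    "spam-sender.example.dbl.spamhaus.org": ["127.0.1.2"], # sender domain listed
}

# Return codes that mean "listed" per zone; anything else, including the
# 127.255.255.x error codes, must not count as a hit. Postfix lets you pin
# this in main.cf, e.g. reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
LISTED_CODES = {
    "zen.spamhaus.org": {f"127.0.0.{n}" for n in range(2, 12)},
    "dbl.spamhaus.org": {f"127.0.1.{n}" for n in range(2, 255)},
}

def fake_resolve(name):
    """Stand-in for an A-record lookup; [] means NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name, [])

def rbl_name(ip, zone):
    """reject_rbl_client: reverse the IPv4 octets (or IPv6 nibbles) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def rhsbl_name(domain, zone):
    """reject_rhsbl_sender/_client: the bare, lowercased domain goes under the zone."""
    return f"{domain.strip('.').lower()}.{zone}"

def listed(query_name, zone, resolve=fake_resolve):
    """Return the listing code if the answer is a genuine hit, else None."""
    for answer in resolve(query_name):
        if answer in LISTED_CODES[zone]:
            return answer
    return None

def check_client(ip, zone="zen.spamhaus.org", resolve=fake_resolve):
    """What reject_rbl_client decides for a connecting client IP."""
    return listed(rbl_name(ip, zone), zone, resolve)

def check_sender_domain(domain, zone="dbl.spamhaus.org", resolve=fake_resolve):
    """What reject_rhsbl_sender decides for the envelope sender's domain."""
    return listed(rhsbl_name(domain, zone), zone, resolve)
```

Put these restrictions after permit_mynetworks in smtpd_recipient_restrictions so your own hosts are never looked up against the zones.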

