We are receiving the same emails which, last 28/11/14, infected our system with Cryptolocker. These links come from different domains but have the following URL in common:
http://xxxxxxxx.xx/Billing/invoice.zip. How could we avoid infecting our systems if someone clicks the link?
Do you have AV/threat/WildFire protection applied on the security rules that pass traffic to the internet?
Do you have the latest updates applied? Cryptolocker is a well-known malware (but it's still changing its code). Did you create a support case for this false positive?
In my opinion you have to create data filtering if the filename is always "invoice.zip". I tried to find examples in the archive but I didn't find any examples of how to get it.
I hope that someone gives you examples.
We have only a URL filtering license. We have updated the virus/threat signatures. We have thought of adding this line to the block list (URL filtering profile): */invoce.zip
Would it work?
Did you read:
Please follow these documents carefully. Cryptolocker isn't a "simple" malware, so without additional licenses I think that it will be hard to detect and stop them.
Are you using a spam filter? Maybe blocking the incoming emails, filtering by attachment or content, may be a quicker solution.
Or create a data filtering profile for file type .zip, direction = download, with regex to match invoice.zip, and then apply it to your security policies. Note: I haven't tested this.
The problem is that the mail sender and the name of the attached file within change; this happened several weeks ago and I created a rule to deny the source, but now the source is different and also the file name.
So data filtering to deny incoming zip files with the regex "invoice.zip" won't be useful in the future, and redirecting the web page to a honeypot or sinkhole has the same problem: it changes over time.
I read the post from Slawek and it could be useful. I will keep you informed.
Two more docs:
I hope that will be helpful for you.