We have been having challenges blocking the downloading of Postal-Receipt.exe and Postal-Receipt.zip being pulled down from web-based email. The emails convince the user to click on a link similar to http://goodguy.com/wp-content/plugins/akismet/mirror.php?receipt=798_1534586700 causing the encapsulated exe to come down. The bad guys are creating new versions on a regular basis, thus AV is not picking them up. We are playing catch up all the time. We normally have some success with custom vulnerability signatures but this one has us stumped for now. Any ideas or suggestions would be helpful.
You may want to enable WildFire by configuring a forward action on a File-Blocking profile. WildFire runs the executable in a sandbox environment and checks its behavior to see if it is malicious. If so, signatures are automatically generated within an hour with the subscription service. This also feeds into the PAN-DB URL filtering database malware category, so you may also want to block those types of websites, too.
Also, a Continue action on executable (PE or "portable executable") file downloads can help so the user has to specifically click "Continue" to download the file. This is called drive-by-download protection. You can customize the response page to show a warning for these types of files to discourage users from clicking continue.
Both options can be combined, as well.
Here is a bit more info. We are running WildFire (not the subscription service yet). That is how we are being alerted to them. We are still on 4.1.x and will be going to 5.x soon. We will also start using PAN-DB. The daily AV definitions are not stopping them either. We have tried continue and forward, but the continue prompt caused a lot of issues with our user base. We are having some success with exe file blocking for normal users (currently deployed to 10% of our user base), but we are a ways off from deploying this approach to our entire user base. 65% of our WildFire events are the result of people clicking things in email messages that they should not. Only 35% of them are drive-by caused. We are working on user education, but that is an effort with longer-term results.
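The thread describes a lure that is easy to recognise from the traffic itself even when the executable changes: a PHP script under a compromised WordPress plugin directory, a receipt= query parameter, and a download named Postal-Receipt.exe or Postal-Receipt.zip. The script below is an added example (not from the original post or from Palo Alto Networks) that applies those three indicators to a constructed proxy/URL log in a made-up space-separated format; it is meant as a triage aid alongside the file-blocking and WildFire controls discussed above, and the log format, field order and sample lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in a hypothetical format (not real PAN-OS output):
# timestamp client method url status content-type content-disposition
SAMPLE_LOG = """\
2013-08-19T10:15:02 10.1.2.3 GET http://goodguy.com/wp-content/plugins/akismet/mirror.php?receipt=798_1534586700 200 application/x-msdownload attachment;filename=Postal-Receipt.exe
2013-08-19T10:15:40 10.1.2.9 GET http://example.org/index.html 200 text/html -
2013-08-19T10:16:11 10.1.2.7 GET http://another-site.example/wp-content/plugins/foo/bar.php?receipt=12_99 200 application/zip attachment;filename=Postal-Receipt.zip
2013-08-19T10:17:00 10.1.2.5 GET http://example.com/downloads/setup.exe 200 application/x-msdownload attachment;filename=setup.exe
"""

# Indicator 1: the lure filename named in the thread (case-insensitive).
LURE_NAME = re.compile(r"^postal-receipt\.(exe|zip)$", re.IGNORECASE)

# Content types under which a PE or a zip wrapping a PE is typically served.
BINARY_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
    "application/zip",
}


def parse_line(line):
    """Split one constructed log line into a dict, or return None if malformed."""
    fields = line.split(maxsplit=6)
    if len(fields) != 7:
        return None
    ts, client, method, url, status, ctype, disposition = fields
    m = re.search(r'filename="?([^";]+)', disposition)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": status,
        "ctype": ctype,
        "filename": m.group(1) if m else None,
    }


def detect(entry):
    """Return the list of indicators that match one parsed entry (empty if clean)."""
    reasons = []
    parts = urlsplit(entry["url"])
    path = parts.path.lower()

    # Indicator 1: the download is named like the lure.
    if entry["filename"] and LURE_NAME.match(entry["filename"]):
        reasons.append("lure-filename")

    # Indicator 2: PHP script inside a WordPress plugin directory with a receipt= parameter,
    # the URL shape quoted in the question.
    if "/wp-content/plugins/" in path and path.endswith(".php") and "receipt" in parse_qs(parts.query):
        reasons.append("lure-url-pattern")

    # Indicator 3: a server-side script handing back a binary, which survives renaming
    # of the executable and of the query parameter.
    if path.endswith(".php") and entry["ctype"].lower() in BINARY_TYPES:
        reasons.append("script-serving-binary")

    return reasons


def scan_log(text):
    """Run the detectors over every line and return the entries that matched anything."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = detect(entry)
        if reasons:
            entry["reasons"] = reasons
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```

Indicator 3 is the one worth keeping once the filename and query parameter inevitably change; the legitimate setup.exe in the sample is served as a static file, so it does not trip it.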