2

In the last couple of weeks my company has been inundated by a group of viruses including an .html attachment. Some of these had the subject "UPS shipment", some "Western Union". All of them asking the user to click on the .html attachment. Mind you, none of these were caught by any of the security software on my network. Mostly Trend Micro products, OfficeScan and Scanmail.

I try to drill some Internet common sense into my people. The old, if it's too good to be true, if you're not expecting it, etc., but still I have a few that just forget. After reinstalling three machines I realized that this was more of a problem than I thought. My first reaction was to block all .html attachments at our Trend Scanmail server. This seemed to work great. No more virus attacks.

Here's my problem. Our accountant/office manager came to me today and said that I needed to allow .html files. It seems that all of her online accounting services communicate by .html attachment. She says she has been losing communications because Scanmail is removing all of her attachments.

In my opinion, a real online service should not be communicating with its clients via an .html attachment in an email. Does anyone else agree? Are these attachments considered safe, or do they belong in the mix with .exe and .bat? How do other people deal with this issue? Should we be contacting these services asking them to change their policy? The only other option I have given my current setup is allowing .html files through again to all my e-mail users.

Is Trend Micro losing its touch? Should I be looking for new security software? I switched to Trend Micro because they were rated pretty good at the time and I didn't want to use Symantec or McAfee (bad taste in my mouth, long story). What should I do?

Peter Mortensen
Albion

5 Answers

2

A couple of things:

  1. The html is not in and of itself malware, therefore your AV software is not going to detect anything. The act of clicking the link initiates a download of some sort which contains the malware or the link directs the browser to a rogue website, which is then used as the injection point for the malware payload.

  2. It's not really UPS, Fedex, Western Union, the IRS or any other entity that's sending these emails so contacting one of these entities and asking them to stop sending these emails is likely to only garner snickers and guffaws at your expense.

  3. If you have a sufficient real time AV scanning component on each client workstation, then if a user clicks one of the links the real time AV component should block the malware. If it's not, I would look into why it's not.

  4. When a user receives an email from UPS, etc. suggesting that the user click a link to collect their tracking, shipping, etc. information the user should ask themselves "Did I ship something via UPS?" or "Am I expecting a package from Fedex?", etc. If the answer is no, then delete the email. Technology can't fix a lack of common sense. Some serious end user education is in order here.

joeqwerty
  • I understand everything you're saying. The .html files we were getting were redirecting to sites that were not blocked by Officescan. I am assuming that my users got on before Trend had a chance to get the signatures down to me. I try to drill the internet common sense thing to them, but many just don't have the will required to refrain from clicking on the attachment. Don't ask me why, I'd suspect I'd have to hire a psychologist to find out. – Albion Jul 20 '10 at 14:29
  • @Albion: I hear you. It's the same battle everywhere. I can't tell you how many emails I get asking me if an email from UPS is legitimate. – joeqwerty Jul 20 '10 at 14:45
1

Our company also blocks .html attachments at the border. We also figured that there wasn't a huge need for those sorts of attachments. Then Dell sent us a price quote as, you guessed it, an html attachment. I suppose it's slightly more standardized than a PDF file? Either way, we wound up whitelisting HTML attachments from just that domain. I take it that's not an option for you?

I can't say too much about Trend Micro's performance. One thing you might try is submitting those sorts of files to someplace like this, which will show which other AV vendors recognize it as a threat. That might tell you if there's a better company for you.

One thing that our company has done that seems to be quite successful is blocking executable downloads at the firewall. Essentially, any HTTP traffic carrying a Windows executable gets blocked. We have a whitelist of users who are allowed to download them if they really need to, but otherwise it can block a surprising amount of malware from getting through.

Peter Mortensen
Christopher Karel
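The two measures in the answer above, a per-domain exception for HTML attachments and blocking anything that is really a Windows executable whatever it is called, as a worked example. This is added here and is not ScanMail's, a firewall vendor's or the answerer's code; the allowlisted domain, the mail addresses and the FAKE_PE bytes are constructed for the demo.

```python
# Added example (hypothetical policy code, not ScanMail's or any vendor's): drop .html
# attachments unless the sender domain is allowlisted, and drop any attachment whose
# bytes are a Windows PE executable regardless of its filename.
import struct
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

HTML_ALLOWED_SENDER_DOMAINS = {"vendor.example"}   # constructed allowlist
BLOCKED_EXTENSIONS = {".html", ".htm"}

def is_windows_executable(data: bytes) -> bool:
    """PE check: 'MZ' DOS stub and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def sender_domain(msg: EmailMessage) -> str:
    return utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def filter_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse raw RFC 5322 bytes, strip offending parts, return (msg, reasons)."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain, reasons = sender_domain(msg), []
    for part in list(msg.iter_attachments()):
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if is_windows_executable(payload):
            reasons.append(f"{name}: PE executable content")
        elif ext in BLOCKED_EXTENSIONS and domain not in HTML_ALLOWED_SENDER_DOMAINS:
            reasons.append(f"{name}: html attachment from {domain}")
        else:
            continue
        msg.get_payload().remove(part)   # detach the offending sub-part in place
    return msg, reasons

def build_sample(sender: str, attachments: list[tuple[str, str, bytes]]) -> bytes:
    """Constructed test mail; each attachment is (filename, 'type/subtype', bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", "Your shipment"
    msg.set_content("Please open the attached notice.")
    for filename, ctype, content in attachments:
        maintype, subtype = ctype.split("/")
        msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

# Constructed fake PE header: 'MZ', e_lfanew = 0x40 at offset 0x3C, then 'PE\0\0'.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\0" * 8
```

The same `is_windows_executable` check is what a content-aware firewall rule applies to an HTTP response body, so a renamed .exe is caught where an extension filter would not catch it.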
0

none of these were caught by any of the security software on my network. Mostly Trend Micro products, OfficeScan and Scanmail

I can recommend ClamAV (free, cross-platform) as a very effective phishing blocker. I've seen some reports which suggest it's not as good as some of the commercial scanners at Anti-Virus - but it's easy to maintain your database - and/or use SpamAssassin on your MTA - again it's easy to update the rules and the Bayesian database.

And of course since the only cost is some hardware to run it on, then it will happily sit inline with your current provision.

Peter Mortensen
symcbean
0

Also, not sure how feasible this suggestion is to your network architecture, but OpenDNS is good at blocking phishing/malware sites - I use it at home and it seems to be good at what it does.

emtunc
0

Consider an external Capture-And-Release style message filtering service.

Symantec offer this in the form of Messagelabs.

Google offer this in the form of Postini.

These will be more effective at controlling spam at the edge of your network, while still allowing users to manage their caught spam and release messages if necessary.

Disclaimer: There are probably lots more companies offering similar services, so shop around to find the best fit for you. I'm just most familiar with the 2 above.

Chris Thorpe