Overview
The MailEssentials Trojan and Executable Scanner analyzes and determines the function of executable files attached to emails. This scanner can subsequently quarantine any executables that perform suspicious activities (such as Trojans).
This article looks at the Trojan & Executable Scanner in more detail and provides a step-by-step process for configuring it.
Introduction
The Trojan & Executable Scanner rates the risk-level of an executable file by decompiling the executable, and detecting in real-time what the executable might do. Subsequently, it compares the capabilities of the executable to a database of malicious actions and rates the risk level of the file.
With the Trojan & Executable scanner, you can detect and block potentially dangerous, unknown or one-off Trojans before they compromise your network.
The next section looks at how the Trojan & Executable Scanner works and the process to configure it from the MailEssentials Configuration UI.
Description
How does the Trojan & Executable Scanner work?
The Trojan and Executable Scanner (its internal name is SED – Secure Executable Detector) checks the Win32 executables that are scanned by MailSecurity and determines whether they make use of APIs that are normally used by malicious executables (e.g. Trojan Horses and Viruses).
This is done by reverse engineering the Win32 application, which reveals the APIs and function calls it uses. The list of APIs and function calls that the Trojan and Executable Scanner checks for is provided in the table below.
Win32 API check | Rank | Description |
---|---|---|
CheckASPack | 4000 | ASPack is a Win32 executable packer. It can pack files to as much as 70% of the file's original size. Packers of this type are often used to compress viruses and Trojans, which changes the binary pattern of the virus and makes it unrecognizable to virus scanning engines until their virus definition files are updated to recognize the packed virus. |
CheckCachedPassword | 4000 | APIs used to retrieve the cached passwords stored in the system are normally only used by malicious applications. |
CheckNeolite | 4000 | Neolite is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckPECompact | 4000 | PECompact is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckPEPack | 4000 | PEPack is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckPEtite | 4000 | PEtite is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckUIN | 4000 | Checks if the executable tries to access the ICQ UIN database. |
CheckUPX | 4000 | UPX is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckWWPack32 | 4000 | WWPack32 is another Win32 executable packer. Packers of this type are often used to compress viruses and Trojans. |
CheckFTP | 3000 | Checks if the executable tries to make use of the FTP protocol. |
CheckICQ | 3000 | Checks if the exe tries to make use of the ICQ protocol. |
CheckIRC | 3000 | Checks if the exe tries to make use of the IRC protocol. |
CheckLanman | 3000 | Checks if the exe tries to access the network connection properties. |
CheckLocalGroups | 3000 | Checks if the exe tries to add or modify users or groups in the system. |
CheckRAS | 3000 | Checks if the exe makes use of Remote Access Services (RAS). |
CheckRegisterServiceProcess | 3000 | Checks if the exe tries to hide itself from the Windows Task Manager (on Windows 9x). |
CheckSMTP | 3000 | Checks if the exe tries to make use of the SMTP protocol. |
CheckUIChange | 2000 | Checks if the exe tries to change the keyboard, mouse or display settings. |
CheckUIChange2 | 2000 | Checks if the exe tries to change the keyboard, mouse or display settings. |
CheckUIChange3 | 2000 | Checks if the exe tries to change the keyboard, mouse or display settings. |
CheckVBDelphiNetwork | 2000 | Checks if the exe was written in Delphi or Visual Basic and tries to make use of Internet connections. |
CheckExePacker | 1100 | Checks if the exe is compressed. |
CheckForFlash | 1100 | Checks if the exe contains Macromedia Flash animations. |
CheckKBHooks | 1000 | Checks if the exe tries to perform keyboard logging or similar functions. |
CheckNetwork | 1000 | Checks if the exe tries to create Internet or network connections. |
CheckDialup | 800 | Checks if the exe tries to make use of Dialup. |
CheckAutorun | 500 | Checks if the exe tries to add itself to the Windows autorun. |
CheckWininet | 500 | Checks if the exe tries to make network |
CheckExitWindows | 400 | Checks if the exe tries to reboot or shut down the system. |
CheckMPR | 400 | Checks if the exe tries to access dialup properties such as the password and connection parameters. |
CheckINI | 300 | Checks if the exe tries to access critical .ini files such as windows.ini. |
CheckDisk | 200 | Checks if the exe tries to write to disk. |
CheckProcessAccess | 200 | Checks if the exe checks which other processes are running on the system. |
CheckRegistry | 200 | Checks if the exe tries to write to the Windows registry. |
CheckDisk2 | 100 | Checks if the exe tries to write to disk. |
As noted in the table above, each API check has a rank. The user can configure the Security level of the Trojan and Executable Scanner to High, Medium or Low. This sets the maximum rank that a file may reach when it is scanned. The maximum rank for each configurable level is:
- Low Security: 2000
- Medium Security: 500
- High Security: 100
When scanning an exe, the Trojan and Executable Scanner adds up the ranks of the APIs found in the executable, and if the maximum is reached the file is blocked. For instance, if the Trojan and Executable Scanner is configured to 'High Security', nearly all executable (exe) files will be blocked, since most of them write to both the disk and the registry.
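The rank-summing rule above, as an added Python model that is not GFI's code: it takes the ranks and level thresholds from the tables in this article, sums the ranks of the checks that fired and reports which security levels would block the file. It assumes that "the maximum is reached" means the total equals or exceeds the threshold, and the check sets in the demo are constructed, not real scan output.

```python
# Added model of the Trojan & Executable Scanner rank rule; not GFI's code.
# Ranks and thresholds are copied from the article's tables.
RANKS = {
    "CheckASPack": 4000, "CheckCachedPassword": 4000, "CheckNeolite": 4000,
    "CheckPECompact": 4000, "CheckPEPack": 4000, "CheckPEtite": 4000,
    "CheckUIN": 4000, "CheckUPX": 4000, "CheckWWPack32": 4000,
    "CheckFTP": 3000, "CheckICQ": 3000, "CheckIRC": 3000, "CheckLanman": 3000,
    "CheckLocalGroups": 3000, "CheckRAS": 3000, "CheckSMTP": 3000,
    "CheckRegisterServiceProcess": 3000,
    "CheckUIChange": 2000, "CheckUIChange2": 2000, "CheckUIChange3": 2000,
    "CheckVBDelphiNetwork": 2000, "CheckExePacker": 1100, "CheckForFlash": 1100,
    "CheckKBHooks": 1000, "CheckNetwork": 1000, "CheckDialup": 800,
    "CheckAutorun": 500, "CheckWininet": 500, "CheckExitWindows": 400,
    "CheckMPR": 400, "CheckINI": 300, "CheckDisk": 200,
    "CheckProcessAccess": 200, "CheckRegistry": 200, "CheckDisk2": 100,
}
# Maximum rank per security level, listed strictest first.
THRESHOLDS = {"High": 100, "Medium": 500, "Low": 2000}


def score(checks):
    """Sum the ranks of the checks that fired on an executable.
    Unknown check names raise instead of being silently skipped."""
    total = 0
    for name in checks:
        if name not in RANKS:
            raise KeyError("unknown check: " + name)
        total += RANKS[name]
    return total


def is_blocked(checks, level):
    """Assumption: 'the maximum is reached' means total >= threshold."""
    return score(checks) >= THRESHOLDS[level]


def blocking_levels(checks):
    """Levels (strictest first) at which this set of checks blocks the file."""
    return [lvl for lvl in THRESHOLDS if is_blocked(checks, lvl)]


if __name__ == "__main__":
    # Constructed check sets, not real scan output.
    samples = {
        "plain installer (disk + registry + autorun)": ["CheckDisk", "CheckRegistry", "CheckAutorun"],
        "UPX-packed binary": ["CheckUPX"],
        "keylogger-style (hooks + network)": ["CheckKBHooks", "CheckNetwork"],
        "writes to disk only": ["CheckDisk2"],
    }
    for label, checks in samples.items():
        print(f"{label}: rank {score(checks)}, blocked at {blocking_levels(checks)}")
```

The "plain installer" case shows the trade-off the article describes: 200 + 200 + 500 = 900 already exceeds the High (100) and Medium (500) thresholds, so only Low Security lets an ordinary installer through.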
The Trojan and Executable Scanner has its own database which stores all the information regarding the checks that are done. This is stored at: ..\GFI\MailEssentials\EmailSecurity\Engines\sed\default.sdb
The Trojan and Executable scanner database is encrypted and can be updated from the GFI site in the same way the virus definition files are updated. However, updates to this database are less frequent.
Configuring the Trojan & Executable Scanner
- Go to Email Security > Trojan & Executable Scanner.
- Under the General tab, select Enable Trojan & Executable Scanner to activate this filter.
- In the Email checking section, specify the emails to check for Trojans and other malicious executables by selecting:
Option | Description |
---|---|
Scan Inbound SMTP Email | Scan incoming emails for Trojans and malicious executable files. |
Scan Outbound SMTP Email | Scan outgoing emails for Trojans and malicious executable files. |
- From the Security settings area, choose the required level of security:
Security Level | Description |
---|---|
High Security | Blocks all executables that contain any known malicious signatures |
Medium Security | Blocks suspicious executables. Emails are blocked if an executable contains one high-risk signature or a combination of high-risk and low-risk signatures. |
Low Security | Blocks only malicious executables. Emails are blocked if an executable contains at least one high-risk signature. |
- From the Actions tab, configure the actions you want GFI MailEssentials to take on emails containing a malicious executable.
- Note: Emails blocked by the Trojan & Executable Scanner are always quarantined.
- To send email notifications whenever an email gets blocked, check any of the following options:
Option | Description |
---|---|
Notify administrator | To notify the administrator whenever this engine blocks an email. |
Notify local user | To notify the local recipients about the blocked email. |
- To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name of a custom location on disk for the log file. By default, log files are stored at:
..\GFI\MailEssentials\EmailSecurity\Logs\trojan.log
- In the Updates tab, check Automatically check for updates to enable automatic updating for the selected engine.
- From the Downloading option list, select one of the following options:
Option | Description |
---|---|
Only check for updates | Select this option if you want MailEssentials to just check for and notify the administrator when updates are available for this engine. This option does NOT download the available updates automatically. |
Check for updates and download | Select this option if you want MailEssentials to check for and automatically download any updates available for this engine. |
- Specify how often you want MailEssentials to check for and download updates for this engine by entering an interval value in hours.
- From the Update options area, check Enable email notifications upon successful updates to send an email notification to the administrator whenever the engine updates successfully.
- Note: An email notification is always sent when an update fails.
- To force the most recent updates, click on the Download updates button. This will trigger the update process manually. It is an incremental update where only the most recent definitions are updated.
- Click Apply.