Are incoming ticket attachments scanned for viruses?

Have more questions? Submit a request

11 Comments

  • Dian Mangalapallil

    This is not helpful in preventing malicious attacks. Agents are prone to error and placing the responsibility on agents to be careful when opening attachments is not a foolproof method. Why has Zendesk not placed a simple whitelist function to allow only certain File types to be uploaded using the web form? Allowing any file types of any size to be uploaded does not seem wise especially from a reputed company such as Zendesk. Please add this functionality immediately so admins can stop end users from uploading exe msi or other suspicious application files.

    2
  • Luke Burgoyne

    I echo Dian's concerns here. I'm also curious why the Attachment Restrictions App is referenced on multiple pages as a viable solution, but it seems to no longer be available in the marketplace. I've tried installing it several times, but it always throws a generic error. It's also not searchable via the marketplace, which makes me think it's no longer available, and the page in the link above is an orphaned. I also don't see any other apps that contain the same functionality. This definitely needs to be addressed. 

    1
  • Brett - Community Manager

    Hey Luke,

    I replied your other post but I will post here as well for visibility:

    "Hi Luke,

    The Attachment Restriction app is a Zendesk Labs app which means it was not supported by the Zendesk team. You can find more information in the following article: What is Zendesk Labs.

    I was also able to track down the app located on GitHub which you can try downloading and possibly uploading as a private app: Attachment Restrictions.

    I'll also look into getting our documentation updated since the app is no longer available. Thanks for sharing that with us!"

    Thanks again!

    0
  • Dian Mangalapallil

    Brett, 

    Zendesk have not still addressed if there is any effort to allow better management of file attachments via the webform. If there is no direction here please state this and provide a way for us to remove the attachment field from the webform so we can protect ourselves from malicious attacks. 

    With the number of spam and virus attacks that goes on nowadays, it is very surprising that this CRITICAL functionality is missing in Zendesk and that there seems to be no priority given to this request. 

    4
  • Nicole - Community Manager

    Hi Dian - 

    I've asked the product manager for this area of the product to provide an answer to your question if there is one that he can share publicly. 

     

    0
  • Cornelius Cody

    This is truly disappointing. I’m evaluating ticketing programs, and for something so critical and fundamental to be ignored is astonishing. Even a captcha would be preferential to the open tunnel for spammers and hackers to abuse and put your clients at risk.

    1
  • Max McCal

    Hey, all - 

    We're continuing to investigate the best solutions to this. An early plan fell apart when confronted with reality, and we've gone back to the drawing board. I agree, it's a terrible risk to leave open, and remains one of our top security priorities.

    0
  • Steven Rothberg

    Hi @Max McCal any updates? This is a gaping security hole and something that is probably actively exploited in the wild as a means of circumventing organisations mail gateway filters. 

    2
  • Kelly Ngo

    I echo all of the comments above, I'm incredibly shocked that what seems like pretty basic functions 1) limit file types and 2) virus scanning on web forms (already available on emails) is not available. Our security team has huge concerns over the attachment function, and I'm unable to turn on. Any one have solutions of what they have done to protect themselves?

    3
  • SDS Product Team

    This has just been flagged to us as a massive security risk as well - really needs a solution soon.

    Can we not at least be iterative in the solution here?  We don't need the end solution with virus scanning straight away, but limiting the file types is simple enough as a first step.

     

     

    3
  • Nicole - Community Manager

    Hi all - 

    We've been asked to redirect this conversation to the Support Product Feedback topic. Product Managers don't consistently see the comments on articles in our knowledge base, but they do get alerts for posts in the Feedback topics in the Community. 

    0

Please sign in to leave a comment.

Powered by Zendesk