Re: FYI: Are you still looking for an excuse to block executable attachments?
From: Brian Bergin (ntbugtraq.nospam.1_at_TERABYTE.NET)
Date: 01/27/04
- Previous message: Nick FitzGerald: "Re: FYI: Are you still looking for an excuse to block executable attachments?"
- In reply to: Russ: "FYI: Are you still looking for an excuse to block executable attachments?"
- Next in thread: Ames, Neil: "Re: FYI: Are you still looking for an excuse to block executable attachments?"
Date: Tue, 27 Jan 2004 09:55:57 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
At 23:47 26 01 04 Monday, you wrote:
>Better still, unzip it (Winzip have an API you know) and then scan the
>contents for attachment types you're blocking...IOWs, just because it's
>zipped doesn't mean you accept such attachment types from Internet
>sources. Too bad AV products are too dumb to do this, no wonder some
>malcode writers have chosen to deliver the same old executable inside a
>zip, they realize it'll get farther than plain attachments (but then
>again, there was Bagle last week.)
Actually, Symantec's Antivirus for SMTP Gateways 3.x does exactly what
you're suggesting here. If I tell it to ban, say, .xyz files it will search
inside compressed archives like .zip files and remove those files no matter
their content. The cute thing about this product is if the banned file
extension was the only file in the .zip file it will send on a 0 byte file
to the recipient, but hey, it removed it.
NOTE: Please reply to the list so others may benefit from your
thoughts. If you're concerned it may not make it to the list, please cc:
me on the reply.
Sincerely,
Terabyte Computers, Inc.
Brian S. Bergin
President
-----
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
-----
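The gateway behaviour discussed in the message above (look inside a .zip, strip members whose extension is banned, and decide what to do when nothing is left) can be sketched as follows. This is an added example, not code from the post or from any product named in it; it uses Python's `zipfile` module, and the banned list, the limits and all function names are assumptions.

```python
import io
import zipfile

BANNED = {".exe", ".scr", ".pif", ".com", ".bat"}  # assumed policy, not from the post
MAX_DEPTH = 3                      # assumed limit on nested archives
MAX_MEMBER_BYTES = 10 * 2**20      # assumed cap on a member's declared size

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def is_banned(name):
    # Windows ignores trailing dots and spaces, so "a.exe." is still "a.exe".
    return any(name.lower().rstrip(". ").endswith(ext) for ext in BANNED)

def filter_zip(data, depth=0):
    """Return (clean_bytes or None, removed_names); None means drop the attachment."""
    if depth > MAX_DEPTH:
        return None, ["<nested too deep>"]
    kept, removed = {}, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted or info.file_size > MAX_MEMBER_BYTES or is_banned(info.filename):
                    removed.append(info.filename)   # banned, or cannot be inspected
                    continue
                body = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(body)):
                    clean, inner = filter_zip(body, depth + 1)
                    removed += [f"{info.filename}/{n}" for n in inner]
                    if clean is None:
                        continue                    # nothing usable left inside
                    body = clean
                kept[info.filename] = body
    except (zipfile.BadZipFile, NotImplementedError):
        return None, ["<unreadable archive>"]
    if not removed:
        return data, []                             # untouched: pass original bytes
    if not kept:
        return None, removed                        # do not forward an empty file
    return make_zip(kept), removed
```

When every member is removed the function returns `None` so the caller can drop the attachment instead of delivering a 0 byte file, and the `removed` list can go to a local log.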