Re: FYI: Are you still looking for an excuse to block executable attachments?
From: Jeffrey Altman (jaltman_at_COLUMBIA.EDU)
Date: Tue, 27 Jan 2004 09:21:20 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Nick FitzGerald wrote:
>That is not the problem. Most AVs (at least, the half-decent ones that
>have dedicated gateway scanner versions) will recursively scan archives
>(to a reasonable depth) and can be set to quarantine anything that
>fails (because it is too deeply packed, "apparently corrupt" and so
>on). The trouble is the admins who have decided that, to appease the
>aforementioned belly-aching, mainly wannabe "power user" crowd, they
>should let .ZIP files pass without scanning or at least let them pass
>so long as they do not contain any known malware. This is the gateway
>scanner equivalent of "opening a hole in your firewall" and tends to
>result in much the same effect when some malcontent finds a way to
>exploit that hole...
>Further, the exploitability of the common ".ZIP hole" in Email gateway
>scanner _implementations_ has been made much easier with the increasing
>inclusion of ZIP (and other) archive handlers in standard desktop
>configurations, exemplified in XP's inclusion of native .ZIP handling.
What I have seen is that sites that do strip out .ZIP attachments leave
them attached if they are password protected. What we then end up with
are e-mails which contain a password protected zip file with the password
embedded in the e-mail.
You know what? The clueless users are going to open that file too.
In fact, the clueless user is going to do whatever s/he needs to do to
be able to open up the file. It does not matter whether the file is
provided in the e-mail or via a link to an ftp or http site.
The fundamental issue is that we need to provide to end users a safe
but easy to use authenticated mechanism for file exchange. Until we
can do that, users are going to rely on anonymous mechanisms which
will open the door for worm authors or scam artists to take advantage
of them.
>>Here's another thought, give Zimmerman his due and don't accept anything
>>that isn't PGP encrypted, first to a common key for your mail server
>>app, then to the recipient!! Wow, what a concept.
>Problematic if you must receive "unbidden" stuff, and odd as it may
>seem, there are many such places out there. Further, the widespread
>lack of suitable code installations makes it an unappealing choice
>(showing just why the aforementioned belly-aching, mainly wannabe
>"power user" crowd isn't...).
PGP is not supported by the majority of mail clients. Those that do support
a form of authenticated e-mail use S/MIME. Unfortunately, the vast majority
of mail filters do not recognize S/MIME attachments and treat them as
potential virii/worms, and reject the e-mails. Even the NTBugtraq list
does not accept e-mail signed with S/MIME.
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
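The three gateway-policy points raised in this exchange, in one small Python check: FitzGerald's "recurse to a reasonable depth and quarantine anything that fails", Altman's password-protected ZIP with the password handed over in the message body, and the S/MIME parts that filters wrongly treat as hostile attachments. This is an added example and is not code from the original post, from NTBugtraq, or from any list member. The message samples, the hand-patched "encrypted" flag (Python's zipfile cannot write encrypted archives), the placeholder signature blob, the verdict strings and the password-hint regex are all constructed here for illustration; only the ZIP header layout and the S/MIME content types are standard.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# S/MIME content types (RFC 8551). A filter that treats these as generic
# binary attachments rejects legitimately signed mail; here they pass.
SMIME_TYPES = {
    "application/pkcs7-signature", "application/x-pkcs7-signature",
    "application/pkcs7-mime", "application/x-pkcs7-mime",
}

# Heuristic (an assumption, not a standard): a body phrase that hands over
# the archive password, e.g. "The password is 12345".
PASSWORD_HINT = re.compile(r"\bpass(?:word|phrase|code)?\s*(?:is|:|=)\s*\S+", re.IGNORECASE)

MAX_DEPTH = 3  # how many nested archives the scanner is willing to open


def inspect_zip(data: bytes, depth: int = 0) -> str:
    """Classify a ZIP payload as 'plain', 'encrypted', 'corrupt' or 'too-deep'.

    Bit 0 of an entry's general-purpose flags marks it as encrypted; nested
    archives are followed only to MAX_DEPTH. 'corrupt' and 'too-deep' are the
    fail-closed verdicts that "quarantine anything that fails" maps to.
    """
    if depth >= MAX_DEPTH:
        return "too-deep"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return "encrypted"
                if info.filename.lower().endswith(".zip"):
                    inner = inspect_zip(zf.read(info), depth + 1)
                    if inner != "plain":
                        return inner
            return "plain"
    except zipfile.BadZipFile:
        return "corrupt"


def classify_message(raw: bytes) -> list[str]:
    """One verdict per attachment: allow:..., scan:..., or quarantine:...."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() in SMIME_TYPES:
            verdicts.append(f"allow:smime:{name}")
            continue
        payload = part.get_payload(decode=True) or b""
        if not (name.lower().endswith(".zip") or payload.startswith(b"PK")):
            verdicts.append(f"scan:other:{name}")
            continue
        verdict = inspect_zip(payload)
        if verdict == "encrypted" and PASSWORD_HINT.search(body_text):
            verdicts.append(f"quarantine:encrypted-zip-with-password-in-body:{name}")
        elif verdict == "plain":
            verdicts.append(f"scan:zip:{name}")
        else:
            verdicts.append(f"quarantine:{verdict}-zip:{name}")
    return verdicts


def make_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample: an uncompressed ZIP holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nest_zip(data: bytes, levels: int) -> bytes:
    """Wrap a ZIP inside `levels` further ZIPs (exercises the depth limit)."""
    for _ in range(levels):
        data = make_zip({"inner.zip": data})
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every entry of a constructed sample."""
    # The flag word sits at offset 6 of each local file header (PK\x03\x04)
    # and offset 8 of each central directory header (PK\x01\x02). Member data
    # is left untouched, which is all a header-reading scanner needs.
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_sample(body: str, zip_bytes: bytes, filename: str = "docs.zip") -> bytes:
    """Constructed sample message: plain-text body plus one ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


# Constructed multipart/signed sample; the signature part is a placeholder, not a real CMS blob.
SIGNED_SAMPLE = (
    b"From: sender@example.invalid\n"
    b"To: recipient@example.invalid\n"
    b"Subject: constructed S/MIME sample\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"\n'
    b"\n--b1\n"
    b"Content-Type: text/plain; charset=us-ascii\n\n"
    b"Quarterly report attached.\n"
    b"--b1\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="smime.p7s"\n\n'
    b"UGxhY2Vob2xkZXI=\n"
    b"--b1--\n"
)

if __name__ == "__main__":
    enc = mark_encrypted(make_zip({"invoice.exe": b"constructed, not a real binary"}))
    print(classify_message(build_sample("Invoice attached. The password is 12345.", enc)))
    print(classify_message(SIGNED_SAMPLE))
```

The verdicts are deliberately coarse: a plain archive is handed on to the scanner rather than allowed, an encrypted one is quarantined whether or not the body leaks the password (the body check only sharpens the reason), and an archive that cannot be parsed or nests deeper than the limit is treated the same way rather than let through, which is the fail-closed setting the thread argues for.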