Re: 543.rar attachment

From: Jonathan Loh (kj6loh_at_yahoo.com)
Date: 03/14/05

    Date: Mon, 14 Mar 2005 14:21:31 -0800 (PST)
    To: Kinnell <kinnell.t@gmail.com>, security-basics@securityfocus.com
    
    

    Ok that's a solution. But what I want to ask you is this. How much overhead
    does it take to do this? Blocking archive files would be an easier method with
    little overhead. Possibly with a reply to sender that your site does not
    accept archive files.
    --- Kinnell <kinnell.t@gmail.com> wrote:
    > On the network I'm a member of we block all exe files sent inside the
    > rar or zip, so even if it is sent the file will be 0byted. Wouldn't
    > that be a better method? Otherwise if you block all bz2, zip, rar,
    > etc... then you will block a lot of useful communication
    >
    > -Kinnell
    >
    > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna@siscocorp.com
    > <adisegna@siscocorp.com> wrote:
    > > Sean, I have to disagree with you. Any file that can encapsulate an
    > > executable file should be blocked (IMO). ZIP files are one of the
    > > biggest carriers of malicious content these days. I don't make it a
    > > habit of trusting my users no matter how many times they get trained.
    > > RAR extraction tools are not part of the software image policy on my
    > > network so users are oblivious to the file blocking. What is your
    > > solution?
    > >
    > > Thanks
    > >
    > > AD
    > > Information Technology Group
    > > Security Identification Systems Corporation
    > >
    > > -----Original Message-----
    > > From: Sean Crawford [mailto:sean01@accnet.com.au]
    > > Sent: Tuesday, March 08, 2005 9:39 PM
    > > To: security-basics@securityfocus.com
    > > Subject: RE: 543.rar attachment
    > >
    > > ---> -----Original Message-----
    > > ---> From: adisegna@siscocorp.com [mailto:adisegna@siscocorp.com]
    > >
    > > ---> Subject: RE: 543.rar attachment
    > >
    > > ---> I just recently got the same executable inside .rar. I extracted the
    > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
    > > ---> anything (as of 4 days ago). I wasn't about to double click this exe on
    > > ---> my corporate network. Block the rar extension on your mail server.
    > > --->
    > >
    > > rar is a valid compression format...blocking it isn't a very good
    > > solution.
    > >
    > > 2 cents.
    > >
    > > Sean
    > >
    > >
    >
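
Added example, not part of the original thread: a sketch of the member-level check Kinnell describes, for ZIP attachments only (RAR needs a third-party parser). The extension list, the member limit and the sample archive are assumptions constructed for illustration; only the name dddd.exe comes from the thread. It reads the archive's directory and the first two bytes of each member, which bears on the overhead question raised above.

```python
import io
import os
import zipfile

# Assumed site policy: extensions treated as executable content.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_MEMBERS = 1000  # assumed limit; refuse archives with more entries


def executable_members(data: bytes) -> list[str]:
    """Return names of ZIP members that look like executables.

    Flags a member by its extension, or by the DOS/PE "MZ" signature in its
    first two bytes. Raises ValueError if the attachment cannot be inspected.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a readable ZIP archive") from exc
    with archive:
        infos = archive.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError("too many members to inspect")
        flagged = []
        for info in infos:
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                flagged.append(info.filename)
                continue
            if info.is_dir() or info.flag_bits & 0x1:
                continue  # encrypted members: only the name is visible
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    flagged.append(info.filename)  # renamed executable
        return flagged


def build_sample() -> bytes:
    """Constructed attachment: a text file, an .exe and a renamed PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "hello")
        z.writestr("dddd.exe", b"MZ\x90\x00 constructed stub")
        z.writestr("photo.jpg", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(executable_members(build_sample()))
```

Password-protected archives expose member names but not content, so a renamed executable inside one passes the signature check; a gateway has to decide separately how to treat encrypted archives.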

                    