Re: 543.rar attachment

From: Jonathan Loh (kj6loh_at_yahoo.com)
Date: 03/15/05

    Date: Mon, 14 Mar 2005 22:41:44 -0800 (PST)
    To: David J ONEILL <David.J.Oneill@state.or.us>, kinnell.t@gmail.com, security-basics@securityfocus.com
    
    

    Ok let's have a reality check.
    Blocking archive files is easy by just writing a simple filter looking for
    various extensions. Pruning executable files means you will have to use that
    same filter, open the archive, either extract the whole thing, delete the
    executables, and repackage the whole thing, or delete the executables in place.
     
    Everyone can split large application files, or can be taught how, and send them
    to be repackaged. Ever wonder how TCP and UDP work?

    --- David J ONEILL <David.J.Oneill@state.or.us> wrote:
    > Gee, why not just block ALL email communication. That would save you
    > some work too.
    >
    > Archive files are a necessary part of communication and very beneficial
    > in saving bandwidth.
    >
    > Let's have a reality check ....
    >
    > David J O'Neill
    > Senior Systems Analyst
    > State of Oregon
    > Department of Human Services
    > Office of Information Services
    > PH# 503.378.2101 ext. 280
    > email david.j.oneill@state.or.us
    >
    > >>> Jonathan Loh <kj6loh@yahoo.com> 03/14/05 02:21PM >>>
    > Ok that's a solution. But what I want to ask you is this. How much overhead
    > does it take to do this? Blocking archive files would be an easier method with
    > little overhead. Possibly with a reply to sender that your site does not
    > accept archive files.
    > --- Kinnell <kinnell.t@gmail.com> wrote:
    > > On the network I'm a member of we block all exe files sent inside the
    > > rar or zip, so even if it is sent the file will be 0byted. Wouldn't
    > > that be a better method? Otherwise if you block all bz2, zip, rar,
    > > etc... then you will block a lot of useful communication
    > >
    > > -Kinnell
    > >
    > > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna@siscocorp.com
    > > <adisegna@siscocorp.com> wrote:
    > > > Sean, I have to disagree with you. Any file that can encapsulate an
    > > > executable file should be blocked (IMO). ZIP files are one of the
    > > > biggest carriers of malicious content these days. I don't make it a
    > > > habit of trusting my users no matter how many times they get trained.
    > > > RAR extraction tools are not part of the software image policy on my
    > > > network so users are oblivious to the file blocking. What is your
    > > > solution?
    > > >
    > > > Thanks
    > > >
    > > > AD
    > > > Information Technology Group
    > > > Security Identification Systems Corporation
    > > >
    > > > -----Original Message-----
    > > > From: Sean Crawford [mailto:sean01@accnet.com.au]
    > > > Sent: Tuesday, March 08, 2005 9:39 PM
    > > > To: security-basics@securityfocus.com
    > > > Subject: RE: 543.rar attachment
    > > >
    > > > ---> -----Original Message-----
    > > > ---> From: adisegna@siscocorp.com [mailto:adisegna@siscocorp.com]
    > > >
    > > > ---> Subject: RE: 543.rar attachment
    > > >
    > > > ---> I just recently got the same executable inside .rar. I extracted the
    > > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
    > > > ---> anything (as of 4 days ago). I wasn't about to double click this exe on
    > > > ---> my corporate network. Block the rar extension on your mail server.
    > > > --->
    > > >
    > > > rar is a valid compression format...blocking it isn't a very good
    > > > solution.
    > > >
    > > > 2 cents.
    > > >
    > > > Sean
    > > >
    > > >
    > >
    >
    >
    >

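
The two approaches contrasted in the message above, as an added example that is not part of the original thread: a filename extension check next to opening the archive and listing the members that would have to be pruned. It uses ZIP because Python's standard library has no RAR reader; the executable extensions other than .exe, the size and depth limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

ARCHIVE_EXTS = {".zip", ".rar", ".bz2"}   # formats named in the thread
EXEC_EXTS = {".exe", ".scr", ".com"}      # assumed list; the thread only names .exe

def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def block_by_extension(filename):
    """Cheap policy: reject any attachment whose name ends in an archive extension."""
    return ext(filename) in ARCHIVE_EXTS

def find_executables(data, depth=0, max_depth=3, max_size=20_000_000):
    """Costly policy: open a ZIP, return members to prune or that cannot be inspected."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]   # fail closed: caller should quarantine
    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.flag_bits & 0x1 or info.file_size > max_size:
            hits.append(info.filename + " (encrypted or oversized)")
            continue
        body = zf.read(info)
        if ext(info.filename) in EXEC_EXTS or body[:2] == b"MZ":
            hits.append(info.filename)    # flagged by name or by DOS/PE magic
        elif zipfile.is_zipfile(io.BytesIO(body)):
            if depth >= max_depth:
                hits.append(info.filename + " (nested too deep)")
            else:
                inner = find_executables(body, depth + 1, max_depth, max_size)
                hits += [info.filename + "/" + h for h in inner]
    return hits

def make_zip(members):   # constructed sample archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
FAKE_EXE = b"MZ" + bytes(62)   # constructed: just the DOS header magic, not a program
if __name__ == "__main__":
    mail = make_zip({"report.txt": b"numbers", "notes.txt": FAKE_EXE,
                     "inner.zip": make_zip({"dddd.exe": FAKE_EXE})})
    print(block_by_extension("543.rar"), find_executables(mail))
```

The content check has to decompress every member and recurse into nested archives, which is the overhead asked about earlier in the thread. Neither check sees a file that arrives split across several messages, which is the limit the message above raises.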

