Malware (Was: Re: (no subject))

Craig White craigwhite at azapple.com
Fri Sep 22 07:58:25 MST 2006


It was a reaction a long time ago to the macro viruses that used to
flourish.

For many years now, there are all sorts of tools (I heavily recommend
MailScanner) which employ things such as unrar, unzip and can inspect
files nested in several layers of packaging, and av scanners like clamav
or the commercial products which have the ability to detect things by
pattern matching so there is no need to block the typical document
formats.

One thing not touched upon is bmp and other binary formats that can
contain some run-time execution code that can pack a payload.

Also, embedded java or javascript inside of html mail can be nasty or
lead to nasty web sites.

Where does it end? I think that my clients rely upon me to ensure the
security of their networks which does entail some heavy-handed
approaches and when necessary, I can relax the blocking rule sets to
accommodate some need that they define.

Craig

On Fri, 2006-09-22 at 06:44 -0700, Eric "Shubes" wrote:
> I saw one mail admin that blocked .xls and .doc extensions too. After all, 
> they can contain macros that can cause damage. :( To me, that's excessive. I 
> kind of doubt that you're blocking these extensions, Craig.
> 
> Where does it end?
> 
> Craig White wrote:
> > I've been doing this for a number of years now and I don't recall a
> > single instance when it was necessary for a user to get an attachment
> > that was of a type (exe, com, pif, bat, scr, vbs and there's some more).
> > 
> > In a world where users do what users do, they can't be trusted not to
> > blindly open things.
> > 
> > Yes, Outlook 2K3 and 2K will not allow them to open those files but you
> > can change the security settings to get around that.
> > 
> > Older versions of Outlook, etc. aren't likely to have all of the
> > safeguards in place.
> > 
> > Craig
> > 
> > On Thu, 2006-09-21 at 23:37 -0700, Kevin Brown wrote:
> >> Nothing wrong with an exe getting through.  I, on occasion, send things 
> >> to myself that are small executables (maybe it's a perl script wrapped up 
> >> with par, or a self executing zip file).  Outlook, being the jacked up 
> >> program that it is, just flat out blocks them.
> >>
> >> Blindly blocking all .exe, .zip, .<xxx> attachments is just an idiotic 
> >> knee-jerk reaction.  Much like banning violent video games because a few 
> >> of the millions that play commit an act of excessive violence.
> >>
> >>> I think that if an exe attachment gets through an e-mail system to the
> >>> end user, the battle is already lost. Whether they opened it or not is
> >>> sort of immaterial. Users will do whatever users do.
> >>>> One of my clients got an email to them from them and it had an .exe 
> >>>> attachment.  Fortunately, they called me before opening it.  Same deal, 
> >>>> though.
> >> ---------------------------------------------------
> 
> 
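
The nested-archive inspection described at the top of this message, as an added example that is not part of the original thread and is not MailScanner's or ClamAV's code: it walks zip layers with Python's standard `zipfile` module and applies the extension list quoted above. The depth and size limits, the function names, and the sample data are assumptions made for illustration.

```python
import io
import zipfile

# Extension list from the thread; the two limits are assumed values.
BLOCKED_EXTENSIONS = {"exe", "com", "pif", "bat", "scr", "vbs"}
MAX_DEPTH = 4
MAX_MEMBER_BYTES = 10 * 1024 * 1024

def scan_attachment(filename, data, depth=0, parent=""):
    """Return (path, reason) findings for one attachment, recursing into zips."""
    here = f"{parent}/{filename}" if parent else filename
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append((here, "blocked extension"))
    elif data[:2] == b"MZ":
        # DOS/PE header: an executable renamed to an allowed extension.
        findings.append((here, "executable content under another name"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        # Refuse to keep unpacking; treat unbounded nesting as a finding.
        return findings + [(here, "archive nesting too deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{here}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                findings.append((member, "encrypted member, not inspected"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "member too large, not inspected"))
            else:
                findings += scan_attachment(info.filename, zf.read(info), depth + 1, here)
    return findings

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a blocked type two layers down, plus a renamed executable.
INNER = make_zip({"invoice.scr": b"not a real screensaver"})
SAMPLE = make_zip({"inner.zip": INNER, "notes.txt": b"hello", "photo.bmp": b"MZ\x90\x00"})

if __name__ == "__main__":
    for path, reason in scan_attachment("outer.zip", SAMPLE):
        print(f"{reason}: {path}")
```

Because the scan recurses into the archive rather than rejecting it, a plain document or a zip of documents passes with no findings, while the blocked types are still caught at any layer up to the depth limit.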


