cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18406
Views
0
Helpful
13
Replies

What extensions do you block and how?

MikeK_ironport
Level 1
Level 1

I am interested in seeing what extensions everyone is blocking and how you are blocking them.

We are currently blocking:
*.vbs, *.doc.pif, *.shs, *.scr, *.dll, *.txt.exe, *.pif, *.doc.exe

We are in the process of getting business approval to block:
*.rar, *.com, *.bat, *.chm

Notice *.exe is NOT on this list. The problem is a lot of our users use self extracting ZIP files. Also, we allow anything inside a ZIP file through. So if a *.dll is in a ZIP file it will go through.

What extentions are other people blocking? Are you blocking EXE's?

Are you using Message Filters, Content Filters to block your attachments?

Are you blocking by attachment name (ie *.dll) or by fingerprint?

Also I would like to create a regex that blocks any double extension type, but am not sure if it will work. For example, *.doc.exe.

Thanks,
Mike

13 Replies 13

shannon.hagan
Level 1
Level 1

You probably want to do it in policy config and not message filters. Reason being if you notify the sender or recipient, you don't want to do it if a mass mailing virus is involved.

Virus Outbreak Filters might be a better way of handling the extensions you are referring to. The messages get quarantined (allowing for virus pattern updates) for a period of time then released to the virus checker.

Also, if you are blocking by attachments by name or type, you should do a scanconfig and tell it how many levels to go. By default, I believe it is 5 levels so if you block *.exe and it is in a zip file, the zip will get blocked by the default configuration.

I use the following filter, which redirects messages with potentially unsafe attachments to a special mailbox, where they can be retrieved if absolutely necessary.

attachment-filter: if (recv-listener == "InboundMail") AND (attachment-filename
==
"(?i)\\.(386|exe|ad|ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh)$") {
alt-rcpt-to ("attachmentfilter@mydomain.com");
deliver();
}


Mike

ian_ironport
Level 1
Level 1

We block
cer;ade;adp;bas;bat;chm;cmd;com;cpl;crt;exe;hlp;hta;inf;ins;isp;lnk;mdb;mde;msc;msi;msp;mst;pcd;reg;scr;url;sys;drv;arj;tar;

But we do it in the Exchange backend as we want to allow zipped files to contain these. From what I've tried, if I set up attachment blocking on the Ironport it won't allow zip files through with any of these file types included.

Now if Ironport had the option to "allow zip's" we'd move this attachment blocking to the Ironport and strip them out before virus scanning.

Erich_ironport
Level 1
Level 1

Did anyone notice that IronPort matches attachments when using the attachment_filename filter rule even when the attachment is inside a password protected .zip file.

I know IronPort didn't used to do this match inside password protected .zip file, does anyone know when this started?

We drop on a long list like shown above, using message filters, not content filters.

Erich

MikeK_ironport
Level 1
Level 1

The ironports will allow you to block by extension and allow that extension in a zip file. We are accomplishing this by running "scanconfig" and setting the depth to 0.

The Scanconfig command only applies to how Ironport handles filters... it has nothing to do with antivirus, so AV will still unzip your zip files to be scanned.

Also, the reason I think that ironport blocks within password protected zip files is because with version 9.0 of Winzip, you can open zip files without the password. You only need the password on extraction... so if you are matching on file pattern (ex: *.exe) it will see those patterns inside the zip and drop them.

We block 
cer;ade;adp;bas;bat;chm;cmd;com;cpl;crt;exe;hlp;hta;inf;ins;isp;lnk;mdb;mde;msc;msi;msp;mst;pcd;reg;scr;url;sys;drv;arj;tar;

But we do it in the Exchange backend as we want to allow zipped files to contain these. From what I've tried, if I set up attachment blocking on the Ironport it won't allow zip files through with any of these file types included.

Now if Ironport had the option to "allow zip's" we'd move this attachment blocking to the Ironport and strip them out before virus scanning.

Mr.X_ironport
Level 1
Level 1

We block the following:

.ade Access Project Extension (Microsoft)
.adp Access Project (Microsoft)
.app Executable Application
.asp Active Server Page
.bas BASIC Source Code
.bat Batch Processing
.cer Internet Security Certificate File
.chm Compiled HTML Help
.cmd DOS CP/M Command File, Command File for Windows NT
.com Command
.cpl Windows Control Panel Extension (Microsoft)
.crt Certificate File
.csh csh Script
.exe Executable File
.fxp FoxPro Compiled Source (Microsoft)
.hlp Windows Help File
.hta Hypertext Application
.inf Information or Setup File
.ins IIS Internet Communications Settings (Microsoft)
.isp IIS Internet Service Provider Settings (Microsoft)
.its Internet Document Set, Internation Translation
.js JavaScript Source Code
.jse JScript Encoded Script File
.ksh UNIX Shell Script
.lnk Windows Shortcut File
.mad Access Module Shortcut (Microsoft)
.maf Access (Microsoft)
.mag Access Diagram Shortcut (Microsoft)
.mam Access Macro Shortcut (Microsoft)
.maq Access Query Shortcut (Microsoft)
.mar Access Report Shortcut (Microsoft)
.mas Access Stored Procedures (Microsoft)
.mat Access Table Shortcut (Microsoft)
.mau Media Attachment Unit
.mav Access View Shortcut (Microsoft)
.maw Access Data Access Page (Microsoft)
.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb Access Application (Microsoft), MDB Access Database (Microsoft)
.mde Access MDE Database File (Microsoft)
.mdt Access Add-in Data (Microsoft)
.mdw Access Workgroup Information (Microsoft)
.mdz Access Wizard Template (Microsoft)
.msc Microsoft Management Console Snap-in Control File (Microsoft)
.msi Windows Installer File (Microsoft)
.msp Windows Installer Patch
.mst Windows SDK Setup Transform Script
.ops Office Profile Settings File
.pcd Visual Test (Microsoft)
.pif Windows Program Information File (Microsoft)
.prf Windows System File
.prg Program File
.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg Registration Information/Key for W95/98, Registry Data File
.scf Windows Explorer Command
.scr Windows Screen Saver
.sct Windows Script Component, Foxpro Screen (Microsoft)
.shb Windows Shortcut into a Document
.shs Shell Scrap Object File
.tmp Temporary File/Folder
.url Internet Location
.vb VBScript File or Any VisualBasic Source
.vbe VBScript Encoded Script File
.vbs VBScript Script File, Visual Basic for Applications Script
.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)
.vss Visio Stencil (Microsoft)
.vst Visio Template (Microsoft)
.vsw Visio Workspace File (Microsoft)
.ws Windows Script File
.wsc Windows Script Component
.wsf Windows Script File
.wsh Windows Script Host Settings File

shannon.hagan
Level 1
Level 1

Well, having seen Mr.X's list, I guess I should feel better about what my company blocks.

Erich_ironport
Level 1
Level 1

Like my company Mr. X gets most of his list from the defaults in Outlook 2003.

http://office.microsoft.com/en-us/assistance/HA011402971033.aspx

shannon.hagan
Level 1
Level 1

But those aren't the files I worry about as outlook theoretically won't auto open them anymore.

MikeK_ironport
Level 1
Level 1

The problem we run into is what do you do when there is a legitimate business need for one of these blocked attachments. Do you just let them through or do you filter them somehow?

KalleNorlund
Level 1
Level 1

In AsyncOS 5.5.1 its no longer possible to set depth=0 in scanconfig
How can I now allow .ZIP but drop executable filetypes?

Is there a way I could filter file type in .zip in AsyncOS 5.5.1?

Thanks.

Ronan O Connor
Level 1
Level 1

We block:
.cmd, .ade, .adp, .bas, .bat, .chm, .com, .cpl, .crt, .asf, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .wmv, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .shb, .url, .vb, .vbe, .wsc, .wsf, .wsh, .MIDI, .MPEG3, .MP3, .mpe, .mpg, .MPEG, .AIF, .VOL, .AU, .WAV, .RM, .GM, .AVI, .mp4.

Some from a security point of view some from a bandwidth point of view.