[unisog] Dropping executables - who does it?

Jethro R Binks jethro.binks at strath.ac.uk
Mon Feb 2 22:59:38 GMT 2004


On Mon, 2 Feb 2004, Thomas DuVally wrote:

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments all together.
> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?

For over a year now in practice, we have disallowed incoming MS
executables through filename extension blocking in our A/V/etc scanning
framework; since the outbreaks late summer last we have rejected them
outright on being presented to our mail server at the SMTP DATA stage - in
this case they are detected from file content, not filename extension.

> We have a policy to try and deliver as much as possible, but I think we
> are coming up against the practicality of having to protect users.
> Anti-virus companies can create defs pretty fast, but mydoom still
> infected thousands of machines worldwide before they were available.
> Dropping executables (exe, com, pif, scr, bat) would have better
> insulated us, if not protected (zip).

I think the worms of last year really nailed this for us.  Our A/V stuff
was going into overdrive scanning these things, only to find that way way
more than 99.9% of them were viruses.  It just wasn't worth it.

We will accept zips - but the contents of the zips are also scanned for
viruses (executables within zips would be allowed).  If someone really
really wants to send something that is likely to get virus-detected, then
we say to them to send it in a password-protected zip file.

Well, we would say that, if ever they asked.  No-one has actually
complained about not being able to send Windows executables; I think those
who might be doing such a thing probably understand why we do it, and
accept that.  Now of course the next escalation could be that a virus is
mailed around in a password protected zipped attachment, and the message
body says "Open the zip file with the password 'cool tracks'".  If people
are clever enough to know how to do that, and then execute the attachment
they extract from the zip, and yet dumb enough to trust the email won't be
malicious having done so, then there probably is no hope whatsoever...

When Mydoom broke, we blocked most of it through the Windows executable
block.  The ones that got through were the ones in zip attachments, which
our A/V scanner caught once we got the updates (we check for A/V updates
hourly).  It's a hostile world out there, and it is unfortunate that we
have to take these measures; but in our case, it appears no-one here is
unduly inconvenienced.

One disadvantage to our method is that by blocking executables before
further analysis, you don't get to know what virus it was that you
blocked, or even for sure that it was a virus.  So no pretty graphs for
the management :).

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
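The gateway policy the message describes (reject Windows executables at SMTP DATA by content rather than by filename, look inside zips, and let password-protected zips through because their contents cannot be inspected) as an added, self-contained example. This is illustrative code written for this archive page, not the Strathclyde mail system's code; the PE stub, the message builder, the verdict names and the 550 reply text are all assumptions made for the demonstration.

```python
"""Content-based blocking of Windows executables in mail (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions from the quoted post. Used only as a fallback for types that
# have no header to recognise (.bat is plain text, .com is raw code).
BLOCKED_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat")
MEMBER_READ_CAP = 1 << 20  # bytes read per zip member, so a zip bomb stays cheap


def is_pe_executable(data: bytes) -> bool:
    """MZ/PE check by content: DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_blocked_extension(name) -> bool:
    return bool(name) and name.lower().endswith(BLOCKED_EXTENSIONS)


def scan_zip(data: bytes) -> str:
    """Inspect zip members. Encrypted members cannot be read, so they are
    reported as such instead of being silently treated as clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "bad-zip"
    for info in zf.infolist():
        if info.flag_bits & 0x01:  # general-purpose bit 0 = entry is encrypted
            return "zip-encrypted"
        with zf.open(info) as fh:
            head = fh.read(MEMBER_READ_CAP)
        if is_pe_executable(head) or has_blocked_extension(info.filename):
            return "zip-contains-executable"
    return "clean"


def classify_attachment(name, data: bytes) -> str:
    """Content first, so renaming invoice.exe to invoice.pdf does not help."""
    if is_pe_executable(data):
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        return scan_zip(data)
    if has_blocked_extension(name):
        return "blocked-extension"
    return "clean"


def classify_message(raw: bytes) -> list:
    """(filename, verdict) for each attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode(part.get_content_charset() or "utf-8", "replace")
        out.append((part.get_filename(), classify_attachment(part.get_filename(), payload)))
    return out


def smtp_decision(raw: bytes) -> str:
    """Reply at end of DATA. Note that a reject here records only that an
    executable arrived, not which virus it was (the post's 'no graphs' point)."""
    verdicts = {v for _, v in classify_message(raw)}
    if verdicts & {"pe-executable", "blocked-extension", "zip-contains-executable"}:
        return "550 5.7.1 Windows executable attachments are not accepted"
    return "250 OK"


# ---- constructed sample data (not real malware or real mail) ---------------
# Minimal MZ/PE header: 'MZ', e_lfanew = 0x40 at offset 0x3C, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 60


def _zip_with(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every local (offset 6) and central (offset 8)
    header of a stdlib-built zip, to mimic a password-protected archive."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_message(attachments) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.ac.uk", "test"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, atts in [("renamed exe", [("invoice.pdf", FAKE_PE)]),
                        ("exe in zip", [("photos.zip", _zip_with("setup.exe", FAKE_PE))]),
                        ("password zip", [("s.zip", _mark_encrypted(_zip_with("t.exe", FAKE_PE)))]),
                        ("bat by name", [("run.bat", b"@echo off\r\n")]),
                        ("plain text", [("notes.txt", b"hello")])]:
        raw = build_message(atts)
        print(f"{label:13} {classify_message(raw)} -> {smtp_decision(raw)}")
```

The password-protected zip is deliberately accepted: the scanner cannot see inside it, which is exactly the gap the message anticipates, so in practice that verdict is where a gateway would hand over to A/V signatures or to a policy decision rather than to content inspection.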


