[unisog] Dropping executables - who does it?

Gary Flynn flynngn at jmu.edu
Mon Feb 2 23:07:14 GMT 2004



Thomas DuVally wrote:

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments altogether.
> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?
> 
> We have a policy to try and deliver as much as possible, but I think we
> are coming up against the practicality of having to protect users. 
> Anti-virus companies can create defs pretty fast, but mydoom still
> infected thousands of machines worldwide before they were available. 
> Dropping executables (exe, com, pif, scr, bat) would have better
> insulated us, if not protected (zip).
> 
> Anyone doing that?

We've dropped stuff like .pif and .scr for years without
problems. We started dropping .exe last spring. I showed a
few people that objected that 98% of thousands of .exe messages
were malicious and that did the trick. A couple hours after
MyDoom, we started dropping .zip although I don't know how long
that is going to last. Mirapoint message filters don't allow
renaming the attachments and don't look in zip files so it's
an all or nothing proposition.

By the way, we submitted an enhancement request on this issue
so if any of you Mirapoint users agree please let Mirapoint
know. Here is what I asked for under PR 23275 in the message
scanning category:

1. Currently, message filters can only remove or pass
    attachments. This presents a hardship to users who have a
    need for high risk attachments that can't get through filters
    that protect the larger population. A nice feature would be
    to be able to tell the Mirapoint product to rename such
    attachments so that they can be passed but won't autoexecute
    if clicked. For example, tell it to rename file.zip to
    file.mirapoint or something similar.

2. Mirapoint currently allows prepending text to messages
    that have had their attachments removed by a filter.
    It would be nice to have the ability to prepend text
    for identified attachments that are not removed to alert
    the user that a high risk attachment is present while
    still allowing it to pass.

3. We currently block a lot of attachment types. However,
    zip files may contain any type of attachment. These
    internal files are not visible to Mirapoint's filtering
    system. It would be nice if Mirapoint looked inside .zip
    files for attachment types that are desired to be blocked.
    For example, if a .zip file contains a .exe. That would
    allow us to pass .zip files that don't contain executables.


I hate to contribute to the demise of the Internet with
ever-increasing restrictions but, unfortunately, the bad
guys are winning and I have "security" in my title.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
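
Items 1 and 3 of the enhancement request above, sketched as an added example that is not part of the original post and is not Mirapoint code: a gateway-side filter that drops blocked types, looks inside .zip attachments by member name, and renames what it cannot clear. The function names, the `.renamed` suffix and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

BLOCKED = {".exe", ".com", ".pif", ".scr", ".bat"}  # types named in the thread

def ext(name):
    """Lower-cased last extension; trailing dots and spaces are ignored."""
    name = name.lower().rstrip(". ")
    return name[name.rfind("."):] if "." in name else ""

def decide(filename, data):
    """Return 'drop', 'rename' or 'pass' for one attachment."""
    kind = ext(filename)
    if kind != ".zip":
        return "drop" if kind in BLOCKED else "pass"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [ext(n) for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "rename"  # cannot inspect it: deliver, but defanged
    if any(m in BLOCKED for m in members):
        return "drop"    # item 3: blocked type inside the archive
    return "rename" if ".zip" in members else "pass"  # nested zip not opened

def apply_policy(msg):
    """Filter msg in place; return [(original filename, action), ...]."""
    log = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or ""
        action = decide(name, part.get_payload(decode=True) or b"")
        if action == "drop":
            msg.get_payload().remove(part)
        elif action == "rename":  # item 1; ".renamed" is an assumed suffix
            part.set_param("filename", name + ".renamed", header="Content-Disposition", replace=True)
        log.append((name, action))
    return log

def sample_message():  # constructed test input, not real mail
    def zipped(member):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, b"constructed")
        return buf.getvalue()
    msg = EmailMessage()
    msg.set_content("constructed body")
    for name, data in [("notes.txt", b"hi"), ("card.SCR", b"x"), ("docs.zip", zipped("readme.txt")),
                       ("photo.zip", zipped("photo.exe")), ("outer.zip", zipped("inner.zip"))]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

The check matches on member names only, so it says nothing about file contents, and an archive that cannot be read is renamed rather than passed.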



