[unisog] Dropping executables - who does it?
flynngn at jmu.edu
Mon Feb 2 23:07:14 GMT 2004
Thomas DuVally wrote:
> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments altogether.
> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?
> We have a policy to try and deliver as much as possible, but I think we
> are coming up against the practicality of having to protect users.
> Anti-virus companies can create defs pretty fast, but mydoom still
> infected thousands of machines worldwide before they were available.
> Dropping executables (exe, com, pif, scr, bat) would have better
> insulated us, if not protected (zip).
> Anyone doing that?
We've dropped stuff like .pif and .scr for years without
problems. We started dropping .exe last spring. I showed a
few people that objected that 98% of thousands of .exe messages
were malicious and that did the trick. A couple hours after
MyDoom, we started dropping .zip although I don't know how long
that is going to last. Mirapoint message filters don't allow
renaming the attachments and don't look in zip files so it's
an all or nothing proposition.
By the way, we submitted an enhancement request on this issue
so if any of you Mirapoint users agree please let Mirapoint
know. Here is what I asked for under PR 23275 in the message
1. Currently, message filters can only remove or pass
attachments. This presents a hardship to users who have a
need for high risk attachments that can't get through filters
that protect the larger population. A nice feature would be
to be able to tell the Mirapoint product to rename such
attachments so that they can be passed but won't autoexecute
if clicked. For example, tell it to rename file.zip to
file.mirapoint or something similar.
2. Mirapoint currently allows prepending text to messages
that have had their attachments removed by a filter.
It would be nice to have the ability to prepend text
for identified attachments that are not removed to alert
the user that a high risk attachment is present while
still allowing it to pass.
3. We currently block a lot of attachment types. However,
zip files may contain any type of attachment. These
internal files are not visible to Mirapoint's filtering
system. It would be nice if Mirapoint looked inside .zip
files for attachment types that are desired to be blocked.
For example, if a .zip file contains a .exe. That would
allow us to pass .zip files that don't contain executables.
I hate to contribute to the demise of the Internet with
ever-increasing restrictions but, unfortunately, the bad
guys are winning and I have "security" in my title.
Security Engineer - Technical Services
James Madison University
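
Item 3 of the request above (passing .zip files unless they contain a blocked type) as an added Python example; it is not part of the original post and is not Mirapoint code. The function names, the fail-closed treatment of nested or unreadable archives, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED = {".exe", ".com", ".pif", ".scr", ".bat"}  # types named in the thread

def ext(name):
    name = (name or "").lower().rstrip(". ")  # "a.exe." still counts as .exe
    return name[name.rfind("."):] if "." in name else ""

def zip_verdict(data):
    """Fail closed: 'drop' on a blocked or nested-archive member, or a bad zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if ext(info.filename) in BLOCKED | {".zip"}:
                    return "drop"
    except zipfile.BadZipFile:
        return "drop"
    return "pass"

def filter_attachments(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext(name) == ".zip":
            verdict = zip_verdict(part.get_payload(decode=True))
        else:
            verdict = "drop" if ext(name) in BLOCKED else "pass"
        results.append((name, verdict))
    return results

def make_zip(names):  # builds a constructed archive in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample data")
    return buf.getvalue()

def build_sample():  # constructed message with three attachments
    msg = EmailMessage()
    msg.set_content("constructed sample message")
    for fname, data in [("docs.zip", make_zip(["notes.txt"])),
                        ("tools.zip", make_zip(["readme.txt", "Setup.EXE"])),
                        ("photo.scr", b"MZ")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling filter_attachments(build_sample()) returns one (filename, verdict) pair per attachment; the check reads only the archive's member names, so it does not detect an executable stored under a harmless extension.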