[unisog] Dropping executables - who does it?

Richard Gadsden gadsden at musc.edu
Tue Feb 3 14:20:14 GMT 2004


On Mon, 2 Feb 2004, Thomas DuVally wrote:

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments all together. 
> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?
> 
> We have a policy to try and deliver as much as possible, but I think we
> are coming up against the practicality of having to protect users. 
> Anti-virus companies can create defs pretty fast, but mydoom still
> infected thousands of machines worldwide before they were available. 
> Dropping executables (exe, com, pif, scr, bat) would have better
> insulated us, if not protected (zip).
> 
> Anyone doing that?

We don't drop executable attachments, but we do cripple them by renaming
them and changing their mime types. For example, any "clickme.exe"
attachment is renamed to "clickme_exe.xyz" and its mime type is changed to
"application/unknown". If the recipient clicks on one of these renamed
attachments, nothing happens. 

We use RenAttach (http://www.pc-tools.net/unix/renattach/) to accomplish
this. Highly recommended. Note that renaming instead of dropping still
allows the recipient to recover and use the attachment if it is something
that he really did want/need.[1]

We also use MailScanner and our licensed commercial AV product to scan all
incoming and outgoing mail for known malware, but RenAttach is invaluable
as a second line of defense, for precisely the reason you've given: it
addresses the window of vulnerability that exists before the detection
signature for an emerging threat arrives from our AV supplier.

 --- o ---
 Richard Gadsden
 Director of Computer and Network Security
 Medical University of South Carolina

[1] Or if he's just incredibly clueless and persistent enough to save,
rename, and then execute a malicious attachment. Although this is a real
risk, we haven't seen it happen, and for us at least, the benefits of
allowing users to continue to exchange 'legitimate' executable attachments
are perceived to outweigh this residual risk.
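The renaming approach Richard describes above, as an added Python example
(not RenAttach's code and not something posted in this thread): it walks a
MIME message, renames any attachment whose extension is in the list Thomas
gave (exe, com, pif, scr, bat) to the "name_ext.xyz" form, and resets the
part's type to "application/unknown", leaving the bytes intact so a
recipient who really wants the file can recover it. The "_exe.xyz" suffix
and the "application/unknown" type follow Richard's example; the sample
message, its addresses and its base64 payload are constructed for the
demonstration.

```python
"""Neutralise executable e-mail attachments by renaming them and resetting
their MIME type, in the style of the RenAttach approach discussed above.
Added example, not RenAttach's own code.  Uses only the standard library."""
import email

# Extensions treated as executable: the set named in the thread.
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat"}
NEUTRAL_EXTENSION = "xyz"             # replacement suffix, per the post's example
NEUTRAL_TYPE = "application/unknown"  # type a mail client has no handler for

# Constructed sample message: one text part, one .exe attachment, one .pdf.
# The base64 payload decodes to the string "not a real program".
RAW_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see attached.

--BOUNDARY
Content-Type: application/octet-stream; name="clickme.exe"
Content-Disposition: attachment; filename="clickme.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt

--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK

--BOUNDARY--
"""


def neutralised_filename(filename):
    """Return the renamed filename, or None if the extension is not one we
    treat as executable.  'clickme.exe' -> 'clickme_exe.xyz'.  The extension
    match is case-insensitive so 'README.SCR' is caught as well."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTENSIONS:
        return None
    return f"{stem}_{ext.lower()}.{NEUTRAL_EXTENSION}"


def defang_message(msg):
    """Rename executable attachments of an email.message.Message in place.
    Returns a list of (old_name, new_name) pairs for logging."""
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no attachment themselves
        old_name = part.get_filename()
        if not old_name:
            continue                      # inline body text, no filename
        new_name = neutralised_filename(old_name)
        if new_name is None:
            continue                      # not an executable extension
        # Replace the media type but keep the other Content-Type parameters.
        part.set_type(NEUTRAL_TYPE)
        # Rename in both places a client might look for the filename.
        if part.get_param("name") is not None:
            part.set_param("name", new_name)
        if "Content-Disposition" in part:
            part.set_param("filename", new_name, header="Content-Disposition")
        renamed.append((old_name, new_name))
    return renamed


def defang_raw(raw):
    """Parse a raw RFC 822 message, neutralise it, return (message, renamed)."""
    msg = email.message_from_string(raw)
    return msg, defang_message(msg)


def attachment_summary(msg):
    """List (filename, content_type) for every named part, for inspection."""
    return [(p.get_filename(), p.get_content_type())
            for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    message, changes = defang_raw(RAW_MESSAGE)
    for old, new in changes:
        print(f"renamed {old} -> {new}")
    for name, ctype in attachment_summary(message):
        print(f"{name}: {ctype}")
```

Note that, exactly as the quoted message points out for zip, this looks
only at the filename each part advertises; an executable inside an archive
is untouched, which is why the post pairs renaming with a signature-based
scanner rather than relying on it alone.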
