[unisog] Dropping executables - who does it?

Eric Rostetter eric.rostetter at physics.utexas.edu
Tue Feb 3 14:26:49 GMT 2004

Quoting Thomas DuVally <tduvally at brown.edu>:

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments all together.

The University of Texas at Austin drops nothing.  Academic Freedom and
all that.  Several departments run their own mail services and may drop
them, but the University doesn't.

In the Physic's department, we don't drop anything.  But things we consider
unlikely to be valid (.pif, .lnk, etc) we "defang" by renaming them to
some unexecutable name and changing the mime type so they can't execute.
We also put in a message about how dangerous it might be to run it, etc.
We deliver them, just renamed/retyped, and with a warning message.
If the user goes through the trouble to save it and rename it and then
run it,  then they deserve to get anything that happens to them. ;)

> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?

Don't know.  But I'd sure rather see them defang them then to drop them.
Or at least to quarantine them with a retrieval process the user can use.
Dropping mail is bad, and *will* interfer with work flow.

> We have a policy to try and deliver as much as possible, but I think we
> are coming up against the practicality of having to protect users.

Look at other ways to protect them such as defanging mail, quarantining
mail, etc.

> Anti-virus companies can create defs pretty fast, but mydoom still
> infected thousands of machines worldwide before they were available.
> Dropping executables (exe, com, pif, scr, bat) would have been better
> insulated us, if not protected (zip).

Yes, but at what price (blocking zip files).  And what about the next
virus that uses .sit/.tar/.rar/arj/etc instead of .zip?  Or uses .dll
or .hlp or .chm or .java or .reg or .cil or, well, you get the idea.

This blocking of attachment types is usually a reactive, not proactive,
and while 90% of what it blocks may be malware, what about that 10% of
legit traffic it blocks?

> Anyone doing that?

No me.

> --
> Thomas J. DuVally
> Lead Systems Prog.
> CIS, Brown Univ.
> GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6

Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!

More information about the unisog mailing list