filename rules questions/suggestions

Bob Jones bob.jones at USG.EDU
Thu Sep 25 19:57:19 IST 2003


Antony Stone wrote:
> On Thursday 25 September 2003 7:25 pm, Bob Jones wrote:
>
> My question in response, however, is: Why bother blocking "hidden" filenames
> at all, unless they're already blocked by the standard filename extension
> rules?
>
> For example:
>
> 1. A file called something.mld.doc should be allowed, because neither .mld
> nor .doc are considered dangerous.   So long as you're also doing anti-virus
> checking, you can be reasonably happy the document doesn't contain a macro
> virus.

Well, the argument that if you're doing anti-virus checking you can be
reasonably happy is also an argument against doing any filename
checking at all.  I think the reason people (including me) do this is
for an added layer of security so that if you happen to be one of the
first places hit with a new virus not yet in your definitions, you will
probably still be safe due to blocking the bad extensions.

> 2. A file called something.doc.exe should be blocked, but I think it should
> be blocked because it ends in .exe (for which there is already a rule), not
> because it ends in .abc.xyz (if you see what I mean).

I agree that, assuming you're doing filename checking, any file
ending in a "bad" extension such as .exe, regardless of what comes
before it, should be blocked.  I believe these types are caught by the
current rules that look like:

deny    \.exe$

> 3. A file called something.exe.doc should (in my opinion) be allowed, because
> Windows is going to interpret it as a Word document, and try to open it using
> Word.   If someone happens to have created a Word document and used .exe as
> part of the filename before the .doc extension, then it's unusual, but it's
> not a problem.   Even if the file really is an executable, then opening it in
> Word isn't going to cause any problems either - it'll just result in rubbish
> characters being shown on the screen, or an error message that Word cannot
> recognise the file format.

I don't remember the exact reason for this blocking rule, but I vaguely
recall something about how some e-mail clients (Outlook maybe?) try to
be "helpful" and drop the extension since you don't need to know what
the file extension is since the client will open it for you with the
correct tool.  Something like this, but not exactly like this.  Can
someone provide the real reason for this blocking?

> Hope this helps you to reconsider whether there's a simpler solution to your
> question?

Well, I'm aware that I could remove that rule and fix this issue.
However, this would eliminate a layer of protection that seems to be
deemed important enough to have.  If someone can convince all of us
that the layer is totally useless, why not just remove that option from the
base MailScanner distro?

Thanks for the feedback,
Bob
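As an added example that is not part of this message or of the MailScanner distribution, the Python script below models how a first-match filename rule list (the `deny \.exe$` style shown above) treats the three filenames discussed in the thread. The rule set, the regex standing in for the "double extension" rule, and the sample attachment names are all assumptions made for the illustration. It also shows the reason such a rule tends to exist: with Windows Explorer's default of hiding known extensions, `something.doc.exe` is displayed as `something.doc`, yet the plain `\.exe$` rule already catches it, while the double-extension rule is what flags `something.exe.doc` and, as the poster found, the legitimate `something.mld.doc` as well.

```python
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    pattern: str  # regex applied to the attachment filename, case-insensitively
    reason: str   # short text a filter would log for the match


# Illustrative rules in the style of MailScanner's filename.rules.conf.
# These are assumed for this example, not copied from the distribution.
# The list is walked top to bottom and the first match decides the result.
BASE_RULES: List[Rule] = [
    Rule("deny",  r"\.exe$",                "executable extension"),
    Rule("deny",  r"\.(scr|pif|com|bat)$",  "executable extension"),
    Rule("deny",  r"\s{10,}",               "run of spaces pushing the real extension out of view"),
    Rule("allow", r".*",                    "no rule objected"),
]

# The contested "hidden filename" rule: two extension-like suffixes in a row.
# Assumed form; it stands in for whatever the real rule in the thread looked like.
HIDDEN_EXT_RULE = Rule("deny", r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", "possible double extension")


def rules_with_hidden_check(enabled: bool) -> List[Rule]:
    """Build the rule list, inserting the double-extension rule ahead of the catch-all allow."""
    if not enabled:
        return list(BASE_RULES)
    return BASE_RULES[:-1] + [HIDDEN_EXT_RULE] + BASE_RULES[-1:]


def classify(filename: str, hidden_check: bool = True) -> Tuple[str, str]:
    """Return (action, reason) for the first rule whose regex matches the filename."""
    for rule in rules_with_hidden_check(hidden_check):
        if re.search(rule.pattern, filename, re.IGNORECASE):
            return rule.action, rule.reason
    raise ValueError("rule set lacks a catch-all entry")


# Constructed sample attachment names covering the cases raised in the thread.
SAMPLES = [
    "something.mld.doc",                # legitimate name with two dotted parts
    "something.doc.exe",                # shown as "something.doc" when Windows hides
                                        # known extensions; still ends in .exe
    "something.exe.doc",                # Word document with an odd middle part
    "Report.DOC.EXE",                   # case must not matter
    "invoice.doc" + " " * 40 + ".exe",  # padding to push ".exe" off screen
    "quarterly.pdf",
]

if __name__ == "__main__":
    for name in SAMPLES:
        with_rule = classify(name, hidden_check=True)
        without = classify(name, hidden_check=False)
        print(f"{name!r:60} with hidden rule: {with_rule}  without: {without}")
```

Running it shows the trade-off the thread is about: dropping the double-extension rule lets `something.mld.doc` and `something.exe.doc` through, but every name that actually ends in `.exe`, including the space-padded one, is still denied by the `\.exe$` rule that precedes it.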


