filename rules questions/suggestions

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Thu Sep 25 20:08:34 IST 2003


On Thursday 25 September 2003 7:57 pm, Bob Jones wrote:

> Antony Stone wrote:
>
> > 1. A file called something.mld.doc should be allowed, because neither
> > .mld nor .doc are considered dangerous.   So long as you're also doing
> > anti-virus checking, you can be reasonably happy the document doesn't
> > contain a macro virus.
>
> Well, with the argument that if you're doing anti-virus checking you can
> be reasonably happy is also an argument against doing any filename
> checking at all.  I think the reason people (including me) do this is
> for an added layer of security so that if you happen to be one of the
> first places hit with a new virus not yet in your definitions, you will
> probably still be safe due to blocking the bad extensions.

Yes, this is a good (and quite a strong) argument.   Until my anti-virus
scanner gets updated with the latest signatures, I am very happy for
MailScanner to block the new virus because it's in a .pif attachment, for
example.   I think I worded what I wanted to say poorly.   I should have put
another 'also' in the second sentence: "So long as you're also doing
anti-virus checking, you can also be reasonably happy the document doesn't
contain a macro virus."

Essentially what I was trying to say is "if you allow something.doc, then you
should allow something.mld.doc".

> > 2. A file called something.doc.exe should be blocked, but I think it
> > should be blocked because it ends in .exe (for which there is already a
> > rule), not because it ends in .abc.xyz (if you see what I mean).
>
> I agree, that assuming you're doing filename checking, that any file
> ending in a "bad" extension such as .exe, regardless of what comes
> before it, should be blocked.  I believe these types are caught by the
> current rules that look like:
>
> deny    \.exe$

Correct.   Those are the rules which I believe are doing the useful work here.

> > 3. A file called something.exe.doc should (in my opinion) be allowed,
> > because Windows is going to interpret it as a Word document, and try to
> > open it using Word.   If someone happens to have created a Word document
> > and used .exe as part of the filename before the .doc extension, then
> > it's unusual, but it's not a problem.   Even if the file really is an
> > executable, then opening it in Word isn't going to cause any problems
> > either - it'll just result in rubbish characters being shown on the
> > screen, or an error message that Word cannot recognise the file format.
>
> I don't remember the exact reason for this blocking rule, but I vaguely
> recall something about how some e-mail clients (Outlook maybe?) try to
> be "helpful" and drop the extension since you don't need to know what
> the file extension is since the client will open it for you with the
> correct tool.  Something like this, but not exactly like this.  Can
> someone provide the real reason for this blocking?

Yes, this is the reason, however what these applications do is to 'drop' the
*last* extension, show the user whatever is left, but if the user
double-clicks on the filename, the application *acts* upon the extension it
didn't show.

Hence if the filename is something.doc.exe, the user might see something.doc
and think "a document - that's okay - I'll open it" and then the application
executes the .exe for them (don't you just love whoever within Microsoft
thought this one up?)

Hence it is still only the *final* extension which is important - whether the
filename is something.abc.exe or something.doc.exe or even something.pif.exe
doesn't matter - they are all dangerous and should be blocked, simply because
they all end in .exe

> > Hope this helps you to reconsider whether there's a simpler solution to
> > your question?
>
> Well, I'm aware that I could remove that rule and fix this issue.
> However, this would eliminate a layer of protection that seems to be
> deemed as important enough to have.  If someone can convince all of us
> that layer is totally useless, why not just remove that option from the
> base MailScanner distro?

I believe the "double extension" rule is neither a layer of protection nor an
important rule to have.   All it does is to stop people sending perfectly
legitimate files to each other such as salesforecast.oct.xls

If anyone else thinks the double extension rule adds something valuable to
the standard "block these final extensions because they're dangerous" rules,
I'd be very interested.

Regards,

Antony.

--

If you think you see a Heffalump in a trap,
make sure it isn't really a Bear with an empty honey jar stuck on his head.
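The discussion above compares two filtering approaches: blocking on the *final* extension (the `deny \.exe$` style rule quoted in the thread) versus a "double extension" rule that fires whenever a filename has two extension-like parts. The following Python evaluator is an added example written for this page; it is not MailScanner's own code and the posters did not supply it. It uses the one rule syntax visible in the thread (`action<whitespace>regex`, first match wins). The `deny \.exe$` line is the only rule taken from the page; the other rule lines, including the double-extension regex, are constructed approximations and not copied from any real `filename.rules.conf`. It also models the "client hides the last extension but acts on it" behaviour Antony describes, so you can see which name the user is shown versus which extension is acted on.

```python
import re

# Rule text in the style shown in the thread: "action<whitespace>regex".
# First matching rule wins; if nothing matches the default is allow.
# Only "deny \.exe$" appears on the page; the remaining lines are constructed
# for this example and are NOT copied from a real MailScanner rules file.
FINAL_EXTENSION_RULES = r"""
deny    \.exe$
deny    \.pif$
deny    \.scr$
deny    \.com$
allow   .*
"""

# Constructed approximation of a "double extension" rule: it fires when the
# last two dot-separated parts both look like short extensions, regardless of
# whether the final one is dangerous. Placed in front of the final-extension
# rules so its collateral effect on legitimate names is visible.
DOUBLE_EXTENSION_RULES = r"""
deny    \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$
""" + FINAL_EXTENSION_RULES


def parse_rules(text):
    """Turn rule text into a list of (action, compiled regex) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        # Filenames arrive in mixed case, so match case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE)))
    return rules


def evaluate(filename, rules):
    """Return 'allow' or 'deny' for filename: first matching rule decides."""
    for action, regex in rules:
        if regex.search(filename):
            return action
    return "allow"


def displayed_name(filename):
    """The name a client that hides the final extension would show the user."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def acted_on_extension(filename):
    """The extension the same client actually acts on when double-clicked."""
    _base, dot, ext = filename.rpartition(".")
    return ("." + ext).lower() if dot else ""


FINAL_RULES = parse_rules(FINAL_EXTENSION_RULES)
DOUBLE_RULES = parse_rules(DOUBLE_EXTENSION_RULES)

if __name__ == "__main__":
    # The filenames discussed in the thread, plus the legitimate spreadsheet.
    samples = [
        "something.mld.doc",
        "something.doc.exe",
        "something.exe.doc",
        "something.pif.exe",
        "salesforecast.oct.xls",
    ]
    for name in samples:
        print(
            f"{name:24} final-ext rules: {evaluate(name, FINAL_RULES):5} "
            f"double-ext rules: {evaluate(name, DOUBLE_RULES):5} "
            f"shown as: {displayed_name(name):18} "
            f"acted on: {acted_on_extension(name)}"
        )
```

Running it shows the point of the thread in one table: every name ending in `.exe` is denied by the final-extension rules alone, `something.exe.doc` and `salesforecast.oct.xls` are allowed by them, and the double-extension rule adds nothing to the `.exe` cases while denying both legitimate files. The `displayed_name` / `acted_on_extension` pair shows why the final extension is the one that matters: `something.doc.exe` is shown as `something.doc` but acted on as `.exe`.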
