Suggested addition to default filename and filetype rules

James Gray james_gray at OCS.COM
Thu Sep 9 13:08:01 IST 2004


On Thu, 9 Sep 2004 08:29 pm, Julian Field wrote:
> At 08:18 09/09/2004, you wrote:
> >On Thu, 9 Sep 2004, James Gray wrote:
> >>Maybe it's just our site, but was there a reason Windows Media files were
> >>left out when Quicktime/MPEG/etc were included for denial?
> >>
> >>For the archives, here's what we have in our (modified) rules:
> >>
> >><<< filename.rules.conf >>>
> >># Deny Windows Media etc
> >>deny  \.wm[adsvz]   Windows Media Format    We don't allow Windows Media Files
> >>deny  \.w[av]x      Windows Media Format    No Windows media metafile links
> >>deny  \.as[fx]      Windows Media Format    We don't allow Windows Media Files
> >>
> >><<< filetype.rules.conf >>>
> >>deny  ASF           No Windows Media        No Windows Media files allowed
>
> I have added the filetype.rules.conf one, but not the filename.rules.conf
> ones. I don't want my standard ruleset to be too restrictive. Only a very
> small percentage of you ever edit the files at all, and I don't want to
> annoy everybody more than I have to.
> Do we really need to ban all media files at all? Banning the movies is
> probably good as they tend to be huge and illegal/worthless. But all the
> audio files as well?
>
> Also, does anyone know of any attacks done involving media metafile links?
> Hopefully these are small and harmless.
> --
> Julian Field

We block all media files (audio/video) mainly due to the many security holes
in Windows and as a secondary reason, the acceptable use policy.  I'm not
aware of any "in the wild" attacks using metafile links, but given
Microsoft's track record with their "zone aware" components (IE, Outlook, OE,
Windows Media Player etc), we don't take chances either.  Every other day
someone posts sample exploit code to break the zone-based security features
in Windows to Bugtraq! It really is like shooting fish in a barrel :P

I agree with your sentiments though; best not to make things too restrictive
by default.  At least my original message will be in the archives for anyone
who wants to know to lock things down tighter than the default.

FWIW, the string "ASF" only occurs once in all the magic files I've parsed
(Solaris 9, FreeBSD and Linux) and in all cases specifically identifies
Windows Media - I doubt it would score any false positives from the filetype
rules using that string.

Regards,

James

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
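
Added example, not part of the original thread or of MailScanner's own code: a small harness that runs the three filename.rules.conf patterns quoted above against constructed attachment names, next to the same patterns anchored with a trailing "$". It assumes tab-separated fields, an unanchored case-insensitive regex search, and first-match-wins evaluation; the helper names parse_rules, verdict and compare are hypothetical.

```python
import re

# Constructed rule lines in the four-field layout from the message
# (action, regex, log text, user text). Tab separation is an assumption.
POSTED = (
    "deny\t\\.wm[adsvz]\tWindows Media Format\tWe don't allow Windows Media Files\n"
    "deny\t\\.w[av]x\tWindows Media Format\tNo Windows media metafile links\n"
    "deny\t\\.as[fx]\tWindows Media Format\tWe don't allow Windows Media Files\n"
)

def parse_rules(text, anchor=False):
    """Parse rule lines into (action, compiled regex, log text, user text)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        action, pattern, log_text, user_text = line.split("\t")
        if anchor and not pattern.endswith("$"):
            pattern += "$"  # match only at the end of the filename
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules

def verdict(filename, rules):
    """Return the action of the first matching rule, or 'allow' if none match."""
    for action, regex, _log, _user in rules:
        if regex.search(filename):
            return action
    return "allow"

# Constructed attachment names, including two that only resemble media extensions.
SAMPLES = ["clip.wmv", "SONG.WMA", "playlist.wax", "stream.asx",
           "notes.wmdraft.txt", "meeting.asfaltplan.pdf", "report.pdf"]

def compare(samples=SAMPLES):
    """Map each name to (verdict with posted rules, verdict with anchored rules)."""
    loose, strict = parse_rules(POSTED), parse_rules(POSTED, anchor=True)
    return {name: (verdict(name, loose), verdict(name, strict)) for name in samples}

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:24} unanchored={loose:5} anchored={strict}")
```

Under those assumptions the patterns as posted also deny names such as notes.wmdraft.txt, where the extension-like text sits mid-name; the anchored variants deny only names that end in the media extension.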


