Question regarding Filename Rules

Matt Kettler mkettler at EVI-INC.COM
Tue Apr 19 16:31:26 IST 2005



Rob Poe wrote:

>I have a client who is requesting that I remove the double extension rule.  They are getting files (jokes, at that!) with .htm.html extensions (along with other things) and they want the double extension rule removed.
>
>I think this is a bad idea; can anyone give me a better argument than "Because I said" to leave it in place?
>
>What are the chances of them being MORE at risk for infection?
>
>

Quite frankly, I've got several exceptions to the double-extension rule
for any "two of same kind" extension cases.

Certainly there's nothing that hides a true file type about .htm.html,
or about .jpg.jpeg, etc.

I've also got allowances for conversion between extensions that are of
the same threat level if I allow said file types, i.e. .doc.rtf. If you
allow .rtf files and .doc files, there's nothing fishy about a
.doc.rtf, other than to imply it was run through a conversion tool. I
liberally allow many extensions MailScanner does not allow by default,
so these are acceptable here if they pass virus scan.

I lean mostly on my 3 virus scanners to pick up viruses, and not on my
filename rules, so my rules are pretty liberal.

A sampling of my rules:

# allow document format conversions. .wps.doc, .wps.rtf, etc
# in these cases the first extension is of the same threat class as the last extension.
# Unless denied outright above, these are no more threatening when doubled.
allow	\.wps\.doc$	-	-
allow	\.wps\.rtf$	-	-
allow	\.xls\.doc$	-	-
allow	\.ppt\.doc$	-	-


# allow 4 letter extensions with equivalent 3 letter ie: file.html.htm
# note: any 3.4 variants are redundant in my case because of the modified double-extension rule
allow	\.html\.htm$	-	-
allow	\.icon\.ico$	-	-
allow	\.conf\.cfg$	-	-
allow	\.mpeg\.mpg$	-	-


Lastly, I've greatly restricted the scope of the original extension
hiding rule, which would never have matched your ".htm.html" in the
first place.

I know of no truly malicious file extensions for windows that are 4
letters in length, which would be useful to hide as some other
extension. Therefore, I require that the last extension be 3 characters,
not 3-4.
I also know of no malicious file extensions containing numbers, so I
require the last extension to be alpha-only.

Finally, there are very few four character extensions worth hiding
behind, so I only check a few common user-recognizable 4-character
extensions for an extension hiding after it.

# Deny all other double file extensions. This catches any hidden filenames.
# MEK - made this a bit less generic. Second extension now must be
# all alpha instead of alphanumeric
# And only certain 4-char extensions are checked for hiding.

# 3.3 extension hiding
deny	\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
# look for 3 character extension hiding behind innocuous 4-character extension. (selective 4.3)
deny	\.text\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.jpeg\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.mpeg\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.pict\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.jiff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.html\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.tiff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.vrml\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.conf\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.diff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.java\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.cert\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.icon\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
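To see how the allow-then-deny ordering above behaves on real attachment names, here is an added Python evaluator (not part of the post and not MailScanner's own code) that walks a constructed subset of the quoted rules. It assumes MailScanner's first-matching-rule-wins semantics and case-insensitive matching; the sample filenames are constructed.

```python
import re

# Constructed subset of the rules quoted in the post, in the order they
# would sit in filename.rules.conf: explicit allows first, denies after.
# Fields: action, regex, log text, text reported to the user ("-" = none).
DENY_LOG = "Found possible filename hiding"
DENY_REPORT = "Attempt to hide real filename extension"
RULES = [
    ("allow", r"\.wps\.doc$", "-", "-"),
    ("allow", r"\.wps\.rtf$", "-", "-"),
    ("allow", r"\.html\.htm$", "-", "-"),
    ("allow", r"\.mpeg\.mpg$", "-", "-"),
    # 3.3 hiding: a 3-char extension followed by a 3-letter one at the end
    ("deny", r"\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$", DENY_LOG, DENY_REPORT),
    # selective 4.3 hiding behind a few recognisable 4-char extensions
    ("deny", r"\.html\s*\.[a-z]{3}$", DENY_LOG, DENY_REPORT),
    ("deny", r"\.jpeg\s*\.[a-z]{3}$", DENY_LOG, DENY_REPORT),
    ("deny", r"\.tiff\s*\.[a-z]{3}$", DENY_LOG, DENY_REPORT),
]


def compile_rules(rules):
    # Assumption: MailScanner applies these patterns case-insensitively.
    return [(a, re.compile(rx, re.IGNORECASE), log, rep) for a, rx, log, rep in rules]


DEFAULT = compile_rules(RULES)

# Alternative to dropping the deny rule outright: put a narrow allow on top,
# so only the one harmless pair the client complained about is exempted.
WITH_HTM_HTML = compile_rules([("allow", r"\.htm\.html$", "-", "-")] + RULES)


def check_filename(name, rules=None):
    """Return (verdict, log_text) for an attachment name.

    Assumption: as in MailScanner, the first rule that matches decides, so an
    'allow' placed above a 'deny' exempts that specific double extension.
    """
    for action, rx, log, _report in (DEFAULT if rules is None else rules):
        if rx.search(name):
            return action, log
    return "nomatch", "-"


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    for n in ["joke.htm.html", "photo.jpg.exe", "photo.jpg   .exe",
              "report.html.exe", "letter.wps.doc", "notes.txt", "PHOTO.JPG.EXE"]:
        print(f"{n:18} {check_filename(n)}")
```

Note that "joke.htm.html" falls through every rule because the 3.3 pattern insists on a 3-letter final extension, while "report.html.exe" is only caught by the selective 4.3 rule, which is exactly why those extra deny lines exist.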
