Question regarding Filename Rules
Alex Neuman van der Hans
alex at nkpanama.com
Tue Apr 19 16:34:52 IST 2005
Excellent points...
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Matt Kettler
Sent: Tuesday, April 19, 2005 10:31 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Question regarding Filename Rules
Rob Poe wrote:
>I have a client who is requesting that I remove the double extension rule.
>They are getting files (jokes, at that!) with .htm.html extensions (along
>with other things) and they want the double extension rule removed.
>
>I think this is a bad idea, can anyone give me a better argument than
>"Because I said" to leave it in place?
>
>What are the chances of them being MORE at risk for infection?
>
Quite frankly, I've got several exceptions to the double-extension rule for
any "two of same kind" extension cases.
Certainly there's nothing that hides a true file type about .htm.html, or
about .jpg.jpeg, etc.
I've also got allowances for conversion between extensions that are of the
same threat level if I allow said file types, i.e.: .doc.rtf. If you allow
.rtf files and .doc files, there's nothing fishy about a .doc.rtf, other
than to imply it was run through a conversion tool. I liberally allow many
extensions MailScanner does not allow by default, so these are acceptable
here if they pass virus scan.
I lean mostly on my 3 virus scanners to pick up viruses, and not on my
filename rules, so my rules are pretty liberal.
A sampling of my rules:
# allow document format conversions. .wps.doc, .wps.rtf, etc
# in these cases the first extension is of the same threat class as the last extension.
# Unless denied outright above, these are no more threatening when doubled.
allow   \.wps\.doc$   -   -
allow   \.wps\.rtf$   -   -
allow   \.xls\.doc$   -   -
allow   \.ppt\.doc$   -   -
# allow 4 letter extensions with equivalent 3 letter, i.e. file.html.htm
# note: any 3.4 variants are redundant in my case because of the modified
# double-extension rule
allow   \.html\.htm$   -   -
allow   \.icon\.ico$   -   -
allow   \.conf\.cfg$   -   -
allow   \.mpeg\.mpg$   -   -
Lastly, I've greatly restricted the scope of the original extension hiding
rule, which would never have matched your ".htm.html" in the first place.
I know of no truly malicious file extensions for windows that are 4 letters
in length, which would be useful to hide as some other extension. Therefore,
I require that the last extension be 3 characters, not 3-4.
I also know of no malicious file extensions containing numbers, so I require
the last extension to be alpha-only.
Finally, there are very few four character extensions worth hiding behind,
so I only check a few common user-recognizable 4-character extensions for an
extension hiding after it.
# Deny all other double file extensions. This catches any hidden filenames.
# MEK - made this a bit less generic. Second extension now must be
# all alpha instead of alphanumeric
# And only certain 4-char extensions are checked for hiding.
# 3.3 extension hiding
deny   \.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
# look for 3 character extension hiding behind innocuous 4-character
# extension. (selective 4.3)
deny   \.text\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.jpeg\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.mpeg\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.pict\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.jiff\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.html\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.tiff\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.vrml\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.conf\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.diff\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.java\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.cert\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
deny   \.icon\s*\.[a-z]{3}$   Found possible filename hiding   Attempt to hide real filename extension
------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
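As an added illustration (this is not code from the post or from MailScanner itself), here is a small Python evaluator that applies Matt's quoted allow/deny rules in order, first match wins, to a constructed set of attachment names. It assumes MailScanner matches filename rules case-insensitively and allows a name that matches no rule; it shows why ".htm.html" and ".jpg.jpeg" pass while ".txt.exe" and ".jpeg.exe" are caught.

```python
import re

# Rule set constructed for this example from the allow/deny lines quoted in the
# post (action, regex). The log-text and user-report fields are omitted here.
INNOCUOUS_4CHAR = ("text", "jpeg", "mpeg", "pict", "jiff", "html", "tiff",
                   "vrml", "conf", "diff", "java", "cert", "icon")
RULES = [
    # document format conversions: first extension same threat class as last
    ("allow", r"\.wps\.doc$"), ("allow", r"\.wps\.rtf$"),
    ("allow", r"\.xls\.doc$"), ("allow", r"\.ppt\.doc$"),
    # 4-letter extension followed by its 3-letter equivalent
    ("allow", r"\.html\.htm$"), ("allow", r"\.icon\.ico$"),
    ("allow", r"\.conf\.cfg$"), ("allow", r"\.mpeg\.mpg$"),
    # 3.3 extension hiding: last extension must be exactly three letters
    ("deny", r"\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$"),
] + [
    # selective 4.3 hiding behind a common, user-recognisable 4-char extension
    ("deny", r"\.%s\s*\.[a-z]{3}$" % ext) for ext in INNOCUOUS_4CHAR
]

def evaluate(filename, rules=RULES):
    """Return (action, matched_regex). The first matching rule wins, as in
    MailScanner's filename.rules.conf. Assumptions: matching is
    case-insensitive and a name that matches no rule is allowed."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, pattern
    return "allow", None

# Constructed sample attachment names covering the cases discussed in the thread.
SAMPLES = [
    "joke.htm.html",      # Rob's case: hides nothing, no rule fires -> allowed
    "picture.jpg.jpeg",   # same-kind pair, last extension is 4 chars -> allowed
    "notes.html.htm",     # explicit allow for 4-then-3 equivalents
    "report.wps.doc",     # conversion pair of equal threat class -> allowed
    "invoice.txt.exe",    # classic 3.3 hiding -> denied by the generic rule
    "readme.txt  .exe",   # whitespace padding is absorbed by \s* -> denied
    "photo.jpeg.exe",     # 3.3 rule misses (jpeg is 4 chars); selective 4.3 catches it
]

if __name__ == "__main__":
    for name in SAMPLES:
        action, pattern = evaluate(name)
        print(f"{name:20s} {action:5s} {pattern or '(no rule matched, default)'}")
```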