Best practice

Rick Cooper rcooper at DWFORD.COM
Thu Oct 13 14:03:19 IST 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Rabellino Sergio
> Sent: Thursday, October 13, 2005 4:36 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Best practice
>
>
> Martin Hepworth wrote:
>
> >Hi
> >
> >Double file extensions still catch enough viruses etc for me before the AV
> >people update to it useful..
> >
> >This then becomes an education issue... advise people not to put dots in
> >filenames as many anti-virus gateways will not let them through as they are a
> >potential virus.
> >
> >--
> >Martin Hepworth
> >Snr Systems Administrator
> >Solid State Logic
> >Tel: +44 (0)1865 842300
> >
> >
> >
> How do you feel about mycode.c.old or mydocs.tar.gz, or
> mydata.20051009.txt ???
>
> It's hard to tell anyone that he can't send a project in development to
> someone else because there are double dotted filenames, without concerning
> the real content.
>
> This was the start point for our discussion, then my doubt on that rule.
> Could be a 'better performance' rule, but are there real attacks
> caught ONLY by that rule?
>
> For now I've not found any attacks singularly caught by the double-dot
> rule, but...
>
> --

A lot of this is a policy issue. For instance, if you use .tar.gz files in
your organization then add an allow rule above the double ext deny like
allow \.tar\.gz$, same with other commonly used formats. For instance one
site I handle routinely receives files from Ford Motor Company that end in 5
digits and then xls, so I allow \.\d{5}\.xls$. Well then I start seeing all
kinds of other vendors sending reports and quotes and such with double
extensions so I added the following to my filename rules:

# Allow XLS/DOC/PDF files that do not have an executable second extension
deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.doc$  Attempt to Hide Bad Things With DOC Extension  Attempt to Hide Bad Things With DOC Extension - NO CIGAR!
deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.xls$  Attempt to Hide Bad Things With XLS Extension  Attempt to Hide Bad Things With XLS Extension - NO CIGAR!
deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.pdf$  Attempt to Hide Bad Things With PDF Extension  Attempt to Hide Bad Things With PDF Extension - NO CIGAR!

# Allow multiple extensions on .xls, .doc, .pdf files
allow  \.(doc|xls|pdf)$  Allow xls, doc, pdf outright  Allow xls, doc, pdf outright

This could, of course, be easily extended to include any final extension or
all final extensions such as

deny (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.[^\.]{1,}$

which would deny anything ending in a double extension containing the parenthetic
expressions followed by any other extension. You could easily add more denied types to
the \.exe|\.scr stuff.
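To see how rule order decides the outcome for the filenames debated above (mycode.c.old, mydocs.tar.gz, somefile.xls.exe), here is an added Python evaluator; it is not code from the thread or from MailScanner itself. The rule set, the simplified double-extension pattern and the whitespace-separated field layout are constructed for this example, and it assumes MailScanner's first-match-wins, case-insensitive matching of filename rules.

```python
import re
from typing import List, Tuple

# Constructed rule set in the style of MailScanner's filename.rules.conf
# (columns: action, regex, log text, user report), ordered as the message
# advises: specific allows first, the hidden-executable denies above the
# blanket doc/xls/pdf allow, and a generic double-extension deny last.
# The double-extension pattern is a simplified stand-in, not MailScanner's own.
RULES_TEXT = r"""
allow  \.tar\.gz$                                     Allow tarballs          Allow tarballs
allow  \.\d{5}\.xls$                                  Allow 5-digit XLS       Allow 5-digit XLS
deny   (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.(doc|xls|pdf)$  Hidden executable  NO CIGAR!
allow  \.(doc|xls|pdf)$                               Allow doc/xls/pdf       Allow doc/xls/pdf
deny   \.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$                Double extension        Possible double extension
"""

Rule = Tuple[str, re.Pattern, str]


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines into (action, compiled regex, log text).

    Fields are separated by tabs or runs of two or more spaces, as in the
    conf file; the regex itself must contain no whitespace (true here).
    Assumes matching is case-insensitive, as MailScanner applies its rules.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, regex, logtext, _user = re.split(r"\t+|\s{2,}", line, maxsplit=3)
        rules.append((action.lower(), re.compile(regex, re.IGNORECASE), logtext))
    return rules


def check_filename(name: str, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; an attachment matching no rule is allowed."""
    for action, pattern, logtext in rules:
        if pattern.search(name):
            return action, logtext
    return "allow", "no rule matched"


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for name in ["mydocs.tar.gz", "report.12345.xls", "invoice.exe.xls",
                 "quote.2005.pdf", "somefile.xls.exe", "mycode.c.old"]:
        print(f"{name:20} -> {check_filename(name, RULES)}")
```

Note that mycode.c.old is still denied by the generic rule, which is exactly why each legitimate double-extension format needs its own allow placed above it.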

I really don't think the original double extension problem is an issue
anymore (executing by type and not name from an email) but there are still
issues with extensions like somefile.xls.exe because once saved, a user in
a default Windows configuration will see somefile.xls.

Of course one way to mitigate the double extension issue somewhat is to
disable hiding known file types in the Windows folder views, so
somefile.xls.exe doesn't appear as somefile.xls.

Rick
