banned files.

Mauro Sanna
I'm using postfix+amavisd-new+clamav on a Debian etch system.
Here are some settings for the banned files:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

All exe files are banned.
The problem is that users want to send exe files but they can't, even if
they zip the files.
For my security I prefer to ban exe files.
What's your opinion?
What's your policy about that?

Re: banned files.

Mark Watts

On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:

> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
> Here are some settings for the banned files:
> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>
> All exe files are banned.
> The problem is that users want to send exe files but they can't, even if
> they zip the files.
> For my security I prefer to ban exe files.
> What's your opinion?
> What's you policy about that?
Larger organisations may require users to sign an Acceptable Use Policy before
they can use any corporate systems, including email.
Within that document may be a list (or a URL) of the current list of banned
attachments.
Once a user has signed said AUP then you have something to wave at them if
they do try and send said attachments.

However, there are times when .exe files need to be emailed (self-extracting
encrypted executables comes to mind) and so you may need to permit users to
send such attachments.

@banned_files_lovers_maps may help you here.

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg


Re: banned files.

Henrik K
On Thu, Jun 05, 2008 at 09:50:05AM +0100, Mark Watts wrote:

>
> On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
> > I'm usingf postfix+amavisd-new+clamav in a debian etch system.
> > Here are some settings for the banned files:
> > qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
> >
> > All exe files are banned.
> > The problem is that users want to send exe files but they can't, even if
> > they zip the files.
> > For my security I prefer to ban exe files.
> > What's your opinion?
> > What's you policy about that?
>
> Larger organisations may require users to sign an Acceptable Use Policy before
> they can use any corporate systems, including email.
> Within that document may be a list (or a URL) of the current list of banned
> attachments.
> Once a user has signed said AUP then you have something to wave at them if
> they do try and send said attachments.
>
> However, there are times when .exe files need to be emailed (self-extracting
> encrypted executables comes to mind) and so you may need to permit users to
> send such attachments.

I don't see any reason to ban outgoing files, unless you have a very mixed
environment with no security on the PCs at all. It should be enough to just scan
outgoing mail for viruses; you will get notified if bad files appear.

Re: banned files.

mouss-2
Henrik K wrote:

> On Thu, Jun 05, 2008 at 09:50:05AM +0100, Mark Watts wrote:
>  
>> On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
>>    
>>> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
>>> Here are some settings for the banned files:
>>> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>>>
>>> All exe files are banned.
>>> The problem is that users want to send exe files but they can't, even if
>>> they zip the files.
>>> For my security I prefer to ban exe files.
>>> What's your opinion?
>>> What's you policy about that?
>>>      
>> Larger organisations may require users to sign an Acceptable Use Policy before
>> they can use any corporate systems, including email.
>> Within that document may be a list (or a URL) of the current list of banned
>> attachments.
>> Once a user has signed said AUP then you have something to wave at them if
>> they do try and send said attachments.
>>
>> However, there are times when .exe files need to be emailed (self-extracting
>> encrypted executables comes to mind) and so you may need to permit users to
>> send such attachments.
>>    
>
> I don't see reason to ban any outgoing files, unless you have very mixed
> environment with no security on PCs at all.

Some sites will reject the message and you'll earn a bad reputation
(AFAIK, gmail rejects .exe inside zips).

> It should be enough to just scan
> outgoing for viruses, you will get notified if some bad files appear.
>  

while scanning is recommended, it is not sufficient. not all malware is
detected.

Re: banned files.

Henrik K
On Thu, Jun 05, 2008 at 11:09:50AM +0200, mouss wrote:

> Henrik K wrote:
>> On Thu, Jun 05, 2008 at 09:50:05AM +0100, Mark Watts wrote:
>>  
>>> On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
>>>    
>>>> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
>>>> Here are some settings for the banned files:
>>>> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>>>>
>>>> All exe files are banned.
>>>> The problem is that users want to send exe files but they can't, even if
>>>> they zip the files.
>>>> For my security I prefer to ban exe files.
>>>> What's your opinion?
>>>> What's you policy about that?
>>>>      
>>> Larger organisations may require users to sign an Acceptable Use
>>> Policy before they can use any corporate systems, including email.
>>> Within that document may be a list (or a URL) of the current list of
>>> banned attachments.
>>> Once a user has signed said AUP then you have something to wave at
>>> them if they do try and send said attachments.
>>>
>>> However, there are times when .exe files need to be emailed
>>> (self-extracting encrypted executables comes to mind) and so you may
>>> need to permit users to send such attachments.
>>>    
>>
>> I don't see reason to ban any outgoing files, unless you have very mixed
>> environment with no security on PCs at all.
>
> Some sites will reject the message and you'll earn a bad reputation  
> (AFAIK, gmail rejects .exe inside zips).

I'd rather take the chance that it gets through to most places, instead of
listening to endless complaints from users or setting up elaborate
tunnels for passing (small) files. There are many bats and exes sent by
coders etc.

>> It should be enough to just scan
>> outgoing for viruses, you will get notified if some bad files appear.
>>  
>
> while scanning is recommended, it is not sufficient. not all malware is  
> detected.

If it isn't detected on the receiving end either, doesn't matter then. ;)

Of course there is no single right way; you weigh the pros and cons. For
us, no single case of "bad reputation" or anything else has resulted from this in
years.

Re: banned files.

Michael Monnerie-4
On Donnerstag, 5. Juni 2008 Henrik K wrote:
> I rather take the chance that it does get through to most places,
> instead of listening to endless complains from users or setting up
> some elaborate tunnels for passing (small) files. There are many bats
> and exes sent from coders etc.

We block .exe and a LOT of other bad Windows extensions, and only allow
them within a .zip that has a password. That way, even the dumbest user
must enter a password to extract such stuff, and there is no more excuse
when they still get a virus via mail. We use that for our customers too;
no complaints about it, just sometimes a question why it was blocked and
how to solve it. No problem.

mfg zmi
--
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4

Re: banned files.

Gerard Seibert-5
In reply to this post by mouss-2
On Thu, 05 Jun 2008 11:09:50 +0200
mouss <[hidden email]> wrote:

> Henrik K wrote:
> > On Thu, Jun 05, 2008 at 09:50:05AM +0100, Mark Watts wrote:
> >  
> >> On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
> >>    
> >>> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
> >>> Here are some settings for the banned files:
> >>> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension -
> >>> basic
> >>>
> >>> All exe files are banned.
> >>> The problem is that users want to send exe files but they can't,
> >>> even if they zip the files.
> >>> For my security I prefer to ban exe files.
> >>> What's your opinion?
> >>> What's you policy about that?
A 'scorched earth' policy seems a little extreme. All mail is
scanned upon receipt here. There have not been any problems with rogue
'exe' files.
 

> >> Larger organisations may require users to sign an Acceptable Use
> >> Policy before they can use any corporate systems, including email.
> >> Within that document may be a list (or a URL) of the current list
> >> of banned attachments.
> >> Once a user has signed said AUP then you have something to wave at
> >> them if they do try and send said attachments.
> >>
> >> However, there are times when .exe files need to be emailed
> >> (self-extracting encrypted executables comes to mind) and so you
> >> may need to permit users to send such attachments.
> >>    
> >
> > I don't see reason to ban any outgoing files, unless you have very
> > mixed environment with no security on PCs at all.
>
> Some sites will reject the message and you'll earn a bad reputation
> (AFAIK, gmail rejects .exe inside zips).
I have managed to send encrypted ZIP files with 'exe' files embedded
and have escaped GMail's Gestapo tactics. That was a while ago, however.
 
> > It should be enough to just scan
> > outgoing for viruses, you will get notified if some bad files
> > appear.
>
> while scanning is recommended, it is not sufficient. not all malware
> is detected.

Conversely, not all mail marked as 'malware' actually is. There does
not exist any perfect detection system.

--
Gerard

My only love sprung from my only hate!
Too early seen unknown, and known too late!

        William Shakespeare, "Romeo and Juliet"

Re: banned files.

Saša Babić
In reply to this post by Mark Watts
On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
>> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
>> Here are some settings for the banned files:
>> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>>
>> All exe files are banned.
>> The problem is that users want to send exe files but they can't, even if
>> they zip the files.

As has been said, some systems stop .exe regardless.

That being said, you can ban the files in mime_header_checks. It
doesn't stop zipped files, since it doesn't unzip the files before
evaluation, but it does stop the .exe file extension.

/etc/postfix/main.cf:
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

/etc/postfix/mime_header_checks.pcre:
# End-of-name test is a lookahead, not \b: \b never matches after the closing "}"
# of a CLSID name (both neighbours are non-word characters), and it also matches
# inside "notes.exe.txt". pcre: tables match case-insensitively by default.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(bat|cmd|exe|pif|sc[rt]|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})(?=["\s;]|$)/
    REJECT ".$2" attachment file type prohibited

Or you might be able to persuade your users into renaming file
extension. :)
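
An added example (not code from the post, and not part of Postfix) that runs the rule above against constructed sample headers in Python, so you can see what the PCRE catches and misses before installing it. Python's re module accepts the pattern unchanged; re.IGNORECASE stands in for Postfix's case-insensitive default on pcre: tables, and Postfix unfolds multi-line headers before header checks run, so each sample is one logical header. Two things in this example are assumptions of mine rather than text from the post: the hardened variant ends the filename with a lookahead instead of \b (a \b after the closing "}" of a CLSID name never matches, since both neighbours are non-word characters, and \b also fires inside "notes.exe.txt"), and it accepts RFC 2231 "filename*=" parameters. The sample headers are constructed, not taken from real mail.

```python
import re

# The mime_header_checks rule from the post, as written (ends in \b).
# Postfix pcre: tables match case-insensitively by default, hence IGNORECASE.
RULE_AS_POSTED = re.compile(
    r'^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.'
    r'(bat|cmd|exe|pif|sc[rt]|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b',
    re.IGNORECASE)

# Hardened variant (assumption of this example, not the post's text):
#  - the name must end at a quote, whitespace, ";" or end of header, so
#    "notes.exe.txt" passes and "x.txt.{CLSID}" is caught;
#  - RFC 2231 parameters (filename*=, filename*0=, filename*0*=) are accepted.
END_OF_NAME = r'(?=["\s;]|$)'
RULE_HARDENED = re.compile(
    r'^Content-(Disposition|Type):\s+.+?(?:file)?name(?:\*\d*\*?)?="?.+?\.'
    r'(bat|cmd|exe|pif|sc[rt]|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})'
    + END_OF_NAME,
    re.IGNORECASE)


def check_mime_header(header: str, rule=RULE_HARDENED):
    """Return the REJECT text Postfix would log for one unfolded header, or None."""
    m = rule.search(header)
    if m is None:
        return None
    # $2 in the Postfix action is the extension group, reproduced here.
    return f'REJECT ".{m.group(2)}" attachment file type prohibited'


# Constructed sample headers (not from any real message).
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="setup.exe"',
    'Content-Type: application/octet-stream; name=Update.EXE',
    'Content-Disposition: attachment; filename="setup.zip"',      # zipped exe: passes
    'Content-Disposition: attachment; filename="notes.exe.txt"',  # \b rejects this
    'Content-Disposition: attachment; '
    'filename="invoice.txt.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}"',  # CLSID extension
    "Content-Disposition: attachment; filename*=UTF-8''setup.exe",  # RFC 2231
]


def compare_rules(headers=SAMPLE_HEADERS):
    """Map each header to (verdict with the rule as posted, verdict with the hardened rule)."""
    return {h: (check_mime_header(h, RULE_AS_POSTED),
                check_mime_header(h, RULE_HARDENED)) for h in headers}


if __name__ == "__main__":
    for header, (posted, hardened) in compare_rules().items():
        print(f"{header}\n   as posted: {posted}\n   hardened:  {hardened}")
```

Both rules let setup.zip through, which is exactly the gap the post describes, and no regex can catch an extension split across RFC 2231 continuation pieces (filename*0=, filename*1=). Decoding the MIME structure and the archive, as amavisd-new does for @banned_filename_maps, is the only way to close those.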

Re: banned files.

Jorey Bump
In reply to this post by Mauro Sanna
Mauro Sanna wrote, at 06/05/2008 04:40 AM:

> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
> Here are some settings for the banned files:  
> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>
> All exe files are banned.
> The problem is that users want to send exe files but they can't, even if
> they zip the files.
> For my security I prefer to ban exe files.
> What's your opinion?
> What's you policy about that?

I ban all exe attachments (and a few other Windows executable
extensions) in header_checks and direct links to similar executables in
body_checks. I also have a rule that rejects attachments with PE headers
to discourage renaming, but it rarely kicks in. My users are aware that
the policy allows no executable attachments. This hasn't caused a
problem for years.

Re: banned files.

Mauro Sanna
> I ban all exe attachments (and a few other Windows executable
> extensions) in header_checks and direct links to similar executables in
> body_checks. I also have a rule that rejects attachments with PE headers
> to discourage renaming, but it rarely kicks in. My users are aware that
> the policy allows no executable attachments. This hasn't caused a
> problem for years.
>
The problem is not internal.
My users don't attach executables when sending to other internal users or to
the internet.
The problem is when someone from the internet wants to send a program, an
executable, and it is necessary to receive it.
If you ban executables, how do you resolve it?
Perhaps using ftp?

RE: banned files.

Peña, Botp
On Behalf Of Mauro Sanna
# The problem is not internal.
# My users don't attach executables when send to others
# internal users to internet.
# The problem is when from internet someone want to send a
# program, an executable, and it is necessary to receive it.
# If you ban executables how you resolve it? Perhaps using ftp?

usually, we ban all executables and we quarantine zipped files.

now on sending exe, we tell the sender to

1 wrap the exe into a zip file
2 rename the zipped file w a name of our choice (ours, not sender's)
3 put a password for the zip file w password of our choice
4 put an email subject w a subject of our choice

#1 will force the email to be in quarantine for further exam/scan
#2,3,4 (plus sender verification) can guarantee that the email is indeed what we want

kind regards -botp
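
Jorey Bump's rule that rejects attachments with PE headers, Michael Monnerie's "only inside a password-protected zip" policy and the quarantine-then-inspect procedure above all come down to looking at attachment content rather than at its name. The following Python is an added example of that inspection (my code, not code from any poster, amavisd-new or Postfix): it checks the MZ/PE signature before the extension, walks zip members the same way, and treats members with the zip encryption flag set as uninspectable, so the archive goes to quarantine (or is allowed, for Michael's policy). The extension list is the one from the amavisd-new rule at the top of the thread; inspect_attachment, is_pe, the 4096-byte sniff limit and the sample files are all constructed here.

```python
import io
import re
import zipfile

# Extension list from the amavisd-new rule quoted at the top of the thread.
BANNED_EXT = re.compile(r'\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)
PE_SNIFF_BYTES = 4096  # read at most this much of a member: no full decompression of zip bombs


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def inspect_attachment(name: str, data: bytes, encrypted_zip_action: str = "QUARANTINE"):
    """Return (verdict, reason); verdict is REJECT, QUARANTINE or ALLOW.

    Content is checked before the name, so renaming tool.exe to tool.txt does
    not help.  Zip members with general-purpose flag bit 0 set are encrypted
    and cannot be inspected, so the whole archive gets encrypted_zip_action."""
    if is_pe(data):
        return "REJECT", f"{name}: PE executable regardless of extension"
    if BANNED_EXT.search(name):
        return "REJECT", f"{name}: banned extension"
    if not data.startswith(b"PK\x03\x04"):
        return "ALLOW", f"{name}: not an archive, no executable signature"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return encrypted_zip_action, f"{name}: member {info.filename} is password-protected"
                if BANNED_EXT.search(info.filename):
                    return "REJECT", f"{name}: member {info.filename} has a banned extension"
                with zf.open(info) as member:
                    if is_pe(member.read(PE_SNIFF_BYTES)):
                        return "REJECT", f"{name}: member {info.filename} is a PE executable"
    except zipfile.BadZipFile:
        return "REJECT", f"{name}: corrupt or truncated archive"
    return "ALLOW", f"{name}: archive contains no executables"


# ---- constructed samples (not real files) ----------------------------------

def pe_stub() -> bytes:
    """Smallest thing is_pe() accepts: MZ header, e_lfanew = 0x40, PE signature there."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def make_zip(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member_name, content in members:
            zf.writestr(member_name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set flag bit 0 in every local and central header of a constructed zip.
    Only the flag is touched; inspect_attachment() never reads such members."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x1
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def run_samples():
    pe = pe_stub()
    samples = [
        ("setup.exe", pe),
        ("setup.txt", pe),                                  # renamed executable
        ("report.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("tool.zip", make_zip([("tool.exe", pe)])),
        ("tool-renamed.zip", make_zip([("tool.dat", pe)])),
        ("docs.zip", make_zip([("readme.txt", b"plain text")])),
        ("locked.zip", mark_encrypted(make_zip([("tool.exe", pe)]))),
    ]
    return {name: inspect_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for verdict, reason in run_samples().values():
        print(f"{verdict:10} {reason}")
```

Only zip is handled; rar, 7z and nested archives, and Windows executables that are not PE files (scripts, HTA, LNK) need their own checks, and the encryption flag says nothing about how strong the zip's cipher is. In production this logic belongs in a content filter that already decodes MIME and archives (amavisd-new with @banned_filename_maps); the script shows the decision, not a milter.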






Re: banned files.

Jorey Bump
In reply to this post by Mauro Sanna
Mauro Sanna wrote, at 06/06/2008 03:22 AM:
>> I ban all exe attachments (and a few other Windows executable
>> extensions) in header_checks and direct links to similar executables in
>> body_checks. I also have a rule that rejects attachments with PE headers
>> to discourage renaming, but it rarely kicks in. My users are aware that
>> the policy allows no executable attachments. This hasn't caused a
>> problem for years.
>>
> The problem is not internal.

"All politics is local."

Naturally, this policy is primarily aimed at external abuse, but I'm
mainly concerned with the needs of my users. I warn them that the server
will not relay raw executables, so they will need a safe workaround. The
policy is communicated to external users at rejection time.

> My users don't attach executables when send to others internal users to
> internet.
> The problem is when from internet someone want to send a program, an
> executable, and it is necessary to receive it.
> If you ban executables how you resolve it?
> Perhaps using ftp?

They can zip the file or make it available via other means (http, ftp,
etc.). The few times this has come up, the users were happy to take the
extra steps, in light of the advantages afforded by blocking Windows
executables.


Re: banned files.

mouss-2
In reply to this post by Henrik K
Henrik K wrote:

> On Thu, Jun 05, 2008 at 11:09:50AM +0200, mouss wrote:
>  
>> Henrik K wrote:
>>    
>>> On Thu, Jun 05, 2008 at 09:50:05AM +0100, Mark Watts wrote:
>>>  
>>>      
>>>> On Thursday 05 June 2008 09:40:28 Mauro Sanna wrote:
>>>>    
>>>>        
>>>>> I'm usingf postfix+amavisd-new+clamav in a debian etch system.
>>>>> Here are some settings for the banned files:
>>>>> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
>>>>>
>>>>> All exe files are banned.
>>>>> The problem is that users want to send exe files but they can't, even if
>>>>> they zip the files.
>>>>> For my security I prefer to ban exe files.
>>>>> What's your opinion?
>>>>> What's you policy about that?
>>>>>      
>>>>>          
>>>> Larger organisations may require users to sign an Acceptable Use
>>>> Policy before they can use any corporate systems, including email.
>>>> Within that document may be a list (or a URL) of the current list of
>>>> banned attachments.
>>>> Once a user has signed said AUP then you have something to wave at
>>>> them if they do try and send said attachments.
>>>>
>>>> However, there are times when .exe files need to be emailed
>>>> (self-extracting encrypted executables comes to mind) and so you may
>>>> need to permit users to send such attachments.
>>>>    
>>>>        
>>> I don't see reason to ban any outgoing files, unless you have very mixed
>>> environment with no security on PCs at all.
>>>      
>> Some sites will reject the message and you'll earn a bad reputation  
>> (AFAIK, gmail rejects .exe inside zips).
>>    
>
> I rather take the chance that it does get through to most places, instead of
> listening to endless complains from users or setting up some elaborate
> tunnels for passing (small) files. There are many bats and exes sent from
> coders etc.
>  

How many times? Isn't this worth a "deny except when asked" approach?
And there are many ways to share exes without opening the door to attackers.

>  
>>> It should be enough to just scan
>>> outgoing for viruses, you will get notified if some bad files appear.
>>>  
>>>      
>> while scanning is recommended, it is not sufficient. not all malware is  
>> detected.
>>    
>
> If it isn't detected on the receiving end either, doesn't matter then. ;)
>
>  

If it's not detected by the recipient, then you have a significant share
of responsibility for the problems it has caused.


If one of your machines participates in an attack (dos, dictionary
attacks, phishing, ... etc), you are responsible, whether the victims
notice or not. There is no reason to exclude malware propagation.


> Of course there is no single right way, you weight the pros and cons. For
> us, no single case of "bad reputation" or anything has resulted from this in
> years.
>