
Re: [FW-1] new virus (?)



Here is a list of valid MIME types, if that is what you are looking for...

http://www.isi.edu/in-notes/iana/assignments/media-types/media-types

FYI:   gone.scr is MIME type application/octet-stream



>>> [email protected] 12/05/01 01:23PM >>>
Where might I look for a list of the file types to block?

> -----Original Message-----
> From: Colmer, Philip [SMTP:[email protected]]
> Sent: Wednesday, December 05, 2001 1:36 AM
> To:   [email protected]
> Subject:      Re: [FW-1] new virus (?)
>
> > We just got hit hard with emails with "Subject: Hi" and an
> > attachment named "gone.scr".  Has anyone else seen this?
> > What is the procedure for blocking an email based on the
> > subject at the firewall?
>
> You cannot block based on a subject with the firewall.
>
> What you can do is create an SMTP Security Server resource and use that to
> strip out the attachments, either based on the MIME encoding type (pre-SP3)
> or on the extension type (SP3 and later).
>
> To do this:
>
> 1. Create an SMTP resource. If all you are wanting to do is strip bad
> attachments, just give it a name and put the IP address of the destination
> SMTP server in. You can also use this resource to ensure that incoming email
> matches your email domains - useful for preventing relaying through your
> email server.
>
> 2. Set up a rule that ensures that all email intended for your email server
> goes against the resource. To do this, where it would normally say "SMTP" as
> the service, remove this and add the resource instead. Pick SMTP and then
> pick the resource from the list.
>
> 3. Once you've set up the policy, go to the firewall. Find the objects.C
> file. Edit the file and look for the definition of the SMTP resource you've
> just created. Add the following to the end of the definition:
>
> : (forbiddenfiles
>   : ("{*.scr}")
> )
>
> Save the file and re-implement the policy.
>
> What happens is that any attempt to connect to your email server for the
> purposes of SMTP gets intercepted by the firewall. It then strips out any
> attachment that has an extension that matches the list above - you can have
> comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
>
> We've implemented the above ".scr" list for now, but we'll shortly be
> expanding it to include all of the filetypes that Outlook now blocks.
>
> Implementing this has two benefits:
>
> 1. It stops the filetypes even hitting the mail server, thus reducing the
> amount of work that the anti-virus software has to do.
>
> 2. It ensures that new viruses get stripped out, regardless of whether or
> not the AV software knows about it ... which it didn't for the new gone.scr
> virus.
>
> Hope that helps.
>
> --Philip
>
> --
> Philip Colmer MBCS CEng                 Tel: 01223 271223
> I.T. Manager                            Fax: 01223 215513
> ProQuest Information & Learning
> The Quorum, Barnwell Road, Cambridge, CB5 8SW
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
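The extension-based stripping described in the quoted message, as an added Python example (not part of the original thread and not Check Point code): it parses the `{*.scr}` list syntax from the post and drops any MIME part whose filename matches, which is needed because `application/octet-stream` alone does not single out `gone.scr`. Case-insensitive matching, the function names and the sample message are assumptions of this example.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage


def parse_forbidden(spec):
    """Turn a '{*.vbs,*.vbe}' style list into lowercase glob patterns."""
    return [p.strip().lower() for p in spec.strip().strip("{}").split(",") if p.strip()]


def strip_forbidden(raw, spec):
    """Return (cleaned_bytes, removed_names) for one raw message."""
    patterns = parse_forbidden(spec)
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []

    def walk(part):
        if not part.is_multipart():
            return
        kept = []
        for child in part.get_payload():
            # Assumption: compare lowercased names so GONE.SCR is caught too.
            name = (child.get_filename() or "").strip().lower()
            if name and any(fnmatch.fnmatchcase(name, p) for p in patterns):
                removed.append(child.get_filename())
                continue  # drop the part; the rest of the message is delivered
            walk(child)   # nested multiparts and forwarded messages
            kept.append(child)
        part.set_payload(kept)

    walk(msg)
    return msg.as_bytes(), removed


def build_sample():
    """Constructed message: 'Subject: Hi' with GONE.SCR plus a harmless note."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Hi"
    m.set_content("see attachment")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="GONE.SCR")
    m.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_forbidden(build_sample(), "{*.scr,*.vbs,*.vbe,*.shs}")
    print("removed:", removed)
```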



 