[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] new virus (?)
Hi All I know its slightly "off-topic" but I have been trying to find out what file types are contained in Microsoft's "Level-2" list of attachments, on the KB doc (mentioned below) they give the level 1 list but not the level 2, does anyone know where this can be found? regards Matt -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Colmer, Philip Sent: 06 December 2001 08:52 To: [email protected] Subject: Re: [FW-1] new virus (?) The bottom of this article: http://support.microsoft.com/directory/article.asp?id=kb;en-us;Q290497 details all of the attachments that the Outlook security patch blocks. --Philip > -----Original Message----- > From: Mike Sullivan [mailto:[email protected]] > Sent: 05 December 2001 18:24 > To: [email protected] > Subject: Re: [FW-1] new virus (?) > > > Where might I look for a list of the file types to block? > > > -----Original Message----- > > From: Colmer, Philip [SMTP:[email protected]] > > Sent: Wednesday, December 05, 2001 1:36 AM > > To: [email protected] > > Subject: Re: [FW-1] new virus (?) > > > > > We just got hit hard with emails with "Subject: Hi" and an > > > attachment named "gone.scr". has anyone else seen this? > What is the > > > procedure for blocking an email based on the subject at the > > > firewall? > > > > You cannot block based on a subject with the firewall. > > > > What you can do is create an SMTP Security Server resource and use > > that to strip out the attachments, either based on the MIME > encoding > > type > > (pre-SP3) > > or on the extension type (SP3 and later). > > > > To do this: > > > > 1. Create an SMTP resource. If all you are wanting to do is > strip bad > > attachments, just give it a name and put the IP address of the > > destination SMTP server in. You can also use this resource > to ensure > > that incoming email matches your email domains - useful for > preventing > > relaying through your email server. > > > > 2. Set up a rule that ensures that all email intended for > your email > > server goes against the resource. To do this, where it > would normally > > say "SMTP" as > > the service, remove this and add the resource instead. Pick > SMTP and then > > pick the resource from the list. > > > > 3. Once you've set up the policy, go to the firewall. Find the > > objects.C file. Edit the file and look for the definition > of the SMTP > > resource you've just created. Add the following to the end of the > > definition: > > > > : (forbiddenfiles > > : ("{*.scr}") > > ) > > > > Save the file and re-implement the policy. > > > > What happens is that any attempt to connect to your email > server for > > the purposes of SMTP gets intercepted by the firewall. It > then strips > > out any attachment that has an extension that matches the > list above - > > you can have comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}"). > > > > We've implemented the above ".scr" list for now, but we'll > shortly be > > expanding it to include all of the filetypes that Outlook > now blocks. > > > > Implementing this has two benefits: > > > > 1. It stops the filetypes even hitting the mail server, > thus reducing > > the amount of work that the anti-virus software has to do. > > > > 2. It ensures that new viruses get stripped out, regardless > of whether > > or not the AV software knows about it ... which it didn't > for the new > > gone.scr virus. > > > > Hope that helps. > > > > --Philip > > > > -- > > Philip Colmer MBCS CEng Tel: 01223 271223 > > I.T. Manager Fax: 01223 215513 > > ProQuest Information & Learning > > The Quorum, Barnwell Road, Cambridge, CB5 8SW > > > > =============================================== > > To unsubscribe from this mailing list, > > please see the instructions at > > http://www.checkpoint.com/services/mailing.html > > =============================================== > > =============================================== > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.htm> l > > =============================================== > =============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html =============================================== =============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===============================================
|