
Re: [FW-1] new virus (?)



I have been trying to set up the attachment blocking described below.  When I
edit the object.C file and then implement the policy, the addition that I
made to the file is deleted.  ???  Any ideas??

Tom Trievel
Amerigroup Corp
Network Security Administrator

-----Original Message-----
From: Colmer, Philip [mailto:[email protected]]
Sent: Wednesday, December 05, 2001 4:36 AM
To: [email protected]
Subject: Re: [FW-1] new virus (?)


> We just got hit hard with emails with "Subject: Hi" and an
> attachment named "gone.scr".  Has anyone else seen this?
> What is the procedure for blocking an email based on the
> subject at the firewall?

You cannot block based on a subject with the firewall.

What you can do is create an SMTP Security Server resource and use that to
strip out the attachments, either based on the MIME encoding type (pre-SP3)
or on the extension type (SP3 and later).

To do this:

1. Create an SMTP resource. If all you are wanting to do is strip bad
attachments, just give it a name and put the IP address of the destination
SMTP server in. You can also use this resource to ensure that incoming email
matches your email domains - useful for preventing relaying through your
email server.

2. Set up a rule that ensures that all email intended for your email server
goes against the resource. To do this, where it would normally say "SMTP" as
the service, remove this and add the resource instead. Pick SMTP and then
pick the resource from the list.

3. Once you've set up the policy, go to the firewall. Find the objects.C
file. Edit the file and look for the definition of the SMTP resource you've
just created. Add the following to the end of the definition:

: (forbiddenfiles
  : ("{*.scr}")
)

Save the file and re-implement the policy.

What happens is that any attempt to connect to your email server for the
purposes of SMTP gets intercepted by the firewall. It then strips out any
attachment that has an extension that matches the list above - you can have
comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").

We've implemented the above ".scr" list for now, but we'll shortly be
expanding it to include all of the filetypes that Outlook now blocks.

Implementing this has two benefits:

1. It stops the filetypes even hitting the mail server, thus reducing the
amount of work that the anti-virus software has to do.

2. It ensures that new viruses get stripped out, regardless of whether or
not the AV software knows about it ... which it didn't for the new gone.scr
virus.

Hope that helps.

--Philip

--
Philip Colmer MBCS CEng                 Tel: 01223 271223
I.T. Manager                            Fax: 01223 215513
ProQuest Information & Learning
The Quorum, Barnwell Road, Cambridge, CB5 8SW

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
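
The extension-based stripping described in the quoted message, sketched as an added example in Python. It is not part of either post and is not Check Point's code: the function names, the sample message, and the case-insensitive matching are assumptions of this sketch, so verify how your firewall version treats upper-case extensions.

```python
import fnmatch
from email.message import EmailMessage


def parse_forbidden(spec):
    """Turn a list such as '{*.vbs,*.vbe,*.shs}' into lower-case glob patterns."""
    return [p.strip().lower() for p in spec.strip().strip("{}").split(",") if p.strip()]


def strip_attachments(msg, patterns):
    """Drop MIME parts whose filename matches a pattern; return the removed names."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        name = (part.get_filename() or "").lower()  # assumption: match case-insensitively
        if name and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            removed.append(name)
            continue
        removed += strip_attachments(part, patterns)  # descend into nested multiparts
        kept.append(part)
    msg.set_payload(kept)
    return removed


def sample_message():
    """Constructed test message: one forbidden and one harmless attachment."""
    m = EmailMessage()
    m["Subject"] = "Hi"
    m.set_content("see attachment")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="GONE.SCR")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m


if __name__ == "__main__":
    message = sample_message()
    print(strip_attachments(message, parse_forbidden("{*.scr}")))
    print([p.get_filename() for p in message.get_payload()])
```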
