Security Basics mailing list archives

Re: 543.rar attachment

From: "David J ONEILL" <David.J.Oneill () state or us>
Date: Mon, 14 Mar 2005 16:18:48 -0800

Gee, why not just block ALL email communication.  That would save you
some work too.

Archive files are a necessary part of communication and very beneficial
in saving bandwidth.

Let's have a reality check ....

David J O'Neill
Senior Systems Analyst
State of Oregon
Department of Human Services
Office of Information Services
PH# 503.378.2101 ext. 280
email david.j.oneill () state or us

Jonathan Loh <kj6loh () yahoo com> 03/14/05 02:21PM >>>

Ok that's a solution.  But what I want to ask you is this.  How much
overhead
does it take to do this?  Blocking archive files would be an easier
method with
little overhead.  Possibly with a reply to sender that your site does
not
accept archive files.  
--- Kinnell <kinnell.t () gmail com> wrote:

On the network I'm a member of we block all exe files sent inside

the

rar or zip, so even if it is sent the file will be 0byted.  Wouldn't
that be a better method?  otherwise if you block all bz2, zip, rar,
etc... then you will block a lot of useful communication

-Kinnell

On Fri, 11 Mar 2005 16:49:16 -0500, adisegna () siscocorp com 
<adisegna () siscocorp com> wrote:

Sean, I have to disagree with you. Any file that that can

encapsulate an

executable file should be blocked (IMO). ZIP files are one of the
biggest carriers of malicious content these days. I don't make it

habbit of trusting my users no matter how many times they get

trained.

RAR extraction tools are not part of the software image policy on

my

network so users are oblivious to the file blocking. What is your
solution?

Thanks

AD
Information Technology Group
Security Identification Systems Corporation

-----Original Message-----
From: Sean Crawford [mailto:sean01 () accnet com au] 
Sent: Tuesday, March 08, 2005 9:39 PM
To: security-basics () securityfocus com 
Subject: RE: 543.rar attachment

---> -----Original Message-----
---> From: adisegna () siscocorp com [mailto:adisegna () siscocorp com] 

---> Subject: RE: 543.rar attachment

---> I just recently got the same executable inside .rar. I

extracted

the
---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't

find

---> anything (as of 4 days ago). I wasn't about to double click

this

exe on
---> my corporate network. Block the rar extension on your mail

server.

--->

rar is a valid compression format...blocking it isn't a very good
solution.

2 cents.

Sean



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/

Current thread:

Re: 543.rar attachment, (continued)
- Re: 543.rar attachment Thierry Zoller (Mar 07)
- Re: 543.rar attachment Andrew Pretzl (Mar 07)
- RE: 543.rar attachment Andrew Shore (Mar 07)
- RE: 543.rar attachment adisegna (Mar 08)
  - RE: 543.rar attachment Sean Crawford (Mar 09)
- RE: 543.rar attachment adisegna (Mar 11)
  - Re: 543.rar attachment Kinnell (Mar 14)
    - Re: 543.rar attachment Steven DeFord (Mar 14)
- Re: 543.rar attachment Jonathan Loh (Mar 14)
- RE: 543.rar attachment adisegna (Mar 14)
- Re: 543.rar attachment David J ONEILL (Mar 15)
  - RE: 543.rar attachment Sean Crawford (Mar 16)
- Re: 543.rar attachment Jonathan Loh (Mar 15)
  - Re: 543.rar attachment Kinnell (Mar 15)
    - Re: 543.rar attachment Jonathan Loh (Mar 15)
    - Re: 543.rar attachment SAMIR SHUKRI (Mar 16)
- Re: 543.rar attachment David J ONEILL (Mar 15)
- Re: 543.rar attachment Jonathan Loh (Mar 15)
- Re: 543.rar attachment David J ONEILL (Mar 15)
  - Re: 543.rar attachment Micro Kluge (Mar 16)
- FW: 543.rar attachment adisegna (Mar 16)

(Thread continues...)