Security Basics mailing list archives
Re: 543.rar attachment
From: Jonathan Loh <kj6loh () yahoo com>
Date: Tue, 15 Mar 2005 10:48:59 -0800 (PST)
Good luck teaching common sense. --- Kinnell <kinnell.t () gmail com> wrote:
Very true. However we are not looking to ban people from using e-mail as a tool to pass important files; we are looking to keep Tim, the new intern from a near college, from opening a stupid e-mail with a "your wife knows you watch porn" subject and running a file in there that is said to keep your wife from finding out. The problem is between the keyboard and the seat, not so much on the servers, but if we can't teach the users common sense then we need to ban all files. Same goes for so many hot topic items -Kinnell On Mon, 14 Mar 2005 22:41:44 -0800 (PST), Jonathan Loh <kj6loh () yahoo com> wrote:Ok let's have a reality check. Blocking archive files is easy by just writing a simple filter looking for various extensions. Pruning executable files means you will have to usethatsame filter, open the archive, either extract the whole thing, delete the executables, and repackage the whole thing, or delete the executables inplace.Everyone can split large application files, or can be taught how, and sendthemto be repackaged. Ever wonder how TCP and UDP work? --- David J ONEILL <David.J.Oneill () state or us> wrote:Gee, why not just block ALL email communication. That would save you some work too. Archive files are a necessary part of communication and very beneficial in saving bandwidth. Let's have a reality check .... David J O'Neill Senior Systems Analyst State of Oregon Department of Human Services Office of Information Services PH# 503.378.2101 ext. 280 email david.j.oneill () state or usJonathan Loh <kj6loh () yahoo com> 03/14/05 02:21PM >>>Ok that's a solution. But what I want to ask you is this. How much overhead does it take to do this? Blocking archive files would be an easier method with little overhead. Possibly with a reply to sender that your site does not accept archive files. --- Kinnell <kinnell.t () gmail com> wrote:On the network I'm a member of we block all exe files sent insidetherar or zip, so even if it is sent the file will be 0byted. Wouldn't that be a better method? otherwise if you block all bz2, zip, rar, etc... then you will block a lot of useful communication -Kinnell On Fri, 11 Mar 2005 16:49:16 -0500, adisegna () siscocorp com <adisegna () siscocorp com> wrote:Sean, I have to disagree with you. Any file that that canencapsulate anexecutable file should be blocked (IMO). ZIP files are one of the biggest carriers of malicious content these days. I don't make itahabbit of trusting my users no matter how many times they gettrained.RAR extraction tools are not part of the software image policy onmynetwork so users are oblivious to the file blocking. What is your solution? Thanks AD Information Technology Group Security Identification Systems Corporation -----Original Message----- From: Sean Crawford [mailto:sean01 () accnet com au] Sent: Tuesday, March 08, 2005 9:39 PM To: security-basics () securityfocus com Subject: RE: 543.rar attachment ---> -----Original Message----- ---> From: adisegna () siscocorp com [mailto:adisegna () siscocorp com] ---> Subject: RE: 543.rar attachment ---> I just recently got the same executable inside .rar. Iextractedthe ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn'tfind---> anything (as of 4 days ago). I wasn't about to double clickthisexe on ---> my corporate network. Block the rar extension on your mailserver.---> rar is a valid compression format...blocking it isn't a very good solution. 2 cents. Sean__________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- RE: 543.rar attachment, (continued)
- RE: 543.rar attachment Sean Crawford (Mar 09)
- RE: 543.rar attachment adisegna (Mar 11)
- Re: 543.rar attachment Kinnell (Mar 14)
- Re: 543.rar attachment Steven DeFord (Mar 14)
- Re: 543.rar attachment Kinnell (Mar 14)
- Re: 543.rar attachment Jonathan Loh (Mar 14)
- RE: 543.rar attachment adisegna (Mar 14)
- Re: 543.rar attachment David J ONEILL (Mar 15)
- RE: 543.rar attachment Sean Crawford (Mar 16)
- Re: 543.rar attachment Jonathan Loh (Mar 15)
- Re: 543.rar attachment Kinnell (Mar 15)
- Re: 543.rar attachment Jonathan Loh (Mar 15)
- Re: 543.rar attachment SAMIR SHUKRI (Mar 16)
- Re: 543.rar attachment Kinnell (Mar 15)
- Re: 543.rar attachment David J ONEILL (Mar 15)
- Re: 543.rar attachment Jonathan Loh (Mar 15)
- Re: 543.rar attachment David J ONEILL (Mar 15)
- Re: 543.rar attachment Micro Kluge (Mar 16)
- FW: 543.rar attachment adisegna (Mar 16)
- RE: 543.rar attachment adisegna (Mar 16)