Security Basics mailing list archives
Re: 543.rar attachment
From: "David J ONEILL" <David.J.Oneill () state or us>
Date: Tue, 15 Mar 2005 10:50:24 -0800
I hope you were being rhetorical in your questions. If not, you clearly do not have enough experience to be discussing what should and should not be allowed via email. As a state agency, we work with many other organizations (large and small), some only have regular email access to work with.

David J O'Neill
Senior Systems Analyst
State of Oregon
Department of Human Services
Office of Information Services
PH# 503.378.2101 ext. 280
email david.j.oneill () state or us

Jonathan Loh <kj6loh () yahoo com> 03/15/05 10:44AM >>>

Ok let's take it from that standpoint then. All executables are not evil. All computer users are not evil. Does this mean we will shut down our firewalls and let everybody access our internal networks? I'm not saying stop all email traffic, far from it, just all archives. There are many ways of getting archives in. But oh well to each his own. Have you heard of ssh/scp/sftp for deployment of programs? Along with perhaps an email stating where to get your program and how to install it?

--- David J ONEILL <David.J.Oneill () state or us> wrote:

And your point is .... Not all executable files are evil, the source of the file must be considered. Sometimes, such as client server applications, executable files must be deployed with the associated resource files. And with the limitations on attachment sizes placed on commercial email systems, one needs all the compression one can get.

Jonathan Loh <kj6loh () yahoo com> 03/14/05 10:41PM >>>

Ok let's have a reality check. Blocking archive files is easy by just writing a simple filter looking for various extensions. Pruning executable files means you will have to use that same filter, open the archive, either extract the whole thing, delete the executables, and repackage the whole thing, or delete the executables in place. Everyone can split large application files, or can be taught how, and send them to be repackaged. Ever wonder how TCP and UDP work?

--- David J ONEILL <David.J.Oneill () state or us> wrote:

Gee, why not just block ALL email communication. That would save you some work too. Archive files are a necessary part of communication and very beneficial in saving bandwidth. Let's have a reality check ....

Jonathan Loh <kj6loh () yahoo com> 03/14/05 02:21PM >>>

Ok that's a solution. But what I want to ask you is this. How much overhead does it take to do this? Blocking archive files would be an easier method with little overhead. Possibly with a reply to sender that your site does not accept archive files.

--- Kinnell <kinnell.t () gmail com> wrote:

On the network I'm a member of we block all exe files sent inside the rar or zip, so even if it is sent the file will be 0byted. Wouldn't that be a better method? Otherwise if you block all bz2, zip, rar, etc... then you will block a lot of useful communication

-Kinnell

On Fri, 11 Mar 2005 16:49:16 -0500, adisegna () siscocorp com <adisegna () siscocorp com> wrote:

Sean, I have to disagree with you. Any file that can encapsulate an executable file should be blocked (IMO). ZIP files are one of the biggest carriers of malicious content these days. I don't make it a habit of trusting my users no matter how many times they get trained. RAR extraction tools are not part of the software image policy on my network so users are oblivious to the file blocking. What is your solution?

Thanks
AD
Information Technology Group
Security Identification Systems Corporation

-----Original Message-----
From: Sean Crawford [mailto:sean01 () accnet com au]
Sent: Tuesday, March 08, 2005 9:39 PM
To: security-basics () securityfocus com
Subject: RE: 543.rar attachment

---> -----Original Message-----
---> From: adisegna () siscocorp com [mailto:adisegna () siscocorp com]
---> Subject: RE: 543.rar attachment
---> I just recently got the same executable inside .rar. I extracted the
---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
---> anything (as of 4 days ago). I wasn't about to double click this exe on
---> my corporate network. Block the rar extension on your server.

rar is a valid compression format...blocking it isn't a very good solution.

2 cents.

Sean
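
The two filtering approaches debated in this thread (rejecting archives by file extension versus opening the archive and looking for executables inside), as an added example that is not part of any poster's message. It covers ZIP only, because Python's standard library has no RAR reader; the function names, extension lists and sample attachment are constructed for illustration.

```python
import io
import zipfile

ARCHIVE_EXTS = {".zip", ".rar", ".bz2"}                # illustrative list
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}   # illustrative list

def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def blocked_by_extension(filename):
    """Approach 1: reject any attachment whose name looks like an archive."""
    return ext(filename) in ARCHIVE_EXTS

def inspect_attachment(data):
    """Approach 2: open the ZIP and report why it should be rejected.

    Returns a list of (member, reason); an empty list means nothing was flagged.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a readable ZIP")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:      # encrypted: contents cannot be checked
                findings.append((info.filename, "encrypted member"))
                continue
            with zf.open(info) as member:
                head = member.read(2)     # only the header is needed
            if head == b"MZ":             # DOS/PE magic, whatever the name says
                findings.append((info.filename, "PE/DOS executable header"))
            elif ext(info.filename) in EXEC_EXTS:
                findings.append((info.filename, "executable extension"))
            elif ext(info.filename) in ARCHIVE_EXTS:
                findings.append((info.filename, "nested archive"))
    return findings

def build_sample():
    """Constructed, harmless sample: two stub files that only carry an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "install notes")
        zf.writestr("dddd.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.txt", b"MZ" + b"\x00" * 62)   # executable header, .txt name
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_attachment(build_sample()):
        print(finding)
```

The content check costs one decompression of a few bytes per member, and it flags the `.txt` member that a name-only filter inside the archive would pass.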