Re: 543.rar attachment

[Kinnell <kinnell.t () gmail com>]

On the network I'm a member of we block all exe files sent inside the
rar or zip, so even if it is sent the file will be 0byted.  Wouldn't
that be a better method?  otherwise if you block all bz2, zip, rar,
etc... then you will block a lot of useful communication

-Kinnell

On Fri, 11 Mar 2005 16:49:16 -0500, adisegna () siscocorp com
<adisegna () siscocorp com> wrote:
> Sean, I have to disagree with you. Any file that that can encapsulate an
> executable file should be blocked (IMO). ZIP files are one of the
> biggest carriers of malicious content these days. I don't make it a
> habbit of trusting my users no matter how many times they get trained.
> RAR extraction tools are not part of the software image policy on my
> network so users are oblivious to the file blocking. What is your
> solution?
>
> Thanks
>
> AD
> Information Technology Group
> Security Identification Systems Corporation
>
> -----Original Message-----
> From: Sean Crawford [mailto:sean01 () accnet com au]
> Sent: Tuesday, March 08, 2005 9:39 PM
> To: security-basics () securityfocus com
> Subject: RE: 543.rar attachment
>
> ---> -----Original Message-----
> ---> From: adisegna () siscocorp com [mailto:adisegna () siscocorp com]
>
> ---> Subject: RE: 543.rar attachment
>
> ---> I just recently got the same executable inside .rar. I extracted
> the
> ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
> ---> anything (as of 4 days ago). I wasn't about to double click this
> exe on
> ---> my corporate network. Block the rar extension on your mail server.
> --->
>
> rar is a valid compression format...blocking it isn't a very good
> solution.
>
> 2 cents.
>
> Sean