Educause Security Discussion mailing list archives

Re: Question re: inbound executable files


From: Dewitt Latimer <dewitt () ND EDU>
Date: Thu, 18 Dec 2003 17:58:11 -0500

At Notre Dame, we do not block or delete potentially harmful attachments,
but we do rename them so they are rendered benign.  The attachment is
renamed to .xxx_unknown, where xxx is the original extension.
(trojanhorse.exe becomes trojanhorse.exe_unknown)

We then append to the original e-mail message body that the attachment was
renamed, why it was renamed, and only to rename it back if they are 100%
sure that the payload is harmless.

We rename the following extensions:

ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta hto
inf ini ins isp jse* lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg scr
sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh

-d

------------------------------
Dewitt Latimer, Ph.D.
Deputy CIO and Chief Technology Officer
The University of Notre Dame
dewitt () nd edu



----- Original Message -----
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, December 18, 2003 5:26 PM
Subject: [SECURITY] Question re: inbound executable files


Is anyone blocking inbound executable files to help prevent viruses,
etc.?

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1  CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
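
The renaming policy described in the reply above, sketched with Python's standard email package (an added example, not part of the original post and not Notre Dame's gateway code). The function names, the notice wording, the prefix reading of "jse*" and the trimming of trailing dots and spaces are assumptions.

```python
from email.message import EmailMessage

# Extensions from the post; "jse*" is read as a prefix match (assumption).
RENAMED = set("""ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp
hlp hta hto inf ini ins isp lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg
scr sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh""".split())

NOTICE = ("\n[Gateway notice] Attachment {old} was renamed to {new} because "
          "this file type can carry harmful code. Rename it back only if you "
          "are 100% sure the payload is harmless.\n")

def defanged_name(filename):
    """Return filename + '_unknown' if its extension is listed, else None."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if ext in RENAMED or ext.startswith("jse"):
        return name + "_unknown"
    return None

def rename_attachments(msg):
    """Rename listed attachments in place; return list of (old, new) names."""
    renamed = []
    for part in msg.walk():
        old = part.get_filename()
        new = defanged_name(old) if old else None
        if new is None:
            continue
        # A client may read the name from either header, so update both.
        if part.get_param("filename", header="content-disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        renamed.append((old, new))
    body = msg.get_body(preferencelist=("plain",))
    if renamed and body is not None:
        notes = "".join(NOTICE.format(old=o, new=n) for o, n in renamed)
        body.set_content(body.get_content().rstrip("\n") + "\n" + notes)
    return renamed

def sample_message():
    """Constructed test message: one listed and one unlisted attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for fname in ("trojanhorse.exe", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg
```

Only the last extension is matched, so a double extension such as invoice.pdf.scr is still renamed, while the attachment bytes themselves are left untouched.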
