Educause Security Discussion mailing list archives

Re: Question re: inbound executable files


From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Thu, 18 Dec 2003 16:16:33 -0700

At Metropolitan State College of Denver, we do not block any
file attachments but we do run the Sophos anti-virus scanner
on our Email server.  All Email (in or out) that passes through
our mail server is scanned for viruses and Trojans.  We do have
to be very attentive to add supplemental signatures to Sophos
(http://www.sophos.com/).  We block outgoing tcp port 25 connections
except for those that are created by our Email server.

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

Dewitt Latimer wrote:

At Notre Dame, we do not block or delete potentially harmful attachments,
but we do rename them so they are rendered benign.  The attachment is
renamed to .xxx_unknown, where xxx is the original extension.
(trojanhorse.exe becomes trojanhorse.exe_unknown)

We then append to the original e-mail message body that the attachment was
renamed, why it was renamed, and only to rename it back if they are 100%
sure that the payload is harmless.

We rename the following extensions:

ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta hto
inf ini ins isp jse* lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg scr
sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh

-d

------------------------------
Dewitt Latimer, Ph.D.
Deputy CIO and Chief Technology Officer
The University of Notre Dame
dewitt () nd edu



----- Original Message -----
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, December 18, 2003 5:26 PM
Subject: [SECURITY] Question re: inbound executable files


Is anyone blocking inbound executable files to help prevent viruses,
etc.?

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1  CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
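
The rename-and-notify approach described in Dewitt Latimer's message, as an added example (not part of the original thread and not Notre Dame's own code). The function names, the notice wording, the sample message, and reading "jse*" as "jse" are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions from the list in the thread; "jse*" is taken as "jse" (assumption).
RENAMED = frozenset("""
ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta hto inf
ini ins isp jse lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg scr sct sh
shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh""".split())
# Notice wording is an assumption modelled on the description in the thread.
NOTICE = ("\n[Mail gateway] Attachment {old} was renamed to {new} because files "
          "of this type can carry malicious code. Rename it back only if you "
          "are 100% sure the payload is harmless.\n")

def defang_attachments(raw):
    """Return (rewritten message bytes, [(old_name, new_name), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        base = name.rstrip(". ")  # Windows ignores trailing dots and spaces
        if "." not in base or base.rpartition(".")[2].lower() not in RENAMED:
            continue
        new = base + "_unknown"
        # A client may read the name from either header, so update both.
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        renamed.append((name, new))
    body = msg.get_body(preferencelist=("plain",))
    if renamed and body is not None:
        text = body.get_content()
        body.set_content(text + "".join(NOTICE.format(old=o, new=n) for o, n in renamed))
    return msg.as_bytes(), renamed

def build_sample():
    """Constructed test message: one risky and one ordinary attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.edu", "b@example.edu", "report"
    m.set_content("Hi, see attached.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="trojanhorse.exe")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()
```

Renaming only changes how the client treats the file; the payload bytes are untouched, so this complements scanning rather than replacing it.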
