Network Security: Detailed info on Re: 543.rar attachment

Subject:	Re: 543.rar attachment
Date:	Wed, 16 Mar 2005 11:08:55 +0400

there is no right or wrong answer for a policy on email attachments. every organization needs to evaluate the benefits and weighted against the risk for such a service. email attachments is a requirements for email service. if a company needs email service for its business operations it doesn't make sense to block attachments. there are many ways to control the attachments and scan them for harmfully/ infected content. it depends on the how much control you need ( justified by risk / benefit analysis) there are technical solutions that can be applied on the mail gateway ( spam control , anti virus) and on the desktop ( anti virus, desktop security control policy , etc ..) which if all combined they can reduce the risk mentioned below to an acceptable level. vulnerabilities exist in every system but that doesn't stop us from using them. just remember if you can't handle something then you are the problem!


Jonathan Loh wrote:

Good luck teaching common sense. --- Kinnell <kinnell.t@gmail.com> wrote:
Very true.  However we are not looking to ban people from using e-mail
as a tool to pass important files; we are looking to keep Tim, the new
intern from a near college, from opening a stupid e-mail with a "your
wife knows you watch porn" subject and running a file in there that is
said to keep your wife from finding out.
The problem is between the keyboard and the seat, not so much on the
servers, but if we can't teach the users common sense then we need to
ban all files.  Same goes for so many hot topic items
-Kinnell
On Mon, 14 Mar 2005 22:41:44 -0800 (PST), Jonathan Loh <kj6loh@yahoo.com> wrote:

Ok let's have a reality check. Blocking archive files is easy by just writing a simple filter looking for various extensions. Pruning executable files means you will have to use

that

same filter, open the archive, either extract the whole thing, delete the executables, and repackage the whole thing, or delete the executables in

place.

Everyone can split large application files, or can be taught how, and send

them
to be repackaged.  Ever wonder how TCP and UDP work?
--- David J ONEILL <David.J.Oneill@state.or.us> wrote:
Gee, why not just block ALL email communication.  That would save you
some work too.
Archive files are a necessary part of communication and very beneficial
in saving bandwidth.
Let's have a reality check ....
David J O'Neill
Senior Systems Analyst
State of Oregon
Department of Human Services
Office of Information Services
PH# 503.378.2101 ext. 280
email david.j.oneill@state.or.us
Jonathan Loh <kj6loh@yahoo.com> 03/14/05 02:21PM >>>

Ok that's a solution. But what I want to ask you is this. How much overhead does it take to do this? Blocking archive files would be an easier method with little overhead. Possibly with a reply to sender that your site does not accept archive files. --- Kinnell <kinnell.t@gmail.com> wrote:

On the network I'm a member of we block all exe files sent inside

the
rar or zip, so even if it is sent the file will be 0byted.  Wouldn't
that be a better method?  otherwise if you block all bz2, zip, rar,
etc... then you will block a lot of useful communication
-Kinnell
On Fri, 11 Mar 2005 16:49:16 -0500, adisegna@siscocorp.com <adisegna@siscocorp.com> wrote:

Sean, I have to disagree with you. Any file that that can
encapsulate an

executable file should be blocked (IMO). ZIP files are one of the biggest carriers of malicious content these days. I don't make it

a

habbit of trusting my users no matter how many times they get

trained.

RAR extraction tools are not part of the software image policy on

my
network so users are oblivious to the file blocking. What is your
solution?
Thanks
AD
Information Technology Group
Security Identification Systems Corporation
-----Original Message-----
From: Sean Crawford [mailto:sean01@accnet.com.au]
Sent: Tuesday, March 08, 2005 9:39 PM
To: security-basics@securityfocus.com
Subject: RE: 543.rar attachment
---> -----Original Message-----
---> From: adisegna@siscocorp.com [mailto:adisegna@siscocorp.com]
---> Subject: RE: 543.rar attachment
---> I just recently got the same executable inside .rar. I
extracted

the ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't

find

---> anything (as of 4 days ago). I wasn't about to double click

this

exe on ---> my corporate network. Block the rar extension on your mail

server.
--->
rar is a valid compression format...blocking it isn't a very good
solution.
2 cents.
Sean
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

<Prev in Thread]	Current Thread	[Next in Thread>
RE: 543.rar attachment, (continued) RE: 543.rar attachment, adisegna Re: 543.rar attachment, Kinnell Re: 543.rar attachment, Steven DeFord Re: 543.rar attachment, Jonathan Loh RE: 543.rar attachment, adisegna Re: 543.rar attachment, David J ONEILL RE: 543.rar attachment, Sean Crawford Re: 543.rar attachment, Jonathan Loh Re: 543.rar attachment, Kinnell Re: 543.rar attachment, Jonathan Loh Re: 543.rar attachment, SAMIR SHUKRI <= Re: 543.rar attachment, David J ONEILL Re: 543.rar attachment, Jonathan Loh Re: 543.rar attachment, David J ONEILL Re: 543.rar attachment, Micro Kluge FW: 543.rar attachment, adisegna RE: 543.rar attachment, adisegna

Previous by Date:	RE: Any remote client - without fixed IP, Mike
Next by Date:	RE: Any remote client - without fixed IP, Stephane Auger
Previous by Thread:	Re: 543.rar attachment, Jonathan Loh
Next by Thread:	Re: 543.rar attachment, David J ONEILL
Indexes:	[Date] [Thread] [Top] [All Lists]