Blocking swf games hidden inside Office documents

By Greg
Our students have taken to creating Word, PPT and even Excel documents containing between 20 and 30 .swf games in order to bypass the school firewall. They give them names like Homework.doc or English.ppt. The result is disruptive to their (and other students') learning. Does anyone know how we can deactivate them on a system-wide basis, or at least make them easier to track down?


All Answers


Group Policy?

by LarryD4 In reply to Blocking swf games hidden ...

I think you could block the file extension in Group Policy from executing. We do it with <filename>.exe to block users from playing specific games like sol.exe...

I'm just not too sure if it would apply to a flash game..

It's under user configuration and it's an admin template that allows you to define what applications users are not allowed to run.


Thanks but..

by Greg In reply to Group Policy?

Hi Larry,
Thanks, but the kids actually have to create flash files as part of their coursework so we can't do a blanket block. However there's no other reason for swf's to be #inside# word etc docs, that I can think of, other than to hide illegitimate files (games) and that's the current goal. Make them findable/removable in this context.
Thanks for trying.


Not sure how to block, but ...

by Bizzo In reply to Blocking swf games hidden ...

If you want to search for office files that contain swf objects, then you could use the "FIND" command, and search for the string "CONTROL ShockwaveFlash.ShockwaveFlash", eg.

find /N /I /OFF "CONTROL Shockwaveflash.shockwaveflash" *.doc

This will find all *.doc files that have embedded swf objects.

I know it's not exactly what you want, but you may be able to adapt it somehow.
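
The same search as a script, extended beyond the post's *.doc case to other Office formats (an added example, not part of the original thread): it looks for the ProgID from the FIND string as ASCII and UTF-16LE text, and also inside the ZIP parts of .docx/.pptx/.xlsx files, where a plain FIND misses it because the parts are compressed. The Flash ActiveX class ID is supplied here as an assumption and is not taken from the thread; the file names in demo() are constructed samples.

```python
import tempfile
import zipfile
from pathlib import Path

PROGID = "ShockwaveFlash.ShockwaveFlash"  # from the FIND string in the post
# Assumption, not from the thread: class ID of the Flash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
OFFICE_EXT = {".doc", ".ppt", ".pps", ".xls", ".docx", ".pptx", ".xlsx"}

# Each marker as ASCII and as UTF-16LE text, compared case-insensitively.
NEEDLES = [s.encode(enc).lower() for s in (PROGID, FLASH_CLSID)
           for enc in ("ascii", "utf-16-le")]

def has_marker(blob: bytes) -> bool:
    low = blob.lower()
    return any(n in low for n in NEEDLES)

def flash_locations(path: Path) -> list:
    """'<raw>' for a hit in the file bytes, plus any ZIP parts with a hit."""
    found = ["<raw>"] if has_marker(path.read_bytes()) else []
    if zipfile.is_zipfile(path):  # OOXML parts are deflated, so unpack them
        with zipfile.ZipFile(path) as z:
            found += [n for n in z.namelist() if has_marker(z.read(n))]
    return found

def scan_tree(root: Path) -> dict:
    """Map each flagged Office file under root to where the marker was seen."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in OFFICE_EXT:
            try:
                found = flash_locations(p)
            except (OSError, zipfile.BadZipFile):
                found = ["<unreadable>"]  # surface it instead of skipping
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def demo() -> dict:
    """Run the scan over constructed sample files (not real documents)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        field = "CONTROL ShockwaveFlash.ShockwaveFlash.9".encode("utf-16-le")
        (root / "Homework.doc").write_bytes(b"\xd0\xcf\x11\xe0" + field)
        (root / "Essay.doc").write_bytes(b"\xd0\xcf\x11\xe0 plain text")
        (root / "coursework.swf").write_bytes(b"FWS\x09")  # not an Office file
        with zipfile.ZipFile(root / "English.pptx", "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr("ppt/activeX/activeX1.xml", '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID)
        return scan_tree(root)
```

Standalone .swf coursework files are never flagged, because only Office extensions are scanned; point scan_tree() at the students' home-directory share to get a list of documents to review.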


Re. Blocking swf games hidden inside Office documents

This site might give you more info on how to block SWF files.

Solution Path:

Because researchers first found this vulnerability being exploited in the wild, Adobe has not had time to release a patch for Flash Player. Until they do, the following workarounds will mitigate the risk of this new exploit affecting your users:

* Internet Explorer (IE) users can set the killbit for Adobe's Flash Player. This prevents IE from playing any Flash content with the Adobe Flash Player. Bear in mind that this also prevents legitimate Flash content from playing. Refer to this Microsoft Knowledge Base article for more details on how to set a killbit. Flash Player's CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36:

* Firefox users should install the NoScript extension. NoScript prevents web sites from running JavaScript, Java, Flash, or other executable web content by default. While NoScript does prevent legitimate web sites from executing scripts as well, you can easily add those trusted sites to your white list to allow them to run the content you need.
* Use a gateway device, like WatchGuard's Firebox products, to block .SWF files from entering your network. See below for more details.

For All WatchGuard Users:

Some of WatchGuard's Firebox models allow you to prevent your users from accessing Shockwave Flash files (.SWF) via the web (HTTP) or emails (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox's proxy services (video instructions below). Again, many web sites rely on Flash for interactive content, and blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique may render many video web sites unusable. Nonetheless, with the severity of this zero day exploit, you may want to temporarily block all .SWF content until Adobe releases a patch.
More here:

Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.


Thanks but...

by Greg In reply to Re. Blocking swf games hi ...

Thanks for the positive response Peconet, but our students do create swf files as part of their coursework - we even run a course where they can learn to write a simple flash game (not such IT Nazis after all Mr Clyde) - so we can't disable flash altogether. And there are so many websites (really good educational ones) that we can't go that route either. It's just - blocking (or at least tracing) swf files INSIDE documents. When you find a ppt file with thirty games inside you know you have found someone for whom learning is not a priority... :-(


You are missing a learning opportunity

by jdclyde In reply to Blocking swf games hidden ...

They have learned to do something, in an effort to express themselves.

If the games are not played until after class work is done, it is not disruption, nor a distraction.

Stop and think what the real reason you have a job in IT is. Is it to play IT Nazi or to give a safe and secure environment for people to learn something? If people get rewarded for doing well, use it as an incentive.

Back in geometry class, my instructor allowed you to do as you pleased, as long as you kept a straight "B" or higher. If you dropped lower, you had to start paying attention to lectures and do homework.

We sat in the back of class playing cards as a reward for performing well.

You could learn a lesson.



by LarryD4 In reply to You are missing a learnin ...

Something tells me you've never been an admin or Tech Manager in a Technology learning institution.

There are always the good kids you want to reward and there are always the bad kids who ruin it for the rest. Resulting in you taking steps like the one we're talking about.

Shouldn't have used the word "bad", no kid is "bad". But I was one of those kids that hosed up the school's "training" mainframe for the day.


Actually, I have

by jdclyde In reply to heh

I was a tech for a local college for a while, and then a very good friend was there for a few years.

The key is how to let them play, while having everything revert back to normal.

Booting to a network image or hidden image that is locked down always is a good way to go. They can do as they please, but reboot the system and it is back how it was.

In this case, we are talking kids playing a game locally. It isn't a drain on the network like videos or on-line games would be, so it is just a way of enforcing a rule "just because".

If it really WERE a disruption to the class, the instructor should be able to notice said disruption and manage their class appropriately.

I am not a fan of lazy people trying to use computer controls to enforce behavior.


Heh ok ok

by LarryD4 In reply to Actually, I have

I hear ya loud and clear but it's still a needed requirement, that any learning environment needs to be controlled.

Case in point, I'm in school learning JCL/Cobol/CICS and I'm trying to find a way to monitor the percentage of job completion on the school's mainframe, which apparently had a channel dedicated to running the school's app.

So I wrote a job that takes snapshots of the jobs running in each channel and then updates my job letting it know how far along in the JCL it is. Problem was I didn't control the snapshot itself and within 10 minutes I had seized the frame and all jobs running. Only way around it literally was a complete shutdown.

That's the type of stuff you have to protect. Don't give the learning techies complete access to all avenues and resources until that specific person proves their ability, knowledge, and you're confident in what they can do.

Then again they shouldn't have had production on the same mainframe that we were writing and testing jobs.

Live and learn! :0
