Extension Blocking, The Debate

By LordInfidel
I am opening up this debate in order to field people's views on this.

Over the past several months, since I have begun sharing my views about
extension blocking, I have received lots of e-mail from people asking
me about extension blocking. I also have been criticized for advocating my view by other admins.
Admins who I would have thought would be open and supportive of the idea.

When I made the decision 2 years ago to begin blocking extensions at the mail gateway,
it was to prevent my end users from receiving vbs scripts. I noticed that my end users
could not be trusted on their own to not execute the attachment. I also noticed that the
various AV products out there were not picking up the viruses.

Now what I am advocating is not new. I did not come up with the idea, nor was I the first
admin to employ such a tactic.

I am however one of its most vocal advocates.

I have always sworn by the old adage, "Burn me once, shame on you. Burn me twice, shame on me."

As admins and IT professionals, if we do not learn from the past and from our mistakes, then how will
we ever learn at all?

So with those points in mind, I will now open the floor to debate.

Feel free to disagree with me and discuss the finer points of security.

I do urge people that before blasting another person on this debate, be certain who you are blasting.
Read their profile. Look over some of their other posts. We are all reasonable people here; there is no
need for mud slinging.

35 total posts (Page 2 of 4)

My Two Cents...

by mrafrohead In reply to Let me try

I think that extension blocking is a fine practise and actually a smart one at that...

One thing to keep in mind.

Scenario: You notice a virus that just infected your network and now e-mails are being sent to all users on your network. These are malicious e-mails that are trying to infect other users. So to be proactive in the matter you begin a Virus Definition update to catch the virus in its tracks and immediately send out a notice to all users to NOT open up the e-mail due to the fact that it contains a virus.

Then guess what happens. As always, EVERY single time, you get about one hundred phone calls of people that opened the e-mail and infected their computer AFTER they read your e-mail stating not to open the infected one.

Unfortunately the end users can't generally be trusted in this kind of matter. They aren't the ones that have to go around to every single site and clean the computers and try to restore them back to their original states either.

As for me... At home, I have extension blocking set up for my Antivirus E-mail scanning and also in Outlook. I figure with all of the malicious messages that I receive in a week and the fact of all of the TIME and money that I have spent on my computer at home, I'm not going to take a chance of someone sending me something bad and even let it into my computer... The people that are sending me files or are going to, I make sure that I let them know to rename the extension to something that will not self execute or can't execute and then I rename it once I receive it and scan it...

But that's just me and this is just my two cents.

I hope that it helps

mrafrohead
mrafrohead@yahoo.com

In that scenario..

by LordInfidel In reply to My Two Cents...

This is where having a strong emergency policy comes into play.

My standing policy when a virus has successfully entered, infected and is propagating through my network:

1. Turn off the IMS at my mail server (Exchange); this prevents any mail from leaving or entering my network.

2. Immediate shutdown of all network file servers.

3. All users are to immediately close down their Outlook clients.

4. My staff then begins to go around and physically removes any infected machines from the network.

5. Using a grep style utility (yes, there is one for Exchange), I scan all mailboxes for the keywords of the infected e-mail and delete it, permanently, from the IS (information store).

6. Research the virus and remove any infected files from the file servers. Regardless of what the infected file was, it is permanently deleted and recorded as to its location.

7. Once the network has been disinfected, I begin to reopen mail services and allow people to reconnect to the file servers.

8. Finally we disinfect any infected client machines.

Fortunately, since we have employed extension blocking, I have not had to employ the disaster plan. Before extension blocking I had to employ it at least once a month.
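Step 5 of the policy above (a grep-style sweep of every mailbox for the infected e-mail, then permanent deletion) is easy to get wrong in one way: the admin's own warning notice quotes the subject line, so a sweep keyed on subject keywords alone would delete the warning too. The example below is added here and is not LordInfidel's Exchange utility; it runs the sweep over constructed in-memory mailboxes and only counts a message as a copy when its subject matches and it carries the payload attachment (matched by SHA-256). The Message class, function names, mailbox contents and payload bytes are all constructed for the example.

```python
"""Outbreak sweep: find and purge every mailbox copy of an infected message.

Added example (not the poster's tool). A message is a copy only when its
subject contains the keywords AND an attachment hashes to the known payload,
so the admin's warning notice, which quotes the subject, survives the sweep.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Message:
    msg_id: str
    sender: str
    subject: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # filename -> content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the worm's attachment; any bytes do for the demo.
WORM_BODY = b"constructed placeholder, not a real script"
WORM_HASH = sha256_hex(WORM_BODY)


def build_sample_mailboxes() -> Dict[str, List[Message]]:
    """Three constructed mailboxes: two real copies, the admin's warning notice,
    and two look-alikes that share the subject text but not the payload."""
    warning = "Do NOT open mail titled 'Check this out'"
    return {
        "alice": [
            Message("a1", "bob@corp.example", "Check this out", {"photos.zip.vbs": WORM_BODY}),
            Message("a2", "admin@corp.example", warning),
        ],
        "bob": [
            Message("b1", "carol@corp.example", "Check this out", {"photos.zip.vbs": WORM_BODY}),
            Message("b2", "alice@corp.example", "Check this out - lunch photos",
                    {"lunch.jpg": b"constructed jpeg stand-in"}),
        ],
        "carol": [
            Message("c1", "admin@corp.example", warning, {"quoted.txt": b"quoted headers only"}),
        ],
    }


def find_outbreak_copies(mailboxes: Dict[str, List[Message]], subject_keywords: List[str],
                         attachment_hash: str) -> List[Tuple[str, str]]:
    """Return (mailbox, msg_id) for every message whose subject contains all the
    keywords and whose attachments include the known payload hash."""
    hits = []
    for box, messages in mailboxes.items():
        for m in messages:
            subject = m.subject.lower()
            if not all(k.lower() in subject for k in subject_keywords):
                continue
            if any(sha256_hex(data) == attachment_hash for data in m.attachments.values()):
                hits.append((box, m.msg_id))
    return hits


def purge(mailboxes: Dict[str, List[Message]], hits: List[Tuple[str, str]]) -> int:
    """Delete the listed messages in place; returns how many were removed."""
    removed = 0
    for box, msg_id in hits:
        before = len(mailboxes[box])
        mailboxes[box] = [m for m in mailboxes[box] if m.msg_id != msg_id]
        removed += before - len(mailboxes[box])
    return removed


if __name__ == "__main__":
    boxes = build_sample_mailboxes()
    found = find_outbreak_copies(boxes, ["check this out"], WORM_HASH)
    print("copies found:", found)
    print("deleted:", purge(boxes, found))
```

The hash requirement is what keeps the warning notice (and the unrelated "lunch photos" mail) out of the delete list; a sweep on a real store would log each (mailbox, id) pair before deletion so the action can be audited afterwards.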

I agree with VBS blocking

by TomSal In reply to Extension Blocking, The D ...

I too, as a matter of fact quite recently, have started blocking .VBS extensions at the gateway.

I agree with your theory 100%. You can't trust your users. I have found, and I don't think my end users are the only ones like this, that end users will ALWAYS choose the path of least resistance (effort).

For this reason I automate as much as possible and let the software do the work. That's why I have content scanning in place (because employees are too lazy to watch their language in corporate emails at times), I have extension blocking (because they are too lazy to listen to our email policies), and I have automated backups on certain computers (like the HR managers and the Accounting managers) - because they are not disciplined enough to backup their critical files.

And to think that some entry level/newbie admins think all we do is install Windows on client computers all day.

later.

Attachment Blocking - A saviour!

by Bremmerz In reply to Extension Blocking, The D ...

I agree completely with attachment blocking. By blocking certain files at our mailgate (namely .exe, .bat, .com, .pif, .scr, .vbs + more) we've managed to thwart all potential infections since Melissa. Actually, Nimda did slip through the net but we were infected from the WAN to our parent company, not through our mailgate.

A lot of companies are hot at picking up on viruses and renewing their .dats as soon as they can. The problem is, they must know about the virus first in order to combat it, and the way they normally find out is when it hits the wild. Attachment blocking in this case is an excellent first line of defense as the virus can't get through even when your AV can't detect it.

Also, users can't be trusted not to open attachments. No matter how many times you tell them, there will always be some numpty who will open it. If it wasn't for attachment blocking, I think a lot more people would have been hit by Badtrans.b as the payload was started just from reading the e-mail (even in Outlook's preview pane the attachment was run).

Attachment blocking also has other bonuses. We receive around 30 .exes a day that are blocked. Of these, maybe 2 at the most will be work related, the rest are games. We're happy to take any work related files out of quarantine for the users, but you can imagine our response when a user asks us to get a game out of quarantine for them!!! If the games did get through, you can pretty much guarantee that these files will be stored somewhere on the network, whether it's a server share or in the mailbox these files take up storage space, which in turn is costing the company money to maintain and backup.

That's me done! ;o)

Definitely, but...

by jagma_ In reply to Extension Blocking, The D ...

I am all for extension blocking, from vbs to exe, but there is one small problem.

Some admins get a bit carried away with this task, and don't think of what they could be blocking in the future. I know one company that installed an email scanner, and set the language blocking to the maximum levels that they could. Of course, what nobody realized is that their company name could be interpreted by the program as being derogatory, and therefore for the next couple of days not a single email came in to the company (sorry, can't mention the name). All because the admin didn't think. A lot of planning should go into this sort of project.

A company cannot run without certain things, like firewalls and AV, but now email scanning/management software is becoming critical, even things such as email size blocking is becoming crucial.

Just think, the more admins who do this part of the job properly will help to lower the amount of viruses spreading to the rest of us. Not one single virus has passed into or out of my domain since I implemented all of these necessary things, and I think that all admins worth their salt will do whatever is necessary to ensure that they are a part of the solution, and not aiding the problem.

I heard a similar story

by Bremmerz In reply to Definitely, but...

An article I read in Network News a couple of weeks ago made me chuckle. Scunthorpe County Council (in England) recently installed a mailscanner and used it to block profanities among other things.

Their mail domain is something like scunthorpecc.gov.uk, and they couldn't figure out why no-one was receiving any e-mail for a couple of days. Finally one bright spark figured it out ;o)

This has also led me to believe that none of the system admins there support Scunthorpe United football (that's soccer for those over the pond) team. A common song that emits from the Nationwide Division terraces when Scunthorpe play away is "Who put the &*^% in Scunthorpe?"

I am Reminded of a Story...(or 2)

by eBob In reply to Definitely, but...

Back in the olden days, before the Web was popular, and most "netizens" were connected through Compuserve (remember them?) and AOL, there was some attempt to "civilize" the available content.

AOL really led the charge, in an attempt to make their offering more "consumer accessible". So they built filters. They loaded their filters with words that represented potentially risque content.

The result was that AOL users couldn't do research on "breast" cancer, or even look up a recipe for barbecued "breast" of chicken.

Ooops.

Similar issues involve filtering email attachments.

At my last place of employment the email admin started blocking .VBS attachments. The one and only VB scripter in the company (15,000 users, 18 sites world-wide, and only one VB scripter - it's true) raised his concern that now he couldn't transfer his scripts.

"You're an IT 'professional', and you can't figure out a workaround, for yourself (the one and only VB scripter)?", we all asked (with very little patience for this KNOB).

"Duh, like what?"

"Oh, perhaps rename the extension to '.VB_'. Or maybe use something other than email to move your scripts."

"Duh, like what?"

"Ever hear of 'FTP'?"
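The three stories above (jagma_'s company whose own name tripped the language filter, Bremmerz's council whose domain did the same, and eBob's AOL filter blocking "breast" cancer) are one bug: a block list applied as a case-insensitive substring match. The example below is added here and is not code from any poster; it reproduces the failure on constructed sample text and shows the two fixes a gateway content filter needs, whole-word matching and an exemption list for known legitimate phrases. The block term "rat", the domain stratfordcc.example and the sample messages are constructed stand-ins (the page obscures the actual word in the Scunthorpe story).

```python
"""Content-filter false positives: substring matching against a block list.

Added example (not from this thread's posters). naive_filter() is the
behaviour that stopped a whole council's mail; word_filter() matches whole
words only and strips exempt phrases before matching.
"""
import re
from typing import Iterable, List

# Constructed block list. "breast" is the term from eBob's AOL story; "rat"
# is a stand-in for the obscured word in the Scunthorpe story.
BLOCK_TERMS = ["rat", "breast"]
# Legitimate phrases that must never trip the filter (both are from eBob's post).
EXEMPT_PHRASES = ["breast cancer", "breast of chicken"]


def naive_filter(text: str, terms: Iterable[str] = BLOCK_TERMS) -> List[str]:
    """Case-insensitive substring match: returns every block term found
    anywhere in the text, including inside other words and domain names."""
    lowered = text.lower()
    return [t for t in terms if t.lower() in lowered]


def word_filter(text: str, terms: Iterable[str] = BLOCK_TERMS,
                exempt_phrases: Iterable[str] = EXEMPT_PHRASES) -> List[str]:
    """Whole-word match after removing exempt phrases.

    Word boundaries stop 'rat' matching inside 'stratfordcc'; the exemption
    list covers cases such as 'breast cancer', where the term really is a
    whole word but the context is legitimate.
    """
    lowered = text.lower()
    for phrase in exempt_phrases:
        lowered = lowered.replace(phrase.lower(), " ")
    return [t for t in terms
            if re.search(r"\b" + re.escape(t.lower()) + r"\b", lowered)]


if __name__ == "__main__":
    # Constructed sample messages: a council e-mail, a medical notice, a real hit.
    samples = [
        "From: clerk@stratfordcc.example\nSubject: Council minutes attached",
        "Breast cancer screening dates for March",
        "There is a rat in the server room",
    ]
    for s in samples:
        print(repr(s.splitlines()[0]), "naive:", naive_filter(s), "word:", word_filter(s))
```

Whichever matcher is used, the safeguard jagma_ asks for is procedural: run the filter in log-only mode against a day of real traffic before it is allowed to block anything, and check what it would have held.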

Users we dread

by D. Brock In reply to I am Reminded of a Story. ...

Sounds like my experience with many of these HTML wonders, the so called "Webmasters" who don't seem to know the first thing about computers and networks, yet they think they are so great because they can code HTML, and they think they are actually programming! Not all webmasters are in this category, I've done my own work in that field, but there are enough of these half-wits around to get really annoying.

I found that there are three types of users that we must deal with:

1) Those who don't know anything about computers and realize this. They can be annoying at times but usually don't cause too many real problems because they are too scared of breaking something.

2) Those who don't know anything about computers but don't realize it. These are of the "Enough knowledge to be dangerous but not enough to be useful" type.

3) Those who know what they are doing and rarely do something really stupid.

Group two is the worst, and seems to cause about 95% + of my headaches. Those computer "Wizards" who impress their friends because they have read two pages more than anyone else in the latest Dummies book. They seem to be the most know-it-all and condescending as well. Too bad they don't know 10% of what they think they do, or my life would be A LOT easier.

That's my soap box time. :)

Exactly....

by LordInfidel In reply to Definitely, but...

Extension blocking does take some planning.

For example, even though I block roughly 50+ extensions, it would be stupid of me to block doc, xls, dbf etc. Why? Because viruses that are in these sorts of docs are macros.

With most AV scanners that do extension blocking you can simply strip out the macros. Or scan the macro for heuristics.

I did however block PDFs. Why, you ask? It was determined about 3 months ago that it was possible to insert malicious code inside a PDF that, when the user clicks on a link inside the PDF, would cause it to execute.

Well that's not that bad you might think. The problem is 2-fold: 1, AV scanners can not scan PDFs, and 2, as we all know users are idiots and will click on anything that they receive.

As far as size blocking. I have always looked at it from several viewpoints.

E-mail should not be used as a file sending mechanism. SMTP is not the right protocol for large files.
Bandwidth is an issue when sending a large file. Especially to a group of people.
Finally, overhead on the mail server itself.

Regardless of your bandwidth and size of mailserver, size limitations are a must have for every mail server.
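Taken together, Bremmerz's block list (.exe, .bat, .com, .pif, .scr, .vbs), LordInfidel's decisions to leave doc/xls/dbf to the macro scanner but block PDFs, and the size limit argued for just above describe one gateway policy. The example below is added here and is not LordInfidel's or Bremmerz's gateway configuration; it applies those rules to a parsed message using Python's standard email library and returns a verdict with reasons, so the quarantine log records why a file was held and a work-related one can be released on request. The function names, the constructed sample messages, the 10 MB default cap and the handling of double extensions are assumptions of this example.

```python
"""Mail-gateway attachment policy: extension block list, macro-capable
documents routed to AV, and a message size cap.

Added example (not a poster's configuration). evaluate() returns
{'action': 'deliver' | 'quarantine' | 'reject', 'reasons': [...], 'macro_scan': [...]}.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Bremmerz's list plus .pdf, which LordInfidel blocked because AV could not scan it.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".pif", ".scr", ".vbs", ".pdf"}
# Document types deliberately allowed through; the risk there is a macro,
# so these are handed to the AV macro scanner rather than blocked.
MACRO_CAPABLE = {".doc", ".xls", ".dbf"}
DEFAULT_MAX_BYTES = 10 * 1024 * 1024  # assumed cap; set it for your bandwidth


def extensions_of(filename: str) -> List[str]:
    """All trailing extensions, lowercased: 'report.doc.vbs' -> ['.doc', '.vbs'].
    The last one decides what a client would launch; an extra one in front is
    the classic disguise, so the caller flags double extensions too."""
    exts: List[str] = []
    rest = filename.strip().lower()
    while True:
        rest, ext = os.path.splitext(rest)
        if not ext:
            return exts
        exts.insert(0, ext)


def evaluate(raw: bytes, max_bytes: int = DEFAULT_MAX_BYTES) -> dict:
    """Apply the size cap first, then the per-attachment extension rules."""
    verdict = {"action": "deliver", "reasons": [], "macro_scan": []}
    if len(raw) > max_bytes:
        verdict["action"] = "reject"  # SMTP is not a file-transfer protocol
        verdict["reasons"].append(f"message is {len(raw)} bytes, cap is {max_bytes}")
        return verdict
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = extensions_of(name)
        last = exts[-1] if exts else ""
        if last in BLOCKED_EXTENSIONS:
            verdict["action"] = "quarantine"
            verdict["reasons"].append(f"{name}: {last} is on the block list")
        elif last in MACRO_CAPABLE:
            verdict["macro_scan"].append(name)
        if len(exts) > 1:
            verdict["reasons"].append(f"{name}: note, double extension {''.join(exts)}")
    return verdict


def build_message(attachments: List[Tuple[str, bytes]]) -> bytes:
    """Constructed sample message carrying the given (filename, content) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@corp.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for files in ([("game.EXE", b"constructed")], [("budget.xls", b"constructed")],
                  [("report.doc.vbs", b"constructed")], [("notes.txt", b"constructed")]):
        print(files[0][0], "->", evaluate(build_message(files)))
```

Matching on the filename extension is exactly the policy the thread describes, and it has the thread's stated limits: it catches what users would double-click, not what the bytes actually are, which is why the macro-capable documents still go to the AV scanner instead of being trusted.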

Someone has to disagree...

by The Chalky In reply to Extension Blocking, The D ...

Perhaps it is because this is a small company that I work for (only 24 users), but the idea of blocking attachments would send my MD (and most probably the other directors) off his head.

Fortunately there is another solution. Our mail virus scanning is outsourced to a company called MessageLabs and we get regular reports on the viruses that are sent to us - and intercepted by them!

They even offer us a 100% guarantee that we will not get infected via an email virus.

No doubt most of you guys work in IT departments, but for the smaller organisations where I am the only IT person, there really isn't the time to look at this issue when such a simple solution exists.

Carry on blocking if you wish, but I prefer to allow this option which quarantines anything that they find suspicious and allows us to continue accepting all the normal attachments that are available to us.

As a final note, nobody else here would know what vbs meant! Whilst this is a clear reason for blocking, MessageLabs have stopped every malicious virus so far.

Even managed to disagree without being personal! How's that?
