Re: [FW-1] new virus (?)
Thanks for that link to the list of MIME types.. I'm rather new to MIME
types - am I right in thinking that application/octet-stream applies to
.exe files as well? Are there any other MIME types worth filtering?

TIA.

Tom.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Jill Samples
> Sent: 05 December 2001 19:12
> To: [email protected]
> Subject: Re: [FW-1] new virus (?)
>
> Here is a list of valid MIME types, if that is what you are looking for...
>
> http://www.isi.edu/in-notes/iana/assignments/media-types/media-types
>
> FYI: gone.scr is MIME type application/octet-stream
>
> >>> [email protected] 12/05/01 01:23PM >>>
> Where might I look for a list of the file types to block?
>
> > -----Original Message-----
> > From: Colmer, Philip [SMTP:[email protected]]
> > Sent: Wednesday, December 05, 2001 1:36 AM
> > To: [email protected]
> > Subject: Re: [FW-1] new virus (?)
> >
> > > We just got hit hard with emails with "Subject: Hi" and an
> > > attachment named "gone.scr". Has anyone else seen this?
> > > What is the procedure for blocking an email based on the
> > > subject at the firewall?
> >
> > You cannot block based on a subject with the firewall.
> >
> > What you can do is create an SMTP Security Server resource and use
> > that to strip out the attachments, either based on the MIME encoding
> > type (pre-SP3) or on the extension type (SP3 and later).
> >
> > To do this:
> >
> > 1. Create an SMTP resource. If all you are wanting to do is strip bad
> > attachments, just give it a name and put the IP address of the
> > destination SMTP server in. You can also use this resource to ensure
> > that incoming email matches your email domains - useful for preventing
> > relaying through your email server.
> >
> > 2. Set up a rule that ensures that all email intended for your email
> > server goes against the resource. To do this, where it would normally
> > say "SMTP" as the service, remove this and add the resource instead.
> > Pick SMTP and then pick the resource from the list.
> >
> > 3. Once you've set up the policy, go to the firewall. Find the
> > objects.C file. Edit the file and look for the definition of the SMTP
> > resource you've just created. Add the following to the end of the
> > definition:
> >
> >     : (forbiddenfiles
> >         : ("{*.scr}")
> >     )
> >
> > Save the file and re-implement the policy.
> >
> > What happens is that any attempt to connect to your email server for
> > the purposes of SMTP gets intercepted by the firewall. It then strips
> > out any attachment that has an extension that matches the list above -
> > you can have comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
> >
> > We've implemented the above ".scr" list for now, but we'll shortly be
> > expanding it to include all of the filetypes that Outlook now blocks.
> >
> > Implementing this has two benefits:
> >
> > 1. It stops the filetypes even hitting the mail server, thus reducing
> > the amount of work that the anti-virus software has to do.
> >
> > 2. It ensures that new viruses get stripped out, regardless of whether
> > or not the AV software knows about it ... which it didn't for the new
> > gone.scr virus.
> >
> > Hope that helps.
> >
> > --Philip
> >
> > --
> > Philip Colmer MBCS CEng          Tel: 01223 271223
> > I.T. Manager                     Fax: 01223 215513
> > ProQuest Information & Learning
> > The Quorum, Barnwell Road, Cambridge, CB5 8SW

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
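
The extension-based stripping discussed in this thread, as an added example (not part of the original messages and not Check Point code): a Python sketch that parses a list in the "{*.vbs,*.vbe,*.shs}" form quoted above and drops matching top-level attachments. The function names, the sample message and the case-insensitive matching are assumptions made for illustration. The sample gives all three attachments the generic type application/octet-stream, so a filter keyed on that type alone could not separate them.

```python
# Added illustration: NOT Check Point code. It mimics the extension-based
# stripping described in the thread using Python's standard email library.
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage


def parse_forbidden(spec):
    """Split a '{*.vbs,*.vbe}' style list (as quoted in the post) into globs."""
    return [p.strip().lower() for p in spec.strip().strip("{}").split(",") if p.strip()]


def strip_forbidden(raw, spec):
    """Return (message, removed); only top-level MIME parts are examined."""
    patterns = parse_forbidden(spec)
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.get_payload():
        name = (part.get_filename() or "").lower()  # assumption: case-insensitive
        if name and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            removed.append((part.get_filename(), part.get_content_type()))
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, removed


def build_sample():
    """Constructed test message: one text body and three attachments."""
    m = EmailMessage()
    m["Subject"] = "Hi"
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m.set_content("see attachment")
    for fname in ("gone.scr", "setup.exe", "data.bin"):
        m.add_attachment(b"\x00constructed", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_forbidden(build_sample(), "{*.scr,*.exe}")
    print("removed:", removed)
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```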