Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] new virus (?)

To: [email protected]
Subject: Re: [FW-1] new virus (?)
From: Tom Knight <[email protected]>
Date: Thu, 6 Dec 2001 09:24:25 -0000
Importance: Normal
In-reply-to: <sc0e2b58.045@sfld_smtp01.donerus.com>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Thanks for that link to the list of MIME types..

I'm rather new to MIME types - am I right in thinking
thatapplication/octet-stream applies to .exe files as well? Are there any
other MIME types worth filtering?

TIA.

Tom.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Jill
> Samples
> Sent: 05 December 2001 19:12
> To: [email protected]
> Subject: Re: [FW-1] new virus (?)
>
>
> Here is a list of valid MIME types, if that is what you are looking for...
>
> http://www.isi.edu/in-notes/iana/assignments/media-types/media-types
>
> FYI:   gone.scr is MIME type application/octet-stream
>
>
>
> >>> [email protected] 12/05/01 01:23PM >>>
> Where might I look for a list of the file types to block?
>
> > -----Original Message-----
> > From: Colmer, Philip [SMTP:[email protected]]
> > Sent: Wednesday, December 05, 2001 1:36 AM
> > To:   [email protected]
> > Subject:      Re: [FW-1] new virus (?)
> >
> > > We just got hit hard with emails with "Subject: Hi" and an
> > > attachment named "gone.scr".  has anyone else seen this?
> > > What is the procedure for blocking an email based on the
> > > subject at the firewall?
> >
> > You cannot block based on a subject with the firewall.
> >
> > What you can do is create an SMTP Security Server resource and
> use that to
> > strip out the attachments, either based on the MIME encoding type
> > (pre-SP3)
> > or on the extension type (SP3 and later).
> >
> > To do this:
> >
> > 1. Create an SMTP resource. If all you are wanting to do is strip bad
> > attachments, just give it a name and put the IP address of the
> destination
> > SMTP server in. You can also use this resource to ensure that incoming
> > email
> > matches your email domains - useful for preventing relaying through your
> > email server.
> >
> > 2. Set up a rule that ensures that all email intended for your email
> > server
> > goes against the resource. To do this, where it would normally
> say "SMTP"
> > as
> > the service, remove this and add the resource instead. Pick
> SMTP and then
> > pick the resource from the list.
> >
> > 3. Once you've set up the policy, go to the firewall. Find the objects.C
> > file. Edit the file and look for the definition of the SMTP resource
> > you've
> > just created. Add the following to the end of the definition:
> >
> > : (forbiddenfiles
> >   : ("{*.scr}")
> > )
> >
> > Save the file and re-implement the policy.
> >
> > What happens is that any attempt to connect to your email server for the
> > purposes of SMTP gets intercepted by the firewall. It then
> strips out any
> > attachment that has an extension that matches the list above - you can
> > have
> > comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
> >
> > We've implemented the above ".scr" list for now, but we'll shortly be
> > expanding it to include all of the filetypes that Outlook now blocks.
> >
> > Implementing this has two benefits:
> >
> > 1. It stops the filetypes even hitting the mail server, thus
> reducing the
> > amount of work that the anti-virus software has to do.
> >
> > 2. It ensures that new viruses get stripped out, regardless of
> whether or
> > not the AV software knows about it ... which it didn't for the new
> > gone.scr
> > virus.
> >
> > Hope that helps.
> >
> > --Philip
> >
> > --
> > Philip Colmer MBCS CEng                 Tel: 01223 271223
> > I.T. Manager                            Fax: 01223 215513
> > ProQuest Information & Learning
> > The Quorum, Barnwell Road, Cambridge, CB5 8SW
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

References:
- Re: [FW-1] new virus (?)
  - From: Jill Samples <[email protected]>

Prev by Date: Re: [FW-1] Anyone seen ICMP Type 38 / Code 37 ???
Next by Date: Re: [FW-1] new virus (?)
Previous by thread: Re: [FW-1] new virus (?)
Next by thread: Re: [FW-1] new virus (?)
Index(es):
- Date
- Thread