
Attachments, what to allow and what to block?

Jason Meyer
Level 1

I'm being asked to review our policy on what attachments we block at our perimeter with our IronPort appliances.  We currently block the following attachments (bas|bat|cmd|com|cpl|exe|hta|inf|ins|isp|js|jse|lnk|msc|msi|msp|mst|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|wsc|wsh|wma|wmf|test) by filename contains.

Are there any standards or 'best practices' guidelines for what I should block?

Are the anti-virus filters good enough today to not have to block by attachment extension name anymore?  Just asking. 

Jason

1 Reply

Andreas Mueller
Level 4

Hello Jason,

Last question first: the virus scanners, no matter if you use McAfee or Sophos, basically do know about all common filetypes today, so unless a file is password protected, any virus or trojan will be found. Even if the sender renamed the extension to something "harmless", as the scanners do not care about file names and extensions. So to answer your first question, it's all about the policies you have in your organisation, and thus there are no best practices around. I.e. most companies do not allow executables at all, or multimedia files, as they are most likely not business related. So that's why, apart from blocking extensions, you also have the possibility to block filetypes or groups of filetypes - the advantage of blocking a filetype instead of an extension is that the filter looks for the actual type, no matter what the file name + extension says. That would be the only suggestion I'd give; looking at your list of extensions I'd say it's pretty much covered by the filetypes "executables" and "media", except for the URL and VB script, where an additional condition looking for the extension would make sense.

Hope that helps,

Regards, Andreas
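
The distinction drawn in the reply above, between a filetype condition that inspects content and an extension condition that inspects only the name, shown as an added example that is not part of either post and is not how the IronPort appliance implements its filters. The extension list comes from the question; the magic-number table, the `sniff_type` and `verdict` functions, and the sample attachments are constructed for illustration.

```python
import re

# Extension list from the question, matched as the final extension (assumption).
BLOCKED_EXT = re.compile(
    r"\.(bas|bat|cmd|com|cpl|exe|hta|inf|ins|isp|js|jse|lnk|msc|msi|msp|mst|pif|"
    r"reg|scr|sct|shb|shs|url|vb|vbe|vbs|wsc|wsh|wma|wmf|test)$",
    re.IGNORECASE,
)

# Small table of well-known magic numbers; a real fingerprinter covers far more.
MAGIC = [
    (b"MZ", "executable"),                           # DOS/Windows PE
    (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", "media"),  # ASF container (WMA/WMV)
    (b"%PDF-", "document"),
]
BLOCKED_TYPES = {"executable", "media"}  # the two groups named in the reply


def sniff_type(data):
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def verdict(filename, data):
    """Return (blocked, reasons) after applying both conditions."""
    reasons = []
    kind = sniff_type(data)
    if kind in BLOCKED_TYPES:
        reasons.append("filetype:" + kind)
    match = BLOCKED_EXT.search(filename)
    if match:
        reasons.append("extension:" + match.group(1).lower())
    return bool(reasons), reasons


# Constructed sample attachments (name, first bytes of content).
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),        # executable renamed to .pdf
    ("report.pdf", b"%PDF-1.4\n"),                  # genuine PDF
    ("logon.vbs", b'WScript.Echo "hello"\r\n'),     # plain-text script, no magic
    ("site.url", b"[InternetShortcut]\r\nURL=https://example.com/\r\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, verdict(name, data))
```

The renamed executable is caught only by the filetype condition, while the script and shortcut files, which are plain text with no signature, are caught only by the extension condition.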
