File extensions blocked by default by GFI or Outlook

Hi
We have 2 levels of attachment checking. The first is at server level using GFI Security Essentials. It has a default list of blocked extensions. The second level is at the workstation level with Outlook 2003 since it also has a list of extensions it blocks by default. (And yes, I know I can do a registry entry, etc. to modify Outlook to "unblock" one or more file extensions - that is not my question).
I took both lists (GFI and Outlook) and compared them to each other. Most of the extensions on one list are matched by the other and I'm making the assumption that if both agree, then there's a pretty good reason why those extensions are blocked. (May be an incorrect assumption but I have to start somewhere!). Anyway, I am left with a short list of extensions that are blocked by only GFI or only by Outlook.

Here are the lists:
Blocked by GFI only (default settings):
.wmd      Windows Media Download Package
.wmv      Windows Media Video
.wmz      Compressed Windows Media Player Skin
.asf      Advanced Systems Format (media format developed by Microsoft)

Blocked by Outlook only (default settings):
.mdz      Microsoft Access wizard program
.mda      Microsoft Access add-in program
.asx      Windows Media Audio / Video shortcut
.prf      Microsoft Outlook Profile Settings
.scf      Windows Explorer Command

Finally, my questions: Can anyone tell me why each of these extensions would be blocked by default? How likely is it that a typical user would receive any of these for legitimate reasons (i.e. not a virus/trojan/malware of any kind)? I think the one that bothers my users most is the .wmv video files (and possibly .wmd - not sure if these are also video files?) At the moment, these types of files (GFI list) are simply deleted. I do have the option for quarantining the files and forwarding to the user after checking them...however, I have no idea what I would check for and how would I know if it's safe to forward to the user? Granted, most of these types of files are junk that probably shouldn't be coming to their business email but some of the users complaining are higher up management so I need to be able to respond appropriately.
I appreciate any help.
Thanks!
gela923 Asked:

maninblac1 Commented:
Well, I can't give you precise answers, but I can do some thinking for you from what I know.

For GFI,
The powers to embed malicious code are significant. I once downloaded a video that had a shortcut embedded into the video, and every time I played it, when I got to a certain point in the movie, my internet browser opened to a page.  Now, to me, that's pretty dangerous... here you are watching for 2.5 min and all of a sudden your IE window just pops up, and who knows what kind of scripts and trojans will be located on that page.  That's some of the dangers of the media types, wmv, asf, and asx.  This isn't very likely, not very common, and in general not seen unless you're downloading illegal content.  The skin, well, here again, a skin probably isn't dangerous, but there isn't really any guarantee; I would associate this with the fact that it is possibly a common extension used to hide viruses, like the scr extension to make you think it's a screen saver.  Also, not very common if not unseen.  The download package, I've never seen that extension; I'm guessing it's used for updates or as a false extension for trojans.

For Outlook,
Well, I ask myself, what doesn't Outlook block?  Anyways, the Access is obvious: mdz and mda are going to be macros, and as macros can be macro viruses.  There is legitimate reason to unblock them if your workers use Access a lot and are spitting databases back and forth via email.  prf, this is only logical: there really shouldn't be any reason that you're sending your Outlook settings to someone else; if you're getting an email with someone else's settings, something is up.  And scf, well, it's a type of executable, always dangerous.  All of these I'd call uncommon.

In general, bad stuff is being sent in a few ways: zips, rars, scrs, exes, and I say this lightly, any other extension.  We must always remember that XP allows for static extension changes, but reads headers dynamically.  This means, if I have test.txt I can go to Explorer and rename it test.doc, and even though I made it in Notepad, it's now a Word document. Now, depending on which extensions I change to what, that will determine which program opens it; in this case, Word will open as we expect and will most likely crash or give really messy interpretations of it.  However, and I use this hypothetically 'cause I don't know if this case actually works, but I do know this is the case for some extension switches, if I take an exe and change it to an html and open it, IE pops up to open the webpage, IE reads the headers, says, "hey, this isn't a webpage" and shifts control to the OS, where it says this is an EXE and runs the program accordingly. This is the dynamic reading of the headers I was talking about.  And for a trojan attack this kind of secrecy is perfect.  Not common, but can and does happen.

Summarizing, there are good reasons why, though they may not make reasonable sense, but someone said, "we should block this just in case."  It's the admin's job to evaluate each risk accordingly and edit the list accordingly.
0
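
Added example, not part of the original thread or either poster's words: a quarantine-review check that compares each attachment's header bytes with what its extension claims, for the extensions listed in the question. The function names `sniff` and `review`, the sample files and the `media.example` host are constructed for illustration; the signatures are the publicly documented ones for ASF, ZIP (the container used by .wmz and .wmd), Jet databases and Windows executables.

```python
import re

ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # ASF header object
EXPECTED = {  # extension -> container the content should really be
    ".wmv": "asf", ".asf": "asf",
    ".wmz": "zip", ".wmd": "zip",
    ".mda": "jetdb", ".mdz": "jetdb",
    ".asx": "text", ".prf": "text", ".scf": "text",
}
URL_RE = re.compile(rb"(?:https?|mms|rtsp)://[^\s\"'<>]+", re.I)

def sniff(data: bytes) -> str:
    """Classify content by its header, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:16] == ASF_GUID:
        return "asf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[4:19] == b"Standard Jet DB":
        return "jetdb"
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"

def review(name: str, data: bytes) -> dict:
    """Verdict for one quarantined attachment: header match or hold."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    actual, expected = sniff(data), EXPECTED.get(ext)
    if actual == "pe":
        verdict = "hold: executable content"
    elif expected is None:
        verdict = "hold: extension not on the reviewed list"
    elif actual != expected:
        verdict = f"hold: {ext} should be {expected}, found {actual}"
    else:
        verdict = "header matches extension"
    # Text shortcuts such as .asx point elsewhere; list the targets for the reviewer.
    urls = [u.decode() for u in URL_RE.findall(data)] if actual == "text" else []
    return {"file": name, "type": actual, "verdict": verdict, "urls": urls}
# Constructed samples, not real attachments.
SAMPLES = {
    "clip.wmv": ASF_GUID + bytes(32),
    "holiday.wmv": b"MZ\x90\x00" + bytes(60),
    "playlist.asx": b'<asx version="3.0"><entry><ref href="http://media.example/a.wmv"/></entry></asx>',
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(review(fname, blob))
```

A matching header only confirms the container type; it says nothing about what the media, archive or database inside contains.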

gela923 (Author) Commented:
maninblac1
I appreciate your response and especially your detailed comments; this is exactly the sort of thing I needed. I think I can go forward and make a decision from here so I will go ahead and close the question.
Thanks again!
0