Files extensions blocked by default by GFI or Outlook

Posted on 2006-04-04
Last Modified: 2013-12-04
Hi
We have 2 levels of attachment checking. The first is at server level using GFI Security Essentials. It has a default list of blocked extensions. The second level is at the workstation level with Outlook 2003, since it also has a list of extensions it blocks by default. (And yes, I know I can do a registry entry, etc. to modify Outlook to "unblock" one or more file extensions - that is not my question).
I took both lists (GFI and Outlook) and compared them to each other. Most of the extensions on one list are matched by the other, and I'm making the assumption that if both agree, then there's a pretty good reason why those extensions are blocked. (May be an incorrect assumption, but I have to start somewhere!) Anyway, I am left with a short list of extensions that are blocked only by GFI or only by Outlook.

Here are the lists:
Blocked by GFI only (default settings):
.wmd      Windows Media Download Package
.wmv      Windows Media Video
.wmz      Compressed Windows Media Player Skin
.asf      Advanced Systems Format (media format developed by Microsoft)

Blocked by Outlook only (default settings):
.mdz      Microsoft Access wizard program
.mda      Microsoft Access add-in program
.asx      Windows Media Audio / Video shortcut
.prf      Microsoft Outlook Profile Settings
.scf      Windows Explorer Command

Finally, my questions: Can anyone tell me why each of these extensions would be blocked by default? How likely is it that a typical user would receive any of these for legitimate reasons (i.e., not a virus/trojan/malware of any kind)? I think the one that bothers my users most is the .wmv video files (and possibly .wmd - not sure if these are also video files?). At the moment, these types of files (GFI list) are simply deleted. I do have the option of quarantining the files and forwarding them to the user after checking them... however, I have no idea what I would check for, and how would I know if it's safe to forward to the user? Granted, most of these types of files are junk that probably shouldn't be coming to their business email, but some of the users complaining are higher-up management, so I need to be able to respond appropriately.
I appreciate any help.
Thanks!
Question by: gela923
2 Comments

Accepted Solution by: maninblac1
Well, I can't give you precise answers, but I can do some thinking for you from what I know.

For GFI,
The powers to embed malicious code are significant. I once downloaded a video that had a shortcut embedded into the video, and every time I played it, when I got to a certain point in the movie my internet browser opened to a page. Now, to me, that's pretty dangerous... here you are watching for 2.5 min and all of a sudden your IE window just pops up, and who knows what kind of scripts and trojans will be located on that page. That's some of the dangers of the media types wmv, asf, and asx. This isn't very likely, not very common, and in general not seen unless you're downloading illegal content. The skin, well, here again, a skin probably isn't dangerous, but there isn't really any guarantee; I would associate this with the fact that it is possibly a common extension used to hide viruses, like the scr extension to make you think it's a screen saver. Also not very common, if not unseen. The download package, I've never seen that extension; I'm guessing it's used for updates or as a false extension for trojans.

For Outlook,
Well, I ask myself, what doesn't Outlook block? Anyway, the Access ones are obvious: mdz and mda are going to be macros, and as macros can be macro viruses. There is legitimate reason to unblock them if your workers use Access a lot and are spitting databases back and forth via email. prf, this is only logical; there really shouldn't be any reason that you're sending your Outlook settings to someone else, and if you're getting an email with someone else's settings, something is up. And scf, well, it's a type of executable, always dangerous. All of these I'd call uncommon.

In general, bad stuff is being sent in a few ways: zips, rars, scrs, exes, and, I say this lightly, any other extension. We must always remember that XP allows for static extension changes but reads headers dynamically. This means if I have test.txt I can go to Explorer and rename it test.doc, and even though I made it in Notepad, it's now a Word document. Now, which extensions I change to what will determine which program opens it; in this case, Word will open as we expect and will most likely crash or give really messy interpretations of it. However (and I use this hypothetically because I don't know if this case actually works, but I do know this is the case for some extension switches), if I take an exe and change it to an html and open it, IE pops up to open the webpage, IE reads the headers, says "hey, this isn't a webpage," and shifts control to the OS, where it says this is an EXE and runs the program accordingly. This is the dynamic reading of the headers I was talking about. And for a trojan attack this kind of secrecy is perfect. Not common, but can and does happen.

Summarizing, there are good reasons why, though they may not make reasonable sense, but someone said, "we should block this just in case." It's the admin's job to evaluate each risk and edit the list accordingly.
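The question asks what a quarantine reviewer could actually check before forwarding a blocked .wmv/.wmd/.asf attachment, and the answer above leans on file headers versus extensions. The script below is an added example written for this thread; it is not code from GFI, Outlook or either poster. It reads the first bytes of an attachment and reports whether they agree with the extension the file name claims, names the content it does recognise regardless of the name, and flags double extensions such as clip.wmv.exe (Windows chooses the handler from the last extension). The ASF, zip and PE signatures are from the public format specifications; treating .wmd and .wmz as zip containers and .asx/.scf as text files is this example's own assumption and should be confirmed against samples from your own gateway. A "consistent" result means only that name and header agree, not that the file is safe; the sample inputs in the demo are constructed.

```python
"""Attachment triage: does the header agree with the extension the name claims?

Added example for this thread, not code from GFI, Outlook or the posters.
Signatures are from the public format specs; the per-extension rules for
.wmd/.wmz (zip containers) and .asx/.scf (text) are assumptions.
"""
import os
from typing import Dict, List, Tuple

# ASF, WMV and WMA files all open with the ASF_Header_Object GUID.
ASF_HEADER = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
ZIP_HEADER = b"PK\x03\x04"   # zip local file header
PE_HEADER = b"MZ"            # DOS/PE executable stub (.exe, .scr, .dll, ...)

# What the leading bytes should look like for each claimed extension.
EXPECTED_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".wmv": (ASF_HEADER,),
    ".wma": (ASF_HEADER,),
    ".asf": (ASF_HEADER,),
    ".wmd": (ZIP_HEADER,),      # assumption: Media Download package is a zip container
    ".wmz": (ZIP_HEADER,),      # assumption: compressed skin is a zip container
    ".asx": (b"<asx",),         # text playlist; BOM, whitespace and case handled below
    ".scf": (b"[Shell]",),      # INI-style text
    ".exe": (PE_HEADER,),
    ".scr": (PE_HEADER,),
}

# Content worth naming whatever the file name says.
BINARY_CONTENT = [
    (PE_HEADER, "Windows executable (PE)"),
    (ZIP_HEADER, "zip container"),
    (ASF_HEADER, "ASF media (wmv/wma/asf)"),
]
TEXT_CONTENT = [
    (b"<asx", "ASX playlist"),
    (b"<!doctype html", "HTML"),
    (b"<html", "HTML"),
    (b"[shell]", "SCF shell command file"),
]


def _text_head(data: bytes) -> bytes:
    """First bytes as lowercase text with a UTF-8 BOM and leading whitespace removed."""
    head = data[:64]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return head.lstrip().lower()


def identify_content(data: bytes) -> str:
    """Name the content from its header alone, ignoring the file name."""
    head = data[:16]
    for magic, name in BINARY_CONTENT:
        if head.startswith(magic):
            return name
    text = _text_head(data)
    for magic, name in TEXT_CONTENT:
        if text.startswith(magic):
            return name
    return "unknown"


def extensions(filename: str) -> List[str]:
    """All extensions in the name, lowercased: 'clip.wmv.exe' -> ['.wmv', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the claimed (last) extension with the header and list the findings."""
    exts = extensions(filename)
    claimed = exts[-1] if exts else ""
    content = identify_content(data)
    findings: List[str] = []
    if len(exts) > 1:
        findings.append(f"double extension {''.join(exts)}: Windows opens it as {claimed}")
    expected = EXPECTED_MAGIC.get(claimed)
    if expected is None:
        findings.append(f"no header rule for {claimed or '(no extension)'}")
    else:
        head, text = data[:16], _text_head(data)
        if not any(head.startswith(m) or text.startswith(m.lower()) for m in expected):
            findings.append(f"header does not match {claimed}: content looks like {content}")
    if content == "Windows executable (PE)" and claimed not in (".exe", ".scr"):
        findings.append("executable content under a non-executable name")
    return {"claimed": claimed, "content": content, "findings": findings,
            "consistent": not findings}


if __name__ == "__main__":
    # Constructed samples: a real .wmv header, an .exe renamed to .wmv, a double extension.
    samples = [
        ("clip.wmv", ASF_HEADER + b"\x00" * 32),
        ("clip.wmv", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
        ("clip.wmv.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("play.asx", b"\xef\xbb\xbf<ASX version=\"3.0\">\r\n</ASX>"),
    ]
    for name, data in samples:
        print(name, triage(name, data))
```

Run it against the quarantine folder with `triage(name, open(path, "rb").read(64))` per file; anything not marked consistent is worth a closer look before it is forwarded, and a file that is consistent still only tells you it is what it says it is.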
Author Comment by: gela923
maninblac1
I appreciate your response and especially your detailed comments; this is exactly the sort of thing I needed. I think I can go forward and make a decision from here so I will go ahead and close the question.
Thanks again!