Files extensions blocked by default by GFI or Outlook

Posted on 2006-04-04
Last Modified: 2013-12-04
We have 2 levels of attachment checking. The first is at server level using GFI Security Essentials. It has a default list of blocked extensions. The second level is at the workstation level with Outlook 2003 since it also has a list of extensions it blocks by default. (And yes, I know I can do a registry entry, etc. to modify Outlook to "unblock" one or more file extensions - that is not my question).
I took both lists (GFI and Outlook) and compared them to each other. Most of the extensions on one list are matched by the other and I'm making the assumption that if both agree, then there's a pretty good reason why those extensions are blocked. (May be an incorrect assumption but I have to start somewhere!). Anyway, I am left with a short list of extensions that are blocked by only GFI or only by Outlook.

Here are the lists:
Blocked by GFI only (default settings):
.wmd      Windows Media Download Package
.wmv      Windows Media Video
.wmz      Compressed Windows Media Player Skin
.asf      Advanced Systems Format (media format developed by Microsoft)

Blocked by Outlook only (default settings):
.mdz      Microsoft Access wizard program
.mda      Microsoft Access add-in program
.asx      Windows Media Audio / Video shortcut
.prf      Microsoft Outlook Profile Settings
.scf      Windows Explorer Command

Finally, my questions: Can anyone tell me why each of these extensions would be blocked by default? How likely is it that a typical user would receive any of these for legitimate reasons (i.e. not a virus/trojan/malware of any kind)? I think the one that bothers my users most is the .wmv video files (and possibly .wmd - not sure if these are also video files?) At the moment, these types of files (GFI list) are simply deleted. I do have the option for quarantining the files and forwarding to the user after checking them...however, I have no idea what I would check for and how would I know if it's safe to forward to the user? Granted, most of these types of files are junk that probably shouldn't be coming to their business email but some of the users complaining are higher up management so I need to be able to respond appropriately.
I appreciate any help.
Question by:gela923
    LVL 9

    Accepted Solution

    Well, I can't give you precise answers, but I can do some thinking for you from what I know.

    For GFI,
    The powers to embed malicious code are significant; I once downloaded a video that had a shortcut embedded into the video, and every time I played it, when I got to a certain point in the movie, my internet browser opened to a page.  Now, to me, that's pretty you are watching for 2.5 min and all of a sudden your IE window just pops up, and who knows what kind of scripts and trojans will be located on that page.  That's some of the dangers of the media types, wmv, asf, and asx.  This isn't very likely, not very common, and in general not seen unless you're downloading illegal content.  The skin, well, here again, a skin probably isn't dangerous, but there isn't really any guarantee; I would associate this with the fact that it is possibly a common extension used to hide viruses, like the scr extension to make you think it's a screen saver.  Also, not very common if not unseen.  The download package, I've never seen that extension; I'm guessing it's used for updates or as a false extension for trojans.

    For Outlook,
    Well, I ask myself, what doesn't Outlook block?  Anyways the Access is obvious, mdz and mda are going to be macros, and as macros can be macro viruses.  There is legitimate reason to unblock them if your workers use Access a lot and are spitting databases back and forth via email.  prf, this is only logical, there really shouldn't be any reason that you're sending your Outlook settings to someone else; if you're getting an email with someone else's settings, something is up.  And scf, well it's a type of executable, always dangerous.  All of these I'd call uncommon.

    In general, bad stuff is being sent in a few ways, zip's, rar's, scr's, exe's, and I say this lightly, any other extension.  We must always remember that XP allows for static extension changes, but reads headers dynamically.  This means, if I have test.txt I can go to Explorer and rename it test.doc and even though I made it in Notepad, it's now a Word document; now depending on which extensions I change to what, will determine which program opens it. In this case, Word will open as we expect and will most likely crash or give really messy interpretations of it.  However, and I use this hypothetically because I don't know if this case actually works, but I do know this is the case for some extension switches, if I take an exe and change it to an html and open it, IE pops up to open the webpage, IE reads the headers, says, "hey this isn't a webpage" and shifts control to the OS where it says this is an EXE and runs the program accordingly; this is the dynamic reading of the headers I was talking about.  And for a trojan attack this kind of secrecy is perfect.  Not common, but can and does happen.

    Summarizing, there are good reasons why, though they may not make reasonable sense, but someone said, "we should block this just in case."  It's the admin's job to evaluate each risk accordingly and edit the list accordingly.
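
The answer's point that a file's header, not its extension, decides what it really is can be turned into a first check on quarantined media attachments. The sketch below is an added example, not part of the original thread: `sniff` and `triage` are hypothetical names, the sample attachments are constructed, and it assumes `.wmv`/`.asf` are ASF containers and `.wmz`/`.wmd` are ZIP packages.

```python
import os

# ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C as stored on disk
ASF_HEADER = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Leading bytes -> container type (well-known file signatures)
MAGICS = [
    (b"MZ", "pe-executable"),
    (ASF_HEADER, "asf-media"),
    (b"PK\x03\x04", "zip-archive"),
]

# Container each GFI-only extension is assumed to use
EXPECTED = {
    ".wmv": "asf-media", ".asf": "asf-media",
    ".wmz": "zip-archive", ".wmd": "zip-archive",
}

def sniff(data: bytes) -> str:
    """Return the container type indicated by the first bytes of the file."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename: str, data: bytes) -> str:
    """Compare the claimed extension with what the header says."""
    ext = os.path.splitext(filename.lower())[1]
    found = sniff(data)
    if found == "pe-executable":
        return "reject: executable content"
    expected = EXPECTED.get(ext)
    if expected is None:
        return "review: extension not in table"
    if found != expected:
        return f"reject: {ext} should be {expected}, header says {found}"
    # A matching header confirms only the container type, not that the
    # content is harmless; the file still goes through the normal AV scan.
    return "header matches: continue with AV scan"

if __name__ == "__main__":
    # Constructed sample attachments (name, first bytes)
    samples = [
        ("holiday.wmv", ASF_HEADER + b"\x00" * 16),
        ("holiday2.wmv", b"MZ\x90\x00\x03\x00"),
        ("skin.wmz", b"PK\x03\x04\x14\x00"),
        ("clip.asf", b"PK\x03\x04\x14\x00"),
    ]
    for name, head in samples:
        print(f"{name:14} {triage(name, head)}")
```
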

    Author Comment

    I appreciate your response and especially your detailed comments; this is exactly the sort of thing I needed. I think I can go forward and make a decision from here so I will go ahead and close the question.
    Thanks again!
