
Filter EXE, .PIF, and .SCR ??

quell

IS-IT--Management
Nov 8, 2002
363
US
Quick question.
How can I filter these file extensions from my Exchange Server 5.5 on a Windows 2000 server?
 
As far as I know, you can't. The newer versions of Outlook filter them out, but Exchange 5.5 doesn't filter attachments by type. What anti-virus program are you using on the server? Shouldn't that have filter settings? We use ARCServe and it has a customizable filter list....
 
Thank you for the info.
We are using Norton's AV for Exchange and Symantec Corp Ed.
Older versions that don't have any content filter on them. I didn't know if there was a way to filter with Exchange 5.5 or not. I need to look into either upgrading Norton's or another solution. Anyway, thanks.
 
Easily the best software for this sort of thing that I've found is Antigen by Sybari (I am not on commission but..........)

It has both File Filter and Content filter both of which are very easy to deliver should the file turn out to be "official".

It also uses up to 5 virus scanning engines for mail, with very little impact on delivery performance (we're talking a second maybe two!)

But no I have never found a way to do it via Exchange 5.5, no doubt someone clever will prove me wrong :(

Any help?

Iain
 
Journaling is too much overhead, more so with hundreds of mailboxes.

McAfee GShield is what we use and it works great.
You can also filter your smtp traffic through ISA.

Big thing here is; The users should be blocking those attachments at the desktop in their outlook client.
Patches for Outlook that came out a long long time ago apply the security patch without a choice. However, smart users may be able to find ways around this....

If you have Norton and a newer version of your product exists... Get it.

If it costs and you can't squeeze the cash out of your management then document not only that added feature to the upgrade but also the other "fixes" and features.

Throw in some downtime estimates and maybe "lose" an important mailbox if they really give you a hard time. "It was a virus that came in via exe, so sorry!" ;)

One last thing to look at is GFI Mail Security.
GFI releases freeware anti-virus version of GFI MailSecurity for Exchange/SMTP - 21 August 2003 - GFI has released a freeware version of GFI MailSecurity for Exchange/SMTP that scans inbound and outbound mail using a single anti-virus engine, and also checks message bodies and subjects for keywords.

Good luck, have fun ;)
A
 
... oh and, lil clarification...

I say gshield is good... for attachment filtering.

If you're going to buy something... get Antigen.

Antigen will be our first line of defense on the relay and gshield will stay on the mail server. ;)

 
Quell, I use Norton AntiVirus for Exchange at work. We do block these extensions by altering the registry. Unfortunately this article is at work. When I go to work tomorrow I'll get the article. If you're interested let me know..

 
I really must apologize for the length of this article from symantec. But here is your solution....

Norton AntiVirus for Microsoft Exchange 2.1 and later versions enable you to create a list of files to be handled as though they were infected. If a file name or extension matches one of the entries in the list, then it will be handled according to the options set for infected files. The virus information reported for the attachment will be "UNAUTHORIZED FILE."

Blocking email attachments is supported using VAPI or MAPI/VAPI combination mode, this is not supported using MAPI only mode.

This document describes how to block specific attachments; the email message will still be delivered, but without the attachment. For instructions on blocking entire email messages that contain unauthorized files, see the document How to delete email and its attachment with Norton AntiVirus for Microsoft Exchange.

NOTE: If the Microsoft Exchange Information Store contains a large number of infected attachments, then see the document How to remove a large number of infected attachments from the Microsoft Exchange Information Store for instructions on purging the infected messages.

The following example will block three entries, files based on the extension (*.vbs), the file name (virus.txt) and the extension (*.jpg.exe).

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify only the keys that are specified.


Open the Registry Editor, and then navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment

NOTE: If you are running NAVMSE 2.5, the correct registry key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.5\BlockingPolicy\Attachment

Specify the total number of file names and extensions to be excluded. In this example, a total of three entries, a file name and two extensions are to be blocked.
Right-click AttachmentNamesCount, and then click Modify.
Change the base to Decimal, type 3 in Value data window, and then click OK.

WARNING: Care should be taken here. The Registry Editor defaults to hexadecimal, but it is easy to assume decimal. A change from 9 to 10 in hexadecimal is a change from 9 to 16 in decimal. When modifying the AttachmentNamesCount value, make sure you select decimal.

Create a new String Value for each file name or extension in the list. Follow the naming convention of AttachmentNamesX, where X represents sequential integers. The following registry entries illustrate the correct sequence; AttachmentNamesX always starts with 0 and runs sequentially:
AttachmentNames0
AttachmentNames1
AttachmentNames2

To create a String Value for *.vbs, virus.txt and *.jpg.exe:
A. In left pane, right-click Attachment, point to New, and then click String Value.
B. Type AttachmentNames0 as new String Value, and then press Enter.
C. Right-click AttachmentNames0, click Modify, type *.vbs as the Value data, and then click OK.
D. Repeat steps A through C to create a second String Value for AttachmentNames1 with a Value data of virus.txt.
E. Repeat steps A through C to create a third String Value for AttachmentNames2 with a Value data of *.jpg.exe.

WARNING: If you remove an entry from the list, then be sure that the remaining entries are renumbered sequentially. Do not leave any gaps in the numbering.

To configure NAVMSE to search for the specified extension or file name within compressed files, set the Value data to 1. Setting the Value data to 0 will prevent NAVMSE from searching within compressed files. (Optional)
Right-click AllowsChecksWithinArchives, and then click Modify.
Type 1 in the Value data window to search for the specified compressed files.
Stop and then restart the NAV for Microsoft Exchange service, or run NaveUpdate.exe to have the new settings take effect. NaveUpdate.exe is found in the installed directory along with all the NAVMSE executables.

NOTE: If you test the blocked extensions by creating a file and naming it using a blocked extension, then make sure the file is not 0 KB.

The following are examples of how to set up blocked extensions including double extensions.
*.txt.vbs
*.jpg.exe
*.mp3.bat
*.jpg

NOTE: File name comparisons are not case-sensitive.

The following registry keys and values are created after the first save of any option settings after installation:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment

NOTE: The 2.1 key in the registry path above may vary depending on your version of NAVMSE.

"UseRegularExpressions"=dword:00000000
"AttachmentNamesCount"=dword:00000000
"AllowsChecksWithinArchives"=dword:00000001

NOTE: If Norton AntiVirus for Exchange is uninstalled, and then reinstalled or updated, then the registry keys created to block files by extension will be lost. Suggest exporting the registry key prior to uninstall or reinstall. When the uninstall or reinstall is completed import the registry key back into the registry.

 
The files are quarantined and then kept in Norton for you to release. When an attachment is quarantined the recipient receives a text email saying it was quarantined and to contact the administrator..

I hope this helps..
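
As an added example (not part of the original post or of Symantec's article), the registry procedure above can be scripted so that the count is always written as a correct hexadecimal dword and the AttachmentNamesX entries are numbered from 0 without gaps. The function names, the REGEDIT4 export format and the sample block list are assumptions of this sketch; the key path and value names are the ones quoted in the article.

```python
import re

# Key path and value names are the ones given in the Symantec article above.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\{ver}\BlockingPolicy\Attachment"

def build_reg(patterns, ver="2.1", check_archives=True):
    """Return REGEDIT4-format text (hypothetical helper) that blocks `patterns`."""
    if not patterns:
        raise ValueError("empty block list")
    lines = ["REGEDIT4", "", "[" + KEY.format(ver=ver) + "]"]
    # .reg dwords are hexadecimal: 16 entries must be written as 00000010.
    lines.append('"AttachmentNamesCount"=dword:%08x' % len(patterns))
    lines.append('"AllowsChecksWithinArchives"=dword:%08x' % int(check_archives))
    for i, pat in enumerate(patterns):  # numbering starts at 0, no gaps
        esc = pat.replace("\\", "\\\\").replace('"', '\\"')
        lines.append('"AttachmentNames%d"="%s"' % (i, esc))
    return "\r\n".join(lines) + "\r\n"

def audit_export(reg_text):
    """Check an exported key for the mistakes the article warns about."""
    count = re.search(r'"AttachmentNamesCount"=dword:([0-9a-fA-F]{8})', reg_text)
    if count is None:
        return ["AttachmentNamesCount missing"]
    names = {int(i): v for i, v in
             re.findall(r'"AttachmentNames(\d+)"="([^"]*)"', reg_text)}
    problems = []
    n = int(count.group(1), 16)
    if n != len(names):
        problems.append("count is %d but %d entries exist" % (n, len(names)))
    gaps = [i for i in range(len(names)) if i not in names]
    if gaps:
        problems.append("numbering gap at index %s" % gaps)
    return problems

# Constructed sample: an entry was deleted without renumbering or fixing the count.
BAD_EXPORT = build_reg(["*.vbs", "virus.txt", "*.scr"]).replace(
    '"AttachmentNames1"="virus.txt"\r\n', "")

if __name__ == "__main__":
    print(build_reg(["*.vbs", "*.exe", "*.scr"], ver="2.5"))
    print(audit_export(BAD_EXPORT))
```

Import the generated text with the Registry Editor after backing up the key, then restart the NAV for Microsoft Exchange service or run NaveUpdate.exe as the article describes.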
 
Well, McAfee GroupShield does this right out of the box so I really don't consider that an answer, but just an explanation of the product. However, if that's what the man needs to hear you hit the nail on the head.
 
Quell, I was curious if this solution worked for you. Let me know ....
 
Bgarret, Sorry it took so long to try this out just been a little busy here. Anyway here are the results:

Sender of the infected attachment: Unknown Sender
Recipient of the infected attachment: Unknown
Subject of the message: Unknown
One or more attachments were quarantined.
Attachment msconfig.exe was Quarantined for the following reasons:
Virus UNAUTHORIZED FILE was found.
I followed the instructions you posted and it works great. Thank you.
I entered *.vbs, *.exe, *.scr
 