Blocking those WMF’s at the email border

Okay so even before I blocked the WMF’s via ISA server so that they are blocked while surfing…the first thing I did [because I knew easily how to do this] was to go into my antivirus program that protects my Exchange server and add WMF file extensions to be blocked at the server [in fact why do I need them anyway… I think I’ll leave the setting exactly like that from now on]


So on my Trend Exchange a/v it looks like this:



So what if you were insane, stupid, or too cheap to buy a Antivirus that covers your Exchange server?  And boy you have to be all three these days not to get an antivirus suite that does this….but say you were… what else could you EASILY do on your SBS box to block those kinds of files….


If you’ve never done this before… you rerun the “Connect to Internet Wizard” and rerun the wizard to add file type blocking at the server…remember it looks like this:



Click on “add” to add the WMF file blocking:



And click OK…but what if you already did that and you don’t want to rerun the wizard?


No problem… just follow this prior post…but here’s a trick I found… Nathan said to right mouse click and click on “edit” but on my newly pristine server… I had no edit and Notepad sucked as an XML editor.  So I brought it over to my workstation where I have Frontpage, right mouse clicked on Edit, opened it in Front Page, clicked on “Reformat XML”



And edited the page in a much more user friendly format


<Attachment Enabled=”True” Extension=”wmf” Description=”WMF Zero Day”/> which looks like this


Remember these are kinda like those backwards group policy settings where “True” is a good thing…. so when we get all done, I saved the file on my workstation and then stuck it back up on the server and it looks like this:



My resulting XML file…. is copied below:


===============================


<?xml version=”1.0″ encoding=”utf-8″ ?>


<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled=”False” Location=””/>
    <UnsafeAttachments>
        <Attachment Enabled=”True” Extension=”ade” Description=”Microsoft Access project extension”/>
        <Attachment Enabled=”True” Extension=”adp” Description=”Microsoft Access project”/>
        <Attachment Enabled=”True” Extension=”app” Description=”FoxPro generated application”/>
        <Attachment Enabled=”True” Extension=”bas” Description=”Microsoft Visual Basic class module”/>
        <Attachment Enabled=”True” Extension=”bat” Description=”Batch file”/>
        <Attachment Enabled=”True” Extension=”chm” Description=”Compiled HTML Help file”/>
        <Attachment Enabled=”True” Extension=”cmd” Description=”Microsoft Windows NT Command script”/>
        <Attachment Enabled=”True” Extension=”com” Description=”Microsoft MS-DOS program”/>
        <Attachment Enabled=”True” Extension=”cpl” Description=”Control Panel extension”/>
        <Attachment Enabled=”True” Extension=”crt” Description=”Security certificate”/>
        <Attachment Enabled=”True” Extension=”csh” Description=”Unix shell script”/>
        <Attachment Enabled=”True” Extension=”exe” Description=”Program”/>
        <Attachment Enabled=”True” Extension=”fxp” Description=”FoxPro file”/>
        <Attachment Enabled=”True” Extension=”hlp” Description=”Help file”/>
        <Attachment Enabled=”True” Extension=”hta” Description=”HTML program”/>
        <Attachment Enabled=”True” Extension=”inf” Description=”Setup Information”/>
        <Attachment Enabled=”True” Extension=”ins” Description=”Internet Naming Service”/>
        <Attachment Enabled=”True” Extension=”isp” Description=”Internet Communication settings”/>
        <Attachment Enabled=”True” Extension=”js” Description=”JScript file”/>
        <Attachment Enabled=”True” Extension=”jse” Description=”Jscript Encoded Script file”/>
        <Attachment Enabled=”True” Extension=”ksh” Description=”Unix shell script”/>
        <Attachment Enabled=”True” Extension=”lnk” Description=”Shortcut”/>
        <Attachment Enabled=”True” Extension=”mda” Description=”Microsoft Access add-in program”/>
        <Attachment Enabled=”True” Extension=”mdb” Description=”Microsoft Access program”/>
        <Attachment Enabled=”True” Extension=”mde” Description=”Microsoft Access MDE database”/>
        <Attachment Enabled=”True” Extension=”mdt” Description=”Microsoft Access add-in data”/>
        <Attachment Enabled=”True” Extension=”mdw” Description=”Microsoft Access workgroup information”/>
        <Attachment Enabled=”True” Extension=”mdz” Description=”Microsoft Access wizard program”/>
        <Attachment Enabled=”True” Extension=”msc” Description=”Microsoft Common Console document”/>
        <Attachment Enabled=”True” Extension=”msi” Description=”Microsoft Windows Installer package”/>
        <Attachment Enabled=”True” Extension=”msp” Description=”Microsoft Windows Installer patch”/>
        <Attachment Enabled=”True” Extension=”mst” Description=”Microsoft Windows Installer transform; Microsoft Visual Test source file”/>
        <Attachment Enabled=”True” Extension=”ops” Description=”FoxPro file”/>
        <Attachment Enabled=”True” Extension=”pcd” Description=”Photo CD image; Microsoft Visual compiled script”/>
        <Attachment Enabled=”True” Extension=”pif” Description=”Shortcut to MS-DOS program”/>
        <Attachment Enabled=”True” Extension=”prf” Description=”Microsoft Outlook profile settings”/>
        <Attachment Enabled=”True” Extension=”prg” Description=”FoxPro program source file”/>
        <Attachment Enabled=”True” Extension=”reg” Description=”Registration entries”/>
        <Attachment Enabled=”True” Extension=”scf” Description=”Windows Explorer command”/>
        <Attachment Enabled=”True” Extension=”scr” Description=”Screen saver”/>
        <Attachment Enabled=”True” Extension=”sct” Description=”Windows Script Component”/>
        <Attachment Enabled=”True” Extension=”shb” Description=”Shell Scrap object”/>
        <Attachment Enabled=”True” Extension=”shs” Description=”Shell Scrap object”/>
        <Attachment Enabled=”True” Extension=”url” Description=”Internet shortcut”/>
        <Attachment Enabled=”True” Extension=”vb” Description=”VBScript file”/>
        <Attachment Enabled=”True” Extension=”vbe” Description=”VBScript Encoded script file”/>
        <Attachment Enabled=”True” Extension=”vbs” Description=”VBScript file”/>
        <Attachment Enabled=”True” Extension=”wsc” Description=”Windows Script Component”/>
        <Attachment Enabled=”True” Extension=”wsf” Description=”Windows Script file”/>
        <Attachment Enabled=”True” Extension=”wsh” Description=”Windows Script Host Settings file”/>
        <Attachment Enabled=”True” Extension=”xsl” Description=”XML file that can contain script”/>
        <Attachment Enabled=”True” Extension=”wmf” Description=”WMF Zero Day”/>
    </UnsafeAttachments>
</SecAttsConfig>

4 Thoughts on “Blocking those WMF’s at the email border

  1. Nick Pieters on December 29, 2005 at 3:47 am said:

    Well i don’t know if trend is checking also checking the mails who come from the pop3 connector, guess so.

    I did everything on my isa server, smtp screener installed and blocked wmf for emails and downloads/http.

    Fun thing is that it works also for pop3 connector, so it works verry effectively for spam even with pop3 connector!

  2. Alex Lee on December 29, 2005 at 9:05 am said:

    There are reports that for this exploit, a malicious file can carry any extension. Not just WMF. See the 23:19 update on this Internet Storm Center Handler’s Diary(http://isc.sans.org/diary.php?date=2005-12-29).

    On the other hand, Susan’s post is more about the mechanics of blocking files by extension right on your server. Nice.

  3. This is true – content is what matters, not extension. As for “any extension”, that’s not quite true – you would need an extension that feeds into the graphics rendering engine. If you feel that’s a sufficiently dangerous threat to concern yourself with it, you could block all graphics, or you could block all files with content that identifies it as a WMF, if you have a content-based filter.

  4. goodsite.NikkfromLA.(USA)http://megspace.com/lifestyles/uldiaz1/10mg-diazepam.html

Post Navigation