So…. let’s see….. we have a Zero Day WMF exploit nailing even fellow MVPs …. websites that nail you with malware so bad you have to flatten and rebuild….that merely visiting the web clicking…. will nail you…. and Trend [and most a/v companies] has the definition for this in their ‘beta’ def but not their released one….so what’s a gal to do?

So I already blocked WMFs in email in the Trend Antivirus

  • I don’t want to pull down a beta def file
  • I’m not sure I want to unregister a dll…….shimgvw.dll
  • So how about looking at what my ISA server can do ‘eh?

Jesper’s Blog : Blocking certain extensions in ISA server:

Very cool huh! And how about we block those WMFs via ISA server?

So we go into the ISA management console… and we access the SBS Internet Access Rule [on mine this is rule 23]

  • Click on Protocols
  • Click on Filtering
  • Click on Configure HTTP
  • Click on Extensions
  • Choose “Block Specified Extensions and allow all others” and then put in the list you want to block
  • Click “Add” and put in wmf.

Click OK, click Apply and now when I go to the test page… voila…the image doesn’t show up.

Is this cool or what?  Now I feel a lot better since Trend hasn’t updated yet.
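The ISA rule above matches on the extension in the requested URL, while Windows recognizes a metafile by its header bytes. As a complementary check (an added example, not part of the original post or of ISA), this Python code scans a folder such as a download directory for files that are WMF by content but carry another extension; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7          # placeable-metafile key, on disk: D7 CD C6 9A

def _standard_header(buf):
    """True if buf starts with an 18-byte WMF METAHEADER."""
    if len(buf) < 18:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", buf)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def looks_like_wmf(data):
    """Identify a Windows Metafile from its leading bytes, ignoring the name."""
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return _standard_header(data[22:])   # 22-byte placeable header comes first
    return _standard_header(data)

def find_disguised_wmf(folder):
    """Return sorted relative paths of files under folder that are WMF by
    content but do not carry a .wmf extension."""
    hits = []
    for root, _dirs, names in os.walk(folder):
        for name in names:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(40)       # both header layouts fit in 40 bytes
            except OSError:
                continue                     # locked or unreadable file: skip it
            if looks_like_wmf(head) and not name.lower().endswith(".wmf"):
                hits.append(os.path.relpath(path, folder))
    return sorted(hits)

def make_sample(placeable=False):
    """Constructed sample: metafile header bytes only, no drawing records."""
    meta = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
    if not placeable:
        return meta
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word                     # XOR of the first ten 16-bit words
    return head + struct.pack("<H", checksum) + meta
```

Call `find_disguised_wmf()` with the folder to audit; anything it returns is worth a closer look until the released definitions catch up.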


3 Responses to So if you have ISA here are some things you can do

  1. Nick Pieters says:

    I also used this solution to block downloads of other extensions on some of my clients; in my opinion, one of the best ways to protect a network. True, a lot of work, but hey, you can export and import settings.

  2. Amy says:

    Don’t forget to disconnect all sessions after you Apply. Otherwise, the edited rule will only apply to new connections to ISA, not existing ones.

  3. Andy says:

    Can the same be done using ISA 2000?