
Security Basics: RE: 543.rar attachment

RE: 543.rar attachment

From: <adisegna_at_siscocorp.com>
Date: Mon, 14 Mar 2005 13:51:29 -0500

When Symantec Corp. integrates with Active Directory to allow file
attachments by user/group then maybe. For now I only have the choice to
allow or block everything. I can't trust some of the non-technical users
in my organization (marketing, accounting, etc). They ask "what is this"
and forward information to the admin every time they get something they
don't recognize. This is after being trained numerous times. They are
easy prey to socially engineered email.

Thanks
AD
Information Technology Group

-----Original Message-----
From: Kinnell [mailto:kinnell.t_at_gmail.com]
Sent: Monday, March 14, 2005 10:13 AM
To: security-basics_at_securityfocus.com
Subject: Re: 543.rar attachment

On the network I'm a member of we block all exe files sent inside the
rar or zip, so even if it is sent the file will be 0byted. Wouldn't
that be a better method? Otherwise if you block all bz2, zip, rar,
etc... then you will block a lot of useful communication.

-Kinnell

On Fri, 11 Mar 2005 16:49:16 -0500, adisegna_at_siscocorp.com
<adisegna_at_siscocorp.com> wrote:
> Sean, I have to disagree with you. Any file that can encapsulate an
> executable file should be blocked (IMO). ZIP files are one of the
> biggest carriers of malicious content these days. I don't make it a
> habit of trusting my users no matter how many times they get trained.
> RAR extraction tools are not part of the software image policy on my
> network so users are oblivious to the file blocking. What is your
> solution?
>
> Thanks
>
> AD
> Information Technology Group
> Security Identification Systems Corporation
>
> -----Original Message-----
> From: Sean Crawford [mailto:sean01_at_accnet.com.au]
> Sent: Tuesday, March 08, 2005 9:39 PM
> To: security-basics_at_securityfocus.com
> Subject: RE: 543.rar attachment
>
> ---> -----Original Message-----
> ---> From: adisegna_at_siscocorp.com [mailto:adisegna_at_siscocorp.com]
>
> ---> Subject: RE: 543.rar attachment
>
> ---> I just recently got the same executable inside .rar. I extracted the
> ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
> ---> anything (as of 4 days ago). I wasn't about to double click this exe on
> ---> my corporate network. Block the rar extension on your mail server.
> --->
>
> rar is a valid compression format...blocking it isn't a very good
> solution.
>
> 2 cents.
>
> Sean
>
>
Received on Mar 15 2005
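
The alternative raised in the thread, blocking executables inside an archive instead of blocking the archive type, can be sketched as a content check on each attachment. This is an added example, not code from the thread or from any mail product: the function names, the extension list and the sample message are constructed here, and it assumes only Python's standard library, which reads ZIP but not RAR.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed block list

def zip_findings(data):  # reasons to block a ZIP payload; [] means none found
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt or non-ZIP data"]
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be checked
                findings.append(f"{info.filename}: encrypted")
                continue
            with zf.open(info) as member:
                head = member.read(2)
            # "MZ" is the DOS/PE header, so a renamed executable is still caught
            if head == b"MZ" or info.filename.lower().endswith(EXEC_EXT):
                findings.append(f"{info.filename}: executable")
    return findings

def scan_message(raw):  # attachment filename -> list of findings
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"Rar!\x1a\x07"):  # no stdlib RAR reader: policy decision
            report[part.get_filename()] = ["RAR: contents not inspected"]
        else:  # identify ZIP by magic bytes, not by the attachment's file name
            is_zip = data.startswith(b"PK\x03\x04")
            report[part.get_filename()] = zip_findings(data) if is_zip else []
    return report

def make_zip(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def build_sample():  # constructed message: ZIP with a renamed PE-like stub, plus a clean ZIP
    msg = EmailMessage()
    msg.set_content("see attached")
    kind = {"maintype": "application", "subtype": "zip"}
    msg.add_attachment(make_zip("invoice.txt", b"MZ\x90\x00stub"), filename="543.zip", **kind)
    msg.add_attachment(make_zip("notes.txt", b"hello"), filename="notes.zip", **kind)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags `543.zip` because its member starts with the `MZ` header despite the `.txt` name, and passes `notes.zip`.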
