[isalist] Re: Word Doc Block

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 10 Dec 2006 15:04:28 -0800

http://www.ISAserver.org
-------------------------------------------------------
  
Geez; watta grump.
Wearing your green suit for the season, areya?
:-p
Just because you don't like my answer doesn't mean I didn't answer it.
If you have a mechanism that can detect malicious Word docs in the most
common transfer methods, then you're fairly safe.
If you can patch your application, then you obviously don't need the
mitigation.
IIRC, GFI is capable of blocking within compressed files (if they're
not pw-protected, of course).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, December 10, 2006 2:13 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Word Doc Block

No, you didn't.  You just gave the obvious "don't do that" response.

I actually DO have something that will block .docs at the mail server,
even if in a zip, but that wasn't my question.

So I guess all one can do is just block .doc extensions then...

t

 


On 12/9/06 12:05 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> I did.
> In this day where "business needs" dictate an "all open" traffic 
> profile through your edge, and where the "port demons" rule the edge, 
> I've all but given up on the idea of trying to block anything beyond
> layer 3.
> 
> That said, Antigen is supposed to bring the next big thing to 
> application-layer smarts, but it's not a reality yet.  Lots of other 
> folks try really hard to scan at the edge, but it's a 'spensive 
> proposition, Lucy.
> 
> Unless you have something in your edge and mail servers that can block
> Word docs by binary signature, even within a compressed file (don't
> forget to recognize zip, tar, gz... you get the idea), you can't have
> total protection.
> 
> Unfortunately, unlike the wmf vuln, it's impossible to configure an 
> HTTP filter signature for this issue.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Friday, December 08, 2006 6:47 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Word Doc Block
> 
> Obviously... But when it comes to a large user base working with 
> masses of other business associates, contacts, contractors, clients, 
> prospective employees, etc, and who have been trained to send Word 
> docs (and open them) over the last several years, the "don't accept 
> from unknown sources" isn't necessarily a viable option.
> 
> Care to answer my question now? :-p
> 
> t
> 
> 
> On 12/8/06 4:00 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
>> Simple; I don't accept them from unknown sources.
>> 
>> 
>> -------------------------------------------------------
>>    Jim Harrison
>>    MCP(NT4, W2K), A+, Network+, PCG
>>    http://isaserver.org/Jim_Harrison/
>>    http://isatools.org
>>    Read the help / books / articles!
>> -------------------------------------------------------
>>  
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>> God)
>> Sent: Friday, December 08, 2006 12:11
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Word Doc Block
>> 
>> Anyone worried about the 0day Word issue to the point that you are 
>> blocking .doc files?  Blocking Word application type or just .doc?
>> Anyone worried about a .doc in a .zip?
>> 
>> t
>> 
>> 


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 


All mail to and from this domain is GFI-scanned.
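
The check the thread keeps coming back to (block Word docs by binary signature rather than by extension, look inside zip, tar and gz, and treat password-protected members as something the filter cannot clear) can be sketched as follows. This is an added example, not code from the thread or from GFI, Antigen or ISA Server. The names `scan`, `members` and `make_sample` and both limits are assumptions, and the OLE2 header it matches is shared by every legacy Office compound file (.doc, .xls, .ppt), not only Word.

```python
import gzip, io, tarfile, zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc/.xls/.ppt
MAX_DEPTH, MAX_BYTES = 4, 50 * 2**20  # assumed nesting and per-member size limits

def members(data, name):
    """Yield (path, bytes) per contained file; bytes is None if unreadable."""
    buf = io.BytesIO(data)
    if data[:2] == b"\x1f\x8b":                          # gzip
        with gzip.GzipFile(fileobj=buf) as gz:
            inner = gz.read(MAX_BYTES + 1)
        yield name + "!gunzip", inner if len(inner) <= MAX_BYTES else None
    elif data[257:262] == b"ustar":                      # tar
        with tarfile.open(fileobj=buf, mode="r:") as tf:
            for m in tf:
                if m.isfile():
                    ok = m.size <= MAX_BYTES
                    yield f"{name}!{m.name}", tf.extractfile(m).read() if ok else None
    elif zipfile.is_zipfile(buf):                        # zip
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                # Flag bit 0 marks a password-protected (encrypted) member.
                ok = not info.flag_bits & 0x1 and info.file_size <= MAX_BYTES
                yield f"{name}!{info.filename}", zf.read(info) if ok else None

def scan(data, name="attachment", depth=0):
    """Return [(path, verdict)]; verdict is 'ole2-document' or 'unscannable'."""
    if data.startswith(OLE2_MAGIC):       # content decides, not the extension
        return [(name, "ole2-document")]
    findings = []
    try:
        for path, blob in members(data, name):
            if depth >= MAX_DEPTH:        # container nested too deep to clear
                return [(name, "unscannable")]
            findings += [(path, "unscannable")] if blob is None else scan(blob, path, depth + 1)
    except Exception:                     # malformed container: fail closed
        findings.append((name, "unscannable"))
    return findings

def make_sample():
    """Constructed input: fake OLE2 file named notes.txt, zipped, then tar.gz."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("notes.txt", OLE2_MAGIC + b"\0" * 504)
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        ti = tarfile.TarInfo("inner.zip")
        ti.size = len(zbuf.getvalue())
        tf.addfile(ti, io.BytesIO(zbuf.getvalue()))
    return gzip.compress(tbuf.getvalue())
```

A mail or edge filter would quarantine on either verdict: an empty result means nothing in the attachment carried the OLE2 header and everything could be opened.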
