[Robin Bermanseder] This requires fairly sophisticated content scanning. How do you define 'executable'? Do you include DLLs? Executable on which platform?

The technique I have used is to scan the attachments for 'signatures' associated with the target executable code. Example: for DOS executables, CD 21 identifies a call to the DOS services interrupt, but blocking all files containing these bytes would filter out a fair number of legitimate binaries as well. You have to scan forward or backward several bytes for code that would normally occur in association with the interrupt, usually a loading of the AX register.

All executables, for all operating systems, have such telltale signatures. You need to identify what your target executables are, get the telltale signatures (speak to an assembler programmer for the target platform) and institute the scanning mechanism.

I have often thought that adding the signatures to a virus scanner might help (i.e. identify executables as viruses), but on second thought this would not work well: the signatures are often loosely defined (CD 21 with a XX YY within 10 bytes, for example) while virus checkers use static signatures only.

My implementation needed customised packet filter code written in assembler, using expert system techniques to apply the filter rules.

>Short answer: It can be done, but not easily.

>Hi,
>
>I have an installation with fw1 and esafe protect gateway.
>Question: is there any way to detect a renamed exe in a mail attachment?
>Attachments with the ext. Exe are blocked. But when I rename an exe file to
>txt, the attachment is not being blocked.
>
>Michael
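The content check Robin describes, as an added example that is not part of the original thread and not code from either poster or from the fw1/esafe products: it decodes each MIME attachment and ignores the file name and declared type entirely, first looking for fixed-offset headers (MZ/PE, ELF, Mach-O) and then applying the loose DOS signature from the post, an INT 21h opcode (CD 21) preceded within 10 bytes by a load of AH or AX (B4 xx or B8 xx xx). The 10-byte window, the threshold of two qualifying INT 21h calls, the sample attachments and the mailbox addresses are assumptions made for this illustration.

```python
"""Content-based detection of executable mail attachments.

Added example for this thread, not the posters' code.  Two checks:
fixed-offset magic numbers (MZ/PE, ELF, Mach-O) and the loose DOS
signature from the post: INT 21h (CD 21) with a MOV AH,imm8 (B4 xx)
or MOV AX,imm16 (B8 xx xx) in the 10 bytes before it.  Window,
threshold and sample data are assumptions for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# (offset, magic bytes, description): fixed-offset file headers
MAGICS = [
    (0, b"MZ", "MS-DOS/Windows executable header (MZ)"),
    (0, b"\x7fELF", "ELF executable header"),
    (0, b"\xfe\xed\xfa\xce", "Mach-O 32-bit header"),
    (0, b"\xfe\xed\xfa\xcf", "Mach-O 64-bit header"),
    (0, b"\xca\xfe\xba\xbe", "Mach-O universal / Java class header"),
]


def magic_hits(data):
    """Return a description for every fixed-offset executable header found."""
    hits = [desc for off, sig, desc in MAGICS if data[off:off + len(sig)] == sig]
    # A Win32 PE file carries "PE\0\0" at the offset stored at 0x3C of the MZ stub.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            hits.append("PE signature at e_lfanew")
    return hits


def dos_int21_hits(data, window=10):
    """Count INT 21h opcodes (CD 21) that have a MOV AH,imm8 (B4 xx) or
    MOV AX,imm16 (B8 xx xx) somewhere in the `window` bytes before them.
    A bare CD 21 is not counted: as the post says, it occurs in innocent data."""
    count = 0
    pos = data.find(b"\xcd\x21")
    while pos != -1:
        before = data[max(0, pos - window):pos]
        # The immediate operand must fit between the MOV opcode and CD 21.
        if 0xB4 in before[:-1] or 0xB8 in before[:-2]:
            count += 1
        pos = data.find(b"\xcd\x21", pos + 1)
    return count


def executable_reasons(data, min_int21=2):
    """Reasons to treat `data` as executable regardless of its file name.
    min_int21 is an assumed threshold; tune it against real attachments."""
    reasons = magic_hits(data)
    n = dos_int21_hits(data)
    if n >= min_int21:
        reasons.append(f"{n} INT 21h calls each preceded by an AH/AX load")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(filename, reasons)] for
    every attachment whose decoded *content* looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # undo base64/QP first
        reasons = executable_reasons(payload)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


# Constructed samples (not real mail traffic).
# A tiny DOS .COM program: mov ah,9 / mov dx,offset msg / int 21h /
# mov ax,4C00h / int 21h / "Hi$".  No MZ header, so only the INT 21h
# heuristic can catch it.
SAMPLE_DOS_COM = bytes.fromhex("b409 ba0c01 cd21 b8004c cd21") + b"Hi$"


def constructed_pe_stub():
    """A minimal MZ header whose e_lfanew points at a PE signature (constructed)."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def build_sample_message():
    """Michael's scenario: executables attached under .txt names and even
    labelled text/plain, plus one genuine text file.  Addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "michael@example.invalid"
    msg["To"] = "gateway@example.invalid"
    msg["Subject"] = "renamed attachments"
    msg.set_content("see attached")
    msg.add_attachment(SAMPLE_DOS_COM, maintype="text", subtype="plain", filename="report.txt")
    msg.add_attachment(constructed_pe_stub(), maintype="text", subtype="plain", filename="setup.txt")
    msg.add_attachment(b"Just notes.\r\n", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"{name}: {'; '.join(reasons)}")
```

Two caveats a gateway operator would want: the scan must run on the decoded payload (base64 text never contains CD 21), and on the contents of archives, since a zipped or otherwise compressed executable shows neither the header nor the opcode pattern. The MZ/PE header check is the reliable part for Windows binaries; the INT 21h heuristic only covers real-mode DOS code and will produce some false positives on arbitrary binary data, which is why it is thresholded rather than triggered by a single match.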
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:57 PDT