• Forefront Protection for Exchange blocks Outlook Blocked Senders functionality and Exchange IMF

    I would recommend that FPE customers do this.

    By default, when our anti-spam agent classifies a message as clean, we stamp it with an SCL of -1.

    An SCL of -1 tells Exchange the message is trusted, so the mailbox junk e-mail processing that enforces a user's Blocked Senders list is skipped for it, and the Intelligent Message Filter (IMF) never gets a chance to catch it either. This causes a lot of confusion for administrators who see mail from blocked senders still arriving in the Inbox.

    This is covered in the Important notes section of our documentation.

    • FPE marks messages that it believes to be legitimate with an SCL rating of -1. As a result, on Exchange Server 2007, the end user blocked senders feature may not be enforced for these messages. If this occurs, as a workaround, you can set the extended option CFAllowBlockedSenders to 'true'. This changes the SCL rating from -1 to 0 and allows Exchange Server 2007 to enforce the end user blocked senders feature.  

    The workaround is to change our clean SCL stamp from -1 to 0.

    This is done in the Forefront Management Shell (the FPE PowerShell).

    You need to create a new extended option:

    PS> New-FseExtendedOption -Name CFAllowBlockedSenders -Value true

    PS> Get-FseExtendedOption -Name CFAllowBlockedSenders

    should return:

    Name                    Value
    ----                    -----
    CFAllowBlockedSenders   True
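    The same change as a script you can re-run safely on every FPE server, as an added example that is not from the original post. It uses the Get-FseExtendedOption and New-FseExtendedOption cmdlets shown above; Set-FseExtendedOption is assumed to exist for the case where the option is already present with the wrong value, and the variable and message names are mine.

```powershell
# Added example, not from the original post. Run in the Forefront Management Shell.
# Assumes Get-/New-FseExtendedOption (shown on the page) and Set-FseExtendedOption
# (assumed to exist for updating an existing option) are available.
$optionName = 'CFAllowBlockedSenders'

function Set-FseCleanSclToZero {
    # Look up the option without failing if it has never been created.
    $existing = Get-FseExtendedOption -Name $optionName -ErrorAction SilentlyContinue

    if (-not $existing) {
        # First time on this server: create the option, exactly as the post shows.
        New-FseExtendedOption -Name $optionName -Value true | Out-Null
    }
    elseif ([string]$existing.Value -ne 'True') {
        # Option exists but is not enabled: update it (cmdlet name is an assumption).
        Set-FseExtendedOption -Name $optionName -Value true | Out-Null
    }

    # Verify, and fail loudly if the value did not take.
    $check = Get-FseExtendedOption -Name $optionName
    if ([string]$check.Value -ne 'True') {
        throw "$optionName is still '$($check.Value)'; clean mail will keep SCL -1"
    }
    return $check
}

Set-FseCleanSclToZero | Format-Table Name, Value -AutoSize
```

    To confirm the effect end to end, send a test message from an address that is on a mailbox's Blocked Senders list and open its headers: Exchange 2007 records the SCL in the X-MS-Exchange-Organization-SCL header, which should now read 0 instead of -1, and the message should land in Junk E-mail rather than the Inbox.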

  • Mytob/Mydoom Filtering

    Mytob and Mydoom variants seem to be on the rise in the last week.

    These files are named in a way that fools users into thinking the file is something other than an executable.

    In this example, a quick look at the file inside postcard.zip might make you think it is an .htm file.

    [image: the file inside postcard.zip as shown in a file listing]

    But if you look at the file type, it shows that it is an application. Some older tools will show an IE icon for it, which further fools users into opening it.

    The file in the above example has two extensions.

    document.htm____________________________________________________________.exe

    Mitigation

    No scanner can protect you 100% of the time. Even with a product like Forefront/Antigen (which lets you scan with up to five engines), there is still a window between the first appearance of a new variant and the engines shipping detections for it.

    I suggest, at minimum, filtering out dual-extension executables by adding a file filter with the name pattern *.*.* and the file type set to executable. The action can be clean (users still get the zip, but the attachment is replaced with a .txt file) or purge (the message is removed completely).

    If your network policy is that no .exe files are to come in by e-mail, you can put a file filter with the name pattern * and the executable file type in place with the purge action, which reduces confusion for your end users.

    If your policy lets internal users send .exe files but you feel safe blocking executables arriving from the Internet, you can use our filtering to block only inbound executables (name pattern <in>* with the executable file type), as described here: http://technet.microsoft.com/en-us/library/bb795068.aspx
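    The two things the filter above relies on, a suspicious name and executable content regardless of name, can be checked directly against a zip attachment. The following is an added example of mine, not FPE code and not from the original post: it builds a constructed postcard.zip in the temp directory with a padded double-extension entry like the one shown above, then flags entries by name pattern and by the "MZ" header that every Windows executable starts with. Only .NET System.IO.Compression is used; no FPE cmdlets are assumed.

```powershell
# Added example, not from the original post and not FPE code.
# Flags zip entries that use the double-extension / padding trick, and
# entries whose content is a PE executable whatever they are called.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ExecutableExtensions = @('.exe', '.scr', '.pif', '.com', '.bat', '.cmd')

function Test-SuspiciousEntry {
    param($Entry)   # a System.IO.Compression.ZipArchiveEntry
    $reasons = @()
    $name = $Entry.Name
    $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()

    # (a) more than one extension and the last one is executable: document.htm[...].exe
    if (($ExecutableExtensions -contains $ext) -and ($name.Split('.').Count -gt 2)) {
        $reasons += 'double extension ending in executable'
    }
    # (b) a long run of underscores or spaces pushing the real extension out of view
    if ($name -match '[_ ]{8,}\.[A-Za-z0-9]{1,4}$') {
        $reasons += 'padded filename'
    }
    # (c) content check: a PE file starts with "MZ" no matter what it is named
    $stream = $Entry.Open()
    try {
        $buf = New-Object byte[] 2
        $n = $stream.Read($buf, 0, 2)
        if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
            $reasons += 'MZ header (executable content)'
        }
    } finally { $stream.Dispose() }
    return $reasons
}

function Get-SuspiciousZipEntries {
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $why = Test-SuspiciousEntry -Entry $entry
            if ($why.Count -gt 0) {
                [pscustomobject]@{ Name = $entry.Name; Reasons = ($why -join '; ') }
            }
        }
    } finally { $zip.Dispose() }
}

# --- constructed sample: a postcard.zip with one disguised executable and one harmless file ---
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ('postcard-' + [guid]::NewGuid() + '.zip')
$archive = [System.IO.Compression.ZipFile]::Open($tmp, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $bad = $archive.CreateEntry('document.htm' + ('_' * 60) + '.exe')
    $w = $bad.Open(); $mz = [System.Text.Encoding]::ASCII.GetBytes('MZ'); $w.Write($mz, 0, 2); $w.Dispose()
    $good = $archive.CreateEntry('readme.txt')
    $w = $good.Open(); $txt = [System.Text.Encoding]::ASCII.GetBytes('hello'); $w.Write($txt, 0, 5); $w.Dispose()
} finally { $archive.Dispose() }

Get-SuspiciousZipEntries -Path $tmp | Format-Table -AutoSize
Remove-Item $tmp
```

    The name checks mirror the *.*.* filter; the MZ check is the part a name-based filter cannot do, and it is why a file-type (content) filter rather than an extension filter is the right setting when you block executables. Expect the constructed document.htm____...exe entry to be reported on all three counts and readme.txt not at all.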