# # NOTE: Fields are separated by TAB characters --- Important! # # Syntax is allow/deny/deny+delete, then regular expression, then log text, # then user report text. # # Due to a bug in Outlook Express, you can make the 2nd from last extension # be what is used to run the file. So very long filenames must be denied, # regardless of the final extension. deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages # JKF 01/01/2006 Another Microsoft security vulnerability #deny \.wmf$ Windows Metafile security vulnerability Possible format attack in Windows # JKF 04/01/2005 More Microsoft security vulnerabilities deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows #deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows # These 4 are well known viruses. deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus deny happy99\.exe$ "Happy" virus "Happy" virus deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus # JKF 08/07/2005 Several virus scanners may miss this one deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses # These are known to be mostly harmless. allow \.jpg$ - - allow \.gif$ - - # .url is arguably dangerous, but I can't just ban it... allow \.url$ - - allow \.vcf$ - - allow \.txt$ - - allow \.zip$ - - allow \.t?gz$ - - allow \.bz2$ - - allow \.Z$ - - allow \.rpm$ - - # PGP and GPG allow \.gpg$ - - allow \.pgp$ - - allow \.sig$ - - allow \.asc$ - - # Macintosh archives allow \.hqx$ - - allow \.sit.bin$ - - allow \.sea$ - - # These are known to be dangerous in almost all cases. deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info. deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email # These are new dangerous attachment types according to Microsoft in # http://support.microsoft.com/?kbid=883260 deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260 #deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260 # These 2 added by popular demand - Very often used by viruses deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email # These are very dangerous and have been used to hide viruses deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses deny \.bat$ Possible malicious batch file script Batch files are often malicious deny \.cmd$ Possible malicious batch file script Batch files are often malicious deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora # Deny filenames containing CLSID's deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type # Deny filenames with lots of contiguous white space in them. deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it # Allow repeated file extension, e.g. blah.zip.zip allow (\.[a-z0-9]{3})\1$ - - # Deny all other double file extensions. This catches any hidden filenames. deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension