[Esd-l] MS stuff

John D. Hardin jhardin at impsec.org
Thu Apr 18 12:05:01 PDT 2002


On Thu, 18 Apr 2002, Eric Brosius wrote:

> It seems like we've been getting more and more users from outside
> our network sending Microsoft files with 2 extensions (i.e.
> AVP.LST.DOC, or Byte.me.xls).  They are getting mangled, which is
> fine.  But I'm starting to spend too much of my day forwarding
> things from "quarantine".

I fixed a problem in the recommended poison file list a while back,
where it was improperly poisoning document files with "multiple
extension" style filenames. If you are not automatically downloading
the recommended poisoned-files list, then replace the
poison-double-extension-except-doc-and-xls rules in your current
poison list with these:


    *.[a-z][a-z].(?=[a-z0-9]+$)(?!(doc$|xls$))
    *.[a-z][a-z]\s+.(?=[a-z0-9]+$)(?!(doc$|xls$))
    *.[a-z][a-z][a-z0-9].(?=[a-z0-9]+$)(?!(doc$|xls$))
    *.[a-z][a-z][a-z0-9]\s+.(?=[a-z0-9]+$)(?!(doc$|xls$))


> How can I let these file names not get poisoned but just be
> scanned by the MS scanner?  Or is that a bad idea?  Thanks, ahead
> of time.

They will still be scanned and eligible for stripping and poisoning if
you remove .DOC and .XLS from the mangle list. Those extensions are
"special".

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                       pgpk -a jhardin at wolfenet.com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
-----------------------------------------------------------------------
   929 days until the Presidential Election
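As an added illustration (not code from the Sanitizer project or from the post above), the four replacement poison rules can be paraphrased as a single Python regular expression and run over a handful of constructed attachment names, including the two from the question, to see which ones would be poisoned and which pass through to the scanner. Assumptions made here: the Sanitizer's "*" wildcard corresponds to ".*", the "." before the final extension is a literal dot, and matching is case-insensitive.

```python
import re

# Added example, not code from the Sanitizer or from the list post.
# The four rules from the post are folded into one regex:
#   rules 1 and 3 have no whitespace between the first extension and the dot,
#   rules 2 and 4 allow "\s+" there, so "\s*" covers all four;
#   "[a-z][a-z][a-z0-9]?" covers both the two- and three-character first
#   extension. The lookaheads are copied from the rules: the final extension
#   must be alphanumeric to end of name, and must not be "doc" or "xls".
# Assumption: "*" -> ".*", "." is a literal dot, matching is case-insensitive.
DOUBLE_EXT_EXCEPT_DOC_XLS = re.compile(
    r"^.*\.[a-z][a-z][a-z0-9]?\s*\.(?=[a-z0-9]+$)(?!(?:doc|xls)$)",
    re.IGNORECASE,
)


def is_poisoned(filename: str) -> bool:
    """True when the attachment name has a double extension whose final
    extension is neither .doc nor .xls (the case the post describes)."""
    return DOUBLE_EXT_EXCEPT_DOC_XLS.search(filename) is not None


def triage(filenames):
    """Map each attachment name to 'poison' (would be quarantined by the
    double-extension rules) or 'pass' (left to the normal scanner path)."""
    return {name: ("poison" if is_poisoned(name) else "pass")
            for name in filenames}


# Constructed sample attachment names: the two from the question plus a few
# more to show single extensions, whitespace before the dot, and a
# non-document second extension.
SAMPLE_NAMES = [
    "AVP.LST.DOC",      # double extension ending in .doc -> pass
    "Byte.me.xls",      # double extension ending in .xls -> pass
    "report.doc.exe",   # document name hiding an executable -> poison
    "notes.txt",        # single extension -> pass
    "setup.vbs .exe",   # whitespace before the final dot (rules 2/4) -> poison
    "archive.tar.gz",   # any other double extension -> poison
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES).items():
        print(f"{name:18s} {verdict}")
```

Note that the exemption is only for a final .DOC or .XLS; a name such as report.doc.exe is still poisoned, which is the behaviour the rules are meant to preserve.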