A default-deny approach at the gateway is the best approach, permitting only file types that are needed to do business. Always block attachments that are unsafe, i.e. .exe, .scr, .pif, .vbs, .zip, etc.
Other measures enterprises can take include:
- Rename files that contain .zip or other executable or blocked extensions.
- Delay .zip files for a short period of time.
- Inspect the contents of .zip files and deny, delay or rename attachments that are unsafe.
I think it hasn't been a big enough problem and is just now reaching the boiling point. I believe we'll start to see more and more corporations filtering .zip files from this point on. What other kinds of threats do .zip files pose to enterprise networks? Other users?
Most corporations block files like screen savers (.scr) and Visual Basic Scripts (.vbs) at the e-mail gateway. Antivirus scanners can scan .zip files and stop them if a virus is detected. Unfortunately, if they don't detect something known to be malicious they allow it to go through. If the .zip format wasn't used, it would have been blocked like other unsafe file attachments. It's worse if the .zip file is password protected because AV scanners can't scan inside a password-protected
It will take some time; however, the companies that can do this quickly will benefit. Companies that block zips don't have to worry about one bypassing their antivirus scanners or other filters they have in place. We've seen a number of worms lately that have entered networks through .zip files. What can you tell us about that?
In the past, .zip files were thought to be "safe," so many people think they're getting them for a legitimate reason. Virus writers will continue to use .zip and other file types perceived as safe to bypass gateway filtering because they know that most medium to large corporations are now blocking executable file attachments.
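The inspection measures described above (look inside .zip attachments, refuse blocked file types and password-protected members that AV cannot scan, delay what cannot be inspected), as an added Python example that is not part of the original interview; the blocked-extension list, the nesting limit and the sample archives are constructed for the demo.

```python
import io
import struct
import zipfile
from os.path import splitext

BLOCKED = {".exe", ".scr", ".pif", ".vbs"}  # unsafe types named in the measures above
MAX_DEPTH = 2  # nested archives beyond this depth are delayed for manual review

def inspect_zip(data: bytes, depth: int = 0):
    """Return (verdict, reasons); verdict is 'deny', 'delay' or 'allow'."""
    findings = []  # (severity, message) pairs
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "deny", ["not a valid zip archive"]
    for info in zf.infolist():
        name, ext = info.filename, splitext(info.filename)[1].lower()
        # Flag bit 0 = encrypted member: AV cannot scan it, so refuse rather than pass it.
        if info.flag_bits & 0x1:
            findings.append(("deny", f"{name}: password-protected member"))
        elif ext == ".zip":  # inspect nested archives instead of trusting them
            if depth + 1 > MAX_DEPTH:
                findings.append(("delay", f"{name}: nested too deeply to inspect"))
            else:
                verdict, reasons = inspect_zip(zf.read(name), depth + 1)
                findings += [(verdict, f"{name}/{r}") for r in reasons]
        elif ext in BLOCKED:
            findings.append(("deny", f"{name}: blocked extension {ext}"))
    severities = {sev for sev, _ in findings}
    verdict = "deny" if "deny" in severities else "delay" if findings else "allow"
    return verdict, [msg for _, msg in findings]

def build_sample(entries: dict) -> bytes:
    """Construct an in-memory archive for the demo (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data: bytes, name: str) -> bytes:
    """Demo fixture: set the 'encrypted' flag on one central-directory entry so the
    inspector sees a password-protected member (zipfile cannot write real ones)."""
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        fname_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + fname_len] == name.encode():
            flags = struct.unpack_from("<H", data, pos + 8)[0] | 0x1
            return data[:pos + 8] + struct.pack("<H", flags) + data[pos + 10:]
        pos = data.find(b"PK\x01\x02", pos + 1)
    raise KeyError(name)
```

A double extension such as `invoice.pdf.exe` is judged by its final extension, which is what the gateway actually hands to the operating system.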