Is stripping .zip files at the gateway the best way to mitigate these threats? Are there less severe measures?
A default-deny approach at the gateway is the best approach, permitting only file types that are needed to do business. Always block attachments that are unsafe, e.g. .exe, .scr, .pif, .vbs, .zip, etc.
Other measures enterprises can take include:
- Rename files that contain .zip or other executable or blocked extensions.
- Delay .zip files for a short period of time.
- Inspect the contents of .zip files and deny, delay or rename attachments that are unsafe.
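The following is an added example, not part of the interview and not code from Bruce Hughes or the Wild List. It sketches how a gateway could apply the three measures listed above in Python: rename attachments with blocked extensions, look inside .zip files (including nested archives), and deny or delay what it finds unsafe. Password-protected entries are denied outright because a scanner cannot see inside them. The blocked-extension list is the one named in the answer; the nesting and inflation thresholds, the `.blocked` suffix, and the sample archives are assumptions constructed for the example.

```python
"""Gateway-side inspection of .zip e-mail attachments (added example, assumptions marked)."""
import io
import os
import zipfile
from dataclasses import dataclass, field

# Executable types the interview names as unsafe; .zip is handled by inspection instead.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}
RENAME_EXTENSIONS = EXECUTABLE_EXTENSIONS | {".zip"}
MAX_NESTING = 2            # assumed policy: archives nested deeper are held for review
MAX_INFLATE_RATIO = 100    # assumed policy: very high compression ratios are held (archive bombs)


@dataclass
class Verdict:
    action: str                                  # "allow", "deny" or "delay"
    reasons: list = field(default_factory=list)  # one line per finding, most severe first


def rename_blocked(filename: str) -> str:
    """Less severe measure: neutralise a blocked extension so the mail client will not run it."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in RENAME_EXTENSIONS:
        return f"{root}{ext}.blocked"  # assumed naming convention
    return filename


def _inspect(data: bytes, depth: int, reasons: list) -> None:
    """Walk one archive level, recording deny/delay findings; recurse into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        reasons.append("deny: attachment is not a valid zip archive")
        return
    for info in zf.infolist():
        name = info.filename
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            reasons.append(f"deny: {name} is password protected and cannot be scanned")
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext == ".zip":
            if depth >= MAX_NESTING:
                reasons.append(f"delay: {name} nested deeper than {MAX_NESTING}, hold for review")
                continue
            _inspect(zf.read(name), depth + 1, reasons)
        elif ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"deny: {name} has blocked extension {ext}")
        if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
            reasons.append(f"delay: {name} inflates {info.file_size // info.compress_size}x, possible archive bomb")


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Apply the policy to one attachment: block executables by name, inspect .zip contents."""
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".zip":
        if ext in EXECUTABLE_EXTENSIONS:
            return Verdict("deny", [f"deny: blocked attachment type {ext}"])
        return Verdict("allow")
    reasons: list = []
    _inspect(data, 1, reasons)
    # Most severe outcome wins: deny > delay > allow.
    if any(r.startswith("deny") for r in reasons):
        return Verdict("deny", reasons)
    if any(r.startswith("delay") for r in reasons):
        return Verdict("delay", reasons)
    return Verdict("allow", reasons)


# ---- constructed sample archives for demonstration (not real malware) ----
def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set flag bit 0 in every local (PK\\x03\\x04) and central (PK\\x01\\x02) header so the
    archive presents as password protected; test data only, no real encryption is applied."""
    b = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x01
            i = b.find(sig, i + 1)
    return bytes(b)


SAMPLES = {
    "report.zip": _make_zip({"report.pdf": b"%PDF-1.4 constructed"}),
    "invoice.zip": _make_zip({"invoice.pdf.exe": b"MZ constructed"}),
    "locked.zip": _mark_encrypted(_make_zip({"payload.bin": b"constructed"})),
    "nested.zip": _make_zip({"a.zip": _make_zip({"b.zip": _make_zip({"c.txt": b"x"})})}),
    "bomb.zip": _make_zip({"zeros.bin": b"\x00" * 1_000_000}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        v = inspect_attachment(fname, blob)
        print(f"{fname:12} -> {v.action:5} {'; '.join(v.reasons)}")
    print(rename_blocked("tool.exe"), rename_blocked("notes.txt"))
```

Run as a script it prints one verdict per sample archive. The design makes "delay" the fallback for anything that merely looks odd (deep nesting, extreme compression) while reserving "deny" for what the answer calls unsafe: executable extensions and password-protected content that no scanner can inspect.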
You've alluded to .zip files as being a longstanding threat; if that's the case, why don't more enterprises filter them at the gateway?
I think it hasn't been a big enough problem and is just now reaching the boiling point. I believe we'll start to see more and more corporations filtering .zip files from this point on.
What other kinds of threats do .zip files pose to enterprise networks? Other users?
Most corporations block files like screen savers (.scr) and Visual Basic Scripts (.vbs) at the e-mail gateway. Antivirus scanners can scan .zip files and stop them if a virus is detected. Unfortunately, if they don't detect something known to be malicious, they allow it to go through. If the .zip format wasn't used, it would have been blocked like other unsafe file attachments. It's worse if the .zip file is password protected, because AV scanners can't scan inside a password-protected file.
How long will it take enterprises to learn to filter them?
It will take some time; however, the companies that can do this quickly will benefit. Companies that block zips don't have to worry about one bypassing their antivirus scanners or other filters they have in place.
We've seen a number of worms lately that have entered networks through .zip files. What can you tell us about that?
In the past, .zip files were thought to be "safe," so many people think they're getting them for a legitimate reason. Virus writers will continue to use .zip and other file types perceived as safe to bypass gateway filtering because they know that most medium to large corporations are now blocking executable file attachments.
Bruce Hughes, Moderator, Wild List