



Blocking executables


When a message or Web data is disassembled, the information contained in each component is assigned a classification. This classification is denoted by the ContainerClass attribute.

One of the classifications that may be assigned is Executable. This denotes that the information forms part of an executable image of an application. For example, it may be an executable, a dynamic link library or an OCX. The classification also includes ActiveX components.

MIMEsweeper can be configured to detect and block executables. This is achieved by editing the [Validation] configuration section, to ensure that the DetectExecutable directive is no longer commented out.

For MAILsweeper, the [Validation] configuration section is found in the validator configuration file, VALIDATE.CFG. For WEBsweeper, it is found in the HTTP and FTP configuration files, HTTP.CFG and FTP.CFG.

That is, change:

[Validation]
;DetectExecutable=VALATTR

to

[Validation]
DetectExecutable=VALATTR

The MIMEsweeper service(s) will have to be restarted for these changes to come into effect.
 
If DetectExecutable is activated for MAILsweeper, any message with an executable attached is discarded. The sender of the message is informed accordingly.
 
You may wish to block or allow executables for certain users or groups of users only.
 

This can be achieved by creating a new AMUcheck rule to name the users and then setting an attribute during AMUcheck validation. This attribute can subsequently be checked in the [DetectExecutable] configuration section, using a PerformIf directive (to block executables for certain users only) or a SkipIf directive (to allow executables for certain users only).

For example:

In AUTHFILE.TXT:

RESPONSE allow 
...
RESPONSE Allow_Executables PRIORITY 1
RESPONSE deny PRIORITY 2

FROM *@* 
  To *@* allow            ;allow everything

FROM user1@company.com    ;List of users allowed
     user2@company.com    ;to send executables.
     user3@company.com
  To *@* Allow_Executables

FINISH

A new AMUcheck rule is defined. In this example, the rule names the users who are allowed to send executables [1]. When the addresses of a message match this rule, the <Response> generated by AMUcheck is Allow_Executables.

A new RESPONSE statement is also listed in the first section of the file, to define the Allow_Executables <Response>.

In VALIDATE.CFG:

[AMU]
AuthFile=C:\MSW\CONFIG\AUTHFILE.TXT
If=Allow_Executables, AllowExecutable=TRUE, allow

If the <Response> generated by AMUcheck is Allow_Executables, an attribute called AllowExecutable is created, with the value TRUE. This is the attribute that is checked by the SkipIf directive in the [DetectExecutable] configuration section.

The <Response> is then reset to allow. This is the actual <Response> generated by AMUcheck. It allows the message to be delivered normally, assuming no higher priority <Response> is generated by one of the configured plug-in validator instances.

[DetectExecutable]
SkipIf=AllowExecutable==TRUE
HaveExecutable=ContainerClass==Executable

The value of the AllowExecutable attribute is checked in the [DetectExecutable] configuration section, using the SkipIf directive.

If the value is TRUE then checking by the [DetectExecutable] section is skipped.

For a similar configuration, using PerformIf to block executables for certain users only, see the blocking attachments example on page 5-29.

See the AMUcheck section on page 7-97 for more details. Also, for more details on the If, PerformIf and SkipIf directives, see the Common validator directives section on page 7-102.
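The following is an added example, not part of the MIMEsweeper documentation: a small Python audit of a VALIDATE.CFG-style file that reports whether DetectExecutable is still commented out and which AMUcheck response feeds a SkipIf or PerformIf exemption. The file syntax is assumed only from the fragments shown on this page; parse_cfg, audit and the sample text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the VALIDATE.CFG fragments shown on this page.
SAMPLE_CFG = r"""
[Validation]
;DetectExecutable=VALATTR

[AMU]
AuthFile=C:\MSW\CONFIG\AUTHFILE.TXT
If=Allow_Executables, AllowExecutable=TRUE, allow

[DetectExecutable]
SkipIf=AllowExecutable==TRUE
HaveExecutable=ContainerClass==Executable
"""

def parse_cfg(text):
    """Return {section: [(key, value, active)]}; lines starting with ';' are inactive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
            continue
        active = not line.startswith(";")
        key, sep, value = line.lstrip("; ").partition("=")
        if sep and current is not None:
            current.append((key.strip(), value.strip(), active))
    return sections

def audit(text):
    """List findings about executable blocking and any per-user exemption."""
    cfg = parse_cfg(text)
    findings = []
    det = [a for k, _, a in cfg.get("Validation", []) if k == "DetectExecutable"]
    if not any(det):
        findings.append("DetectExecutable is missing or commented out in [Validation]")
    for key, value, active in cfg.get("DetectExecutable", []):
        if active and key in ("SkipIf", "PerformIf"):
            attr = value.split("==")[0].strip()
            # Assumed If= layout, as on this page: <Response>, <attr>=<value>, <new Response>
            setters = [v.split(",")[0].strip() for k, v, a in cfg.get("AMU", [])
                       if a and k == "If" and re.search(rf",\s*{re.escape(attr)}\s*=", v)]
            if setters:
                findings.append(f"{key} on {attr}, set by AMUcheck response(s): {', '.join(setters)}")
            else:
                findings.append(f"{key} tests {attr}, but no [AMU] If= directive sets it")
    return findings
```

Calling audit(SAMPLE_CFG) returns two findings for the constructed sample: the directive is still commented out, and the SkipIf exemption is driven by the Allow_Executables response.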
 





[1] These users are allowed to send executables, so checking for executables can be skipped. This is achieved by including a SkipIf directive in the [DetectExecutable] section.

msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.