
Preemptive Protection: Blocking Files by Filename Extensions

Attack ID: CPSA-2004-05
Publish Date:
Last Update:
Category: Microsoft Windows
Vulnerable Systems: Microsoft Windows systems
Source: SmartDefense Research Center
Description: Some of the most dangerous programs (viruses, Trojans and worms) are spread through email attachments and file-sharing applications. VPN-1 NG with Application Intelligence R54 and later versions can block filename extensions that are considered unsafe and allow only safe filename extensions.
Severity:
Details:

Check Point offers several means of blocking potentially malicious files by their filename extensions. These include the HTTP Worm Catcher and the Microsoft CIFS worm catcher (both pattern-based), as well as the SMTP Security Server, which allows an SMTP resource to be used in the rule base.

Attack Detection:

After applying the solution outlined below, use SmartView Tracker to identify attempts to transfer SMTP, HTTP or CIFS traffic that contains attachments or files with unsafe filename extensions.

An example of an SMTP log:
Information: reason: Forbidden MIME attachment stripped

An example of a CIFS log:
Attack Name: CIFS worm
Attack Information: CIFS worm pattern detected: winnt filename.someextension

Solution:

Users of VPN-1 NG with Application Intelligence R54, R55, R55W and InterSpect can block file extensions in the following ways:

  • Blocking network access to .somefile via HTTP Worm Catcher.
  • Blocking network access to .somefile via CIFS Worm Catcher.
  • Blocking .somefile via the SMTP Security Server (SMTP Resource).

To block network access to .somefile via the HTTP Worm Catcher
Solution designed for: R54, R55, R55W, InterSpect

  1. On the SmartDefense navigation tree, click Application Intelligence > Web > General HTTP Worm Catcher (Users of R55W should go to the Web Intelligence navigation tree, click Malicious Code > General HTTP Worm Catcher); the General HTTP Worm Catcher window appears.
  2. Click Add; the Worm Pattern Settings window appears.
  3. Enter '\.somefile$' in the Pattern String pane. The window displays a checksum for the pattern, which should be unique; for example, '\.scr$' generates 0xa66e7de4.
  4. Activate Settings (InterSpect) or Install Policy on all modules (R54, R55, R55W).

To block network access to .somefile via the CIFS Worm Catcher
Solution designed for: R54, R55, R55W, InterSpect

  1. On the SmartDefense navigation tree in SmartDashboard, select Application Intelligence > Microsoft Networks > File and Print Sharing; the File and Print Sharing window appears.
  2. Click Add; the Worm Pattern Settings window appears.
  3. Enter '\.somefile$' (for example, '\.jse$') in the Pattern String pane. The window displays a checksum for the pattern, which should be unique.
  4. Activate Settings (InterSpect) or Install Policy on all modules (R54, R55, R55W).

To block malicious filenames via the SMTP Security Server (SMTP Resource):
Solution designed for: R54, R55, R55W

  1. Create a new SMTP Resource and give it a name (Manage > Resources).
  2. Select the Action2 tab. In the Strip file by name field, enter

    {*.ade, *.adp, *.app, *.asx, *.bas, *.bat, *.chm, *.cmd, *.com, *.cpl, *.cer, *.crt, *.exe, *.fxp, *.hlp, *.hta, *.inf, *.ins, *.isp, *.js, *.jse, *.lnk, *.mda, *.mdb, *.mde, *.mdt, *.mdw, *.mdz, *.msc, *.msi, *.msp, *.mst, *.ops, *.pcd, *.pif, *.prf, *.prg, *.pst, *.reg, *.scf, *.scr, *.sct, *.shb, *.shs, *.url, *.vb, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh}  

  3. Place the new SMTP resource in a rule.
  4. Install Policy on all modules. 
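The three procedures above all come down to the same two checks: an anchored pattern such as '\.scr$' applied to a filename (the HTTP and CIFS worm catchers), and a glob list such as *.exe applied to the names of MIME attachments (the SMTP Resource's "Strip file by name"). The following is an added example, written for this page and not Check Point code, that performs both checks in Python on a constructed sample message so the behaviour can be seen end to end. It assumes case-insensitive matching (Windows filenames are case-insensitive; the page does not state how the gateway compares case), and it reproduces the log reason "Forbidden MIME attachment stripped" as the notice left in place of a stripped part.

```python
"""Added example: extension blocking in the style of the worm catcher
patterns and the SMTP Resource strip list described above.
Not Check Point code; the sample message below is constructed."""
import fnmatch
import re
from email import message_from_string
from email.message import Message

# Worm-catcher style patterns: a literal dot, the extension, anchored with '$'
# so that 'notes.scr.txt' is NOT matched by '\.scr$'.
WORM_PATTERNS = (r"\.scr$", r"\.jse$")

# The "Strip file by name" list from the SMTP Resource procedure (glob syntax).
STRIP_GLOBS = (
    "*.ade", "*.adp", "*.app", "*.asx", "*.bas", "*.bat", "*.chm", "*.cmd",
    "*.com", "*.cpl", "*.cer", "*.crt", "*.exe", "*.fxp", "*.hlp", "*.hta",
    "*.inf", "*.ins", "*.isp", "*.js", "*.jse", "*.lnk", "*.mda", "*.mdb",
    "*.mde", "*.mdt", "*.mdw", "*.mdz", "*.msc", "*.msi", "*.msp", "*.mst",
    "*.ops", "*.pcd", "*.pif", "*.prf", "*.prg", "*.pst", "*.reg", "*.scf",
    "*.scr", "*.sct", "*.shb", "*.shs", "*.url", "*.vb", "*.vbe", "*.vbs",
    "*.wsc", "*.wsf", "*.wsh",
)

STRIP_NOTICE = "Forbidden MIME attachment stripped"


def worm_pattern_matches(name, patterns=WORM_PATTERNS):
    """True if any anchored pattern matches the filename.
    Case-insensitive matching is an assumption of this example."""
    return any(re.search(p, name, re.IGNORECASE) for p in patterns)


def name_is_forbidden(filename, globs=STRIP_GLOBS):
    """Glob match of the whole declared filename, as 'Strip file by name' does.
    fnmatchcase is used with lower-cased input so the result does not depend
    on the host OS; 'Invoice.PDF.exe' matches '*.exe'."""
    lowered = filename.lower()
    return any(fnmatch.fnmatchcase(lowered, g.lower()) for g in globs)


def strip_forbidden_attachments(msg: Message, globs=STRIP_GLOBS):
    """Replace every attachment whose declared filename matches the list with a
    plain-text notice. Returns the list of stripped filenames.
    Caveat: a part with no filename is left alone, because the check is by
    name only, not by content."""
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename or not name_is_forbidden(filename, globs):
            continue
        stripped.append(filename)
        # Drop the binary body and the headers that described it.
        del part["Content-Transfer-Encoding"]
        del part["Content-Disposition"]
        part.set_type("text/plain")
        part.del_param("name")
        part.set_payload(f"[{STRIP_NOTICE}: {filename}]")
    return stripped


def strip_from_text(raw):
    """Parse a raw RFC 2822 message, strip forbidden attachments, and return
    (stripped filenames, rewritten message text)."""
    msg = message_from_string(raw)
    names = strip_forbidden_attachments(msg)
    return names, msg.as_string()


# Constructed sample: one forbidden attachment with a double extension and
# one legitimate PDF. The base64 bodies are short placeholders.
SAMPLE_MAIL = """\
From: sender@example.com
To: rcpt@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see attached.
--XYZ
Content-Type: application/octet-stream; name="Invoice.PDF.exe"
Content-Disposition: attachment; filename="Invoice.PDF.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

if __name__ == "__main__":
    for n in ("screensaver.scr", "SCRIPT.JSE", "notes.scr.txt"):
        print(n, "worm pattern match:", worm_pattern_matches(n))
    names, rewritten = strip_from_text(SAMPLE_MAIL)
    print("stripped:", names)
    print(rewritten)
```

Two points the example makes that the procedures alone do not: the '$' anchor in the worm-catcher pattern is what keeps 'notes.scr.txt' from matching '\.scr$', and the SMTP strip list matches only the declared filename, so an executable sent without a filename, or with a permitted extension, passes this check and has to be caught by something else.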
Industry Reference:
Additional Information:

Microsoft Knowledge Base Article 829982
CPSA-2003-01