How to configure email antivirus scanners to block only when necessary

We've answered the question about what the email antivirus scanners in messaging security gateways and UTM firewalls should be scanning. In addition, some email gateways have an additional option: blocking certain attachment types.

Some email managers have asked for the ability to stop certain types of files from coming through the system. The premise is simple: some types of files are rarely legitimately sent. A good example would be a file with an extension of .BAT. Yes, IT people do occasionally and legitimately send .BAT files. But all of the non-IT people in an organization should not be getting .BAT files. And if they do get .BAT files, then they are probably getting into trouble with them.

This leads to a lot of antivirus configurations that delete certain body parts (the individual MIME parts that make up a message) from email. Good products let you do this in three different ways:

  1. By the filename of the body part (such as *.mp3)
  2. By the MIME label (such as MIME type "audio/mpeg")
  3. By the fingerprint of the file as detected by the email gateway (such as "audio files").

A key consideration: The only reason to look at types of email body parts is to block them from entering your organization. Don't use these features to exempt certain types of data files from virus scanning. Remember: Computers are cheap, people are expensive, and (more importantly) attackers are constantly moving their attack vectors. Any attempt to optimize your antivirus configuration to speed performance is going to eventually compromise security.
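To make the three checks concrete, here is an added example (not code from the article or from any gateway product) that applies all three to a message: a filename pattern, the MIME label the sender chose, and a content fingerprint taken from the leading bytes of the decoded part. It uses only Python's standard email library; the blocklists, the two fingerprint signatures and the sample message are constructed for illustration. The point it demonstrates beyond the text is why the third check exists: the filename and MIME label are whatever the sender wrote, so a mislabeled part passes the first two checks and is caught only by the fingerprint. Per the caveat above, the filter only decides what to strip; it never exempts a part from scanning.

```python
import fnmatch
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The three ways the tip lists, as a constructed sample policy (not a recommended list):
# 1. filename patterns of the body part
BLOCKED_NAME_PATTERNS = ["*.bat", "*.exe", "*.mp3"]
# 2. the MIME label the sender put on the part
BLOCKED_MIME_TYPES = {"audio/mpeg", "application/x-msdownload"}
# 3. the content fingerprint; a real gateway uses a full file-type library,
#    two well-known leading-byte signatures stand in for it here
FINGERPRINTS = {b"MZ": "windows executable", b"ID3": "audio file"}


def fingerprint(payload: bytes):
    """Label the content by its leading bytes, independent of filename or MIME label."""
    for magic, label in FINGERPRINTS.items():
        if payload.startswith(magic):
            return label
    return None


def part_verdict(part):
    """Return the list of reasons (possibly empty) to strip one attachment part."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if any(fnmatch.fnmatch(name, pat) for pat in BLOCKED_NAME_PATTERNS):
        reasons.append(f"filename {name!r} matches blocklist")
    ctype = part.get_content_type()
    if ctype in BLOCKED_MIME_TYPES:
        reasons.append(f"MIME type {ctype!r} is blocked")
    label = fingerprint(part.get_payload(decode=True) or b"")
    if label is not None:
        reasons.append(f"content fingerprint is {label!r}")
    return reasons


def filter_message(raw: bytes):
    """Parse a raw message, strip blocked top-level attachments, and return
    (cleaned message, report mapping filename -> reasons).  Parts without a
    filename (the text body) are always kept.  This only decides what to strip;
    every part, kept or not, still goes through the virus scanner."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    if not msg.is_multipart():
        return msg, report
    kept = []
    for part in msg.get_payload():
        reasons = part_verdict(part) if part.get_filename() else []
        if reasons:
            report[part.get_filename()] = reasons
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, report


def build_sample() -> bytes:
    """Constructed sample message: a text body plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    # blocked by filename: the obvious case the tip mentions
    msg.add_attachment(b"@echo off\r\necho hello\r\n", maintype="application",
                       subtype="octet-stream", filename="run.bat")
    # mislabeled: executable header bytes under a harmless name and MIME label;
    # only the fingerprint check catches it
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="text",
                       subtype="plain", filename="notes.txt")
    # legitimate document: kept
    msg.add_attachment(b"Quarterly report text", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    cleaned, report = filter_message(build_sample())
    for name, reasons in report.items():
        print(f"stripped {name}: {'; '.join(reasons)}")
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```

Running it strips run.bat on the filename rule and notes.txt on the fingerprint rule, and keeps report.pdf. The filter only looks at top-level parts of a multipart/mixed message; a gateway would also recurse into nested multiparts and archives.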


Blocking certain types of files from entering via email is more of a business-by-business decision. Going one way or the other can't be classified as a best practice. You have to fit the configuration of the email gateway to the type of organization, the skill sets of the people using email, and the kind of data that normally moves in and out of your organization via email.

You can easily go too far in this and frustrate people who have a legitimate need to move data to do their jobs. I have a wonderful -- and true -- story about a publishing company where the email manager decided that Microsoft Word files were just too dangerous to let in and out of his network. You can imagine how long that ban stayed in place.

You can also keep people out of trouble by doing a little email sanitizing and removing temptation to do the wrong thing.

My best advice in this area is to take a relaxed view. Your antivirus tool will probably have a list of common file types to block (executables and semi-executables such as .BAT files are common), but don't spend a lot of time trying to fine-tune or extend this list. Your goal should be to block obvious problem vectors that have no legitimate business need, not to try to whitelist every document type that is in use within your company.

Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.

Send comments on this technical tip to editor@searchmidmarketsecurity.com.

This was first published in April 2009
