We've answered the question about what the email antivirus scanners in messaging security gateways and UTM firewalls...
should be scanning. In addition, some email gateways have an additional option: blocking certain attachment types.
Some email managers have asked for the ability to stop certain types of files from coming through the system. The premise is simple: some types of files are rarely legitimately sent. A good example would be a file with an extension of .BAT. Yes, IT people do occasionally and legitimately send .BAT files. But all of the non-IT people in an organization should not be getting .BAT files. And if they do get .BAT files, then they are probably getting into trouble with them.
This leads to a lot of antivirus configurations that delete certain body parts from email messages. Good products let you do this in three different ways:
- By the filename of the body part (such as *.mp3)
- By the MIME label (such as MIME type "audio/mpeg")
- By the fingerprint of the file as detected by the email gateway (such as "audio files").
A key consideration: The only reason to look at types of email body parts is to block them from entering your organization. Don't use these features to exempt certain types of data files from virus scanning. Remember: Computers are cheap, people are expensive, and (more importantly) attackers are constantly moving their attack vectors. Any attempt to optimize your antivirus configuration to speed performance is going to eventually compromise security.
Blocking certain types of files from entering via email is more of a business-by-business decision. Going one way or the other can't be classified as a best practice. You have to fit the configuration of the email gateway to the type of organization, the skill sets of the people using email, and the kind of data that normally moves in and out of your organization via email.
You can easily go too far in this and frustrate people who have a legitimate need to move data to do their jobs. I have a wonderful -- and true -- story about a publishing company where the email manager decided that Microsoft Word files were just too dangerous to let in and out of his network. You can imagine how long that ban stayed in place.
You can also keep people out of trouble by doing a little email sanitizing and removing temptation to do the wrong thing.
My best advice in this area is to take a relaxed view. Your antivirus tool will probably have a list of common file types to block (executables and semi-executables such as .BAT files are common), but don't spend a lot of time trying to fine-tune or extend this list. Your goal should be to block obvious problem vectors that have no legitimate business need, not to try and whitelist every document type that is in use within your company.
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
Send comments on this technical tip to firstname.lastname@example.org.