One of the largest challenges the I.T. industry faces in intercepting viruses is eliminating the narrow window of opportunity in which brand-new virus variants can penetrate multi-tier defences before companies like Symantec or McAfee are aware of them and can produce new definitions or DAT files for distribution.
One article I read regarding this problem, “Worms spur new defences” in eWeek The Enterprise Newsweekly of August 2, 2004, reads:
“We can’t stop files from coming in. … We have to find creative ways to say yes to that information flow, while managing it effectively and protecting our users, often from themselves. That’s our job.” Bart Lansing, manager of desktop services.
… some [security teams] consider blocking all attachments before they reach the desktop as the only way to safeguard against widespread infection.
That was exactly how we handled ZIP files in the past after getting burned once. Staff and external contacts would have to rename their zip files and provide instructions in the email to let the recipient know the attachment would require renaming manually before it could be opened.
The extra headaches this produced encouraged my manager, who is a very good Software Engineer, to write some custom VB code that helps solve this problem at the IIS level on our SMTP gateway.
To include a little background info on our set-up here, we use GFI Mail Essentials to help reduce the amount of SPAM traffic bound for our Exchange server. Initially we had it installed locally on the Exchange server, but found it to be too labour-intensive for the machine, and Outlook performance degraded substantially for all users, to the point that people had that lynching look in their eyes if we didn’t do something soon. So we moved Mail Essentials into a gateway role on a clean member server and have all our inbound mail directed to the smart host for SPAM filtering before it is forwarded on to Exchange. This greatly improved things all around.
Now we took this opportunity to be creative and inject some custom programming into IIS. What my manager programmed was a utility that scans all incoming email with a ZIP file attachment. It compares the contents of the ZIP file against the main file-type block list most organizations deploy as standard: *.exe, *.vbs, *.com, etc. If any file inside the ZIP matches one of the prohibited types, it deletes the entire message. This all happens on the gateway server. We then send an email back to the sender, just in case it was a legitimate user, so they know to resend the email with the zipped contents renamed to *.ex_ or similar before they are zipped up. If the email does not violate the filter, it then moves on to the Exchange server where our normal Tier 2 Exchange virus filtering, a Symantec product, does its thing.
The ZipFilter utility is an SMTP event sink written in VB6. It hooks the OnArrival event in IIS.
This basically closes the hole, or window of opportunity, that would normally allow new virus-laden email with a zip file attachment to get through to the users' desktops. We are going to update the code shortly to include WinRAR files as well.
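The ZipFilter decision described above, written out as an added Python example (not the VB6 event sink from the post): it walks the ZIP listing, matches extensions case-insensitively, follows nested ZIPs to a bounded depth, and fails closed on archives it cannot read. The exact block list contents, MAX_NESTING and the build_zip helper are assumptions made for the demo.

```python
import io
import zipfile

# Extension block list of the kind the post describes (*.exe, *.vbs, *.com, etc.); constructed here
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".com", ".scr", ".pif", ".bat", ".cmd"}
MAX_NESTING = 3  # assumption: how deep to follow ZIPs inside ZIPs


def blocked_entries(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return names of entries whose extension is on the block list.

    Nested ZIPs are opened in memory and inspected up to MAX_NESTING levels.
    An archive that cannot be read is reported as a blocked entry so the
    gateway fails closed instead of forwarding what it could not inspect.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    for info in archive.infolist():
        lowered = info.filename.lower()  # case-insensitive: SETUP.EXE is still .exe
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(info.filename)
        elif lowered.endswith(".zip") and depth < MAX_NESTING:
            try:
                inner = archive.read(info)
            except RuntimeError:  # password-protected entry: cannot be inspected
                hits.append(f"{info.filename} (encrypted)")
                continue
            hits.extend(f"{info.filename}/{h}" for h in blocked_entries(inner, depth + 1))
    return hits


def should_delete_message(zip_bytes: bytes) -> bool:
    """Gateway decision from the post: any prohibited file in the ZIP drops the whole message."""
    return bool(blocked_entries(zip_bytes))


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP from {name: content} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    nested = build_zip({"readme.txt": b"hi", "more.zip": build_zip({"Update.VBS": b"x"})})
    print(should_delete_message(nested), blocked_entries(nested))
```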