Preventing the new Windows WMF exploit?

[bluemike]

In light of the growing popularity of the new zero-day WIndows exploit (and the fact that all my workstations are Windows-based), I have a question.

[url]href="http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.WMF_0day[/url]

I can have Scalix automatically cull all WMF's from any incoming message? Or is that even possible? Our firewalls here don't support any kind of proxy content filtering, so any malfored WMF coming in an email is potentially dangerous.[/url]

[ScalixSupport]

I thought we had a solution in the knowledgebase but sadly I was mistaken.

You can filter out attachments on the incoming unix g/w as follows:

1. Edit /var/opt/scalix/sys/mime.types and add the following:

   Code: Select all

   2188<tab>b<tab>*/*<tab>wmf
   just under the line

   Code: Select all

   # Wildcards must go at the start of the list
   Obviously, replace <tab> with a TAB character.
2. Edit /var/opt/scalix/sys/general.cfg and add the line

   Code: Select all

   SR_FILTER_TYPES_OF_ATT=2188
3. Restart the unix g/w and router

   Code: Select all

   omoff -d0 unix router
omon unix router

This tells the unix g/w that anything which has a .wmf extension should be given Scalix filecode 2188 which happens to mean virus infected file. The general.cfg setting tells the Service Router that any attachment with filecode 2188 is to be removed.

If you want to add more extensions, you can have up to 5 on the same line after which you need to create a new line with the same data but different extensions.

Cheers

Dave

[bluemike]

That did it! Thanks a lot!

One questions: in putting multiple extensions on one line, are they seperated with a tab? comma?

[ScalixSupport]

Sorry, I should have mentioned that. The extensions are space-separated.

Cheers

Dave