Preventing the new Windows WMF exploit?
Posted: Fri Dec 30, 2005 1:20 pm
by bluemike
In light of the growing popularity of the new zero-day Windows exploit (and the fact that all my workstations are Windows-based), I have a question.
http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.WMF_0day
Can I have Scalix automatically cull all WMFs from any incoming message? Or is that even possible? Our firewalls here don't support any kind of proxy content filtering, so any malformed WMF coming in an email is potentially dangerous.
Posted: Fri Dec 30, 2005 2:28 pm
by ScalixSupport
I thought we had a solution in the knowledgebase but sadly I was mistaken.
You can filter out attachments on the incoming unix g/w as follows:
- Edit /var/opt/scalix/sys/mime.types and add the following: just under the line
Code:
# Wildcards must go at the start of the list
Obviously, replace <tab> with a TAB character.
- Edit /var/opt/scalix/sys/general.cfg and add the line
- Restart the unix g/w and router
Code:
omoff -d0 unix router
omon unix router
This tells the unix g/w that anything which has a .wmf extension should be given Scalix filecode 2188 which happens to mean virus infected file. The general.cfg setting tells the Service Router that any attachment with filecode 2188 is to be removed.
If you want to add more extensions, you can have up to 5 on the same line after which you need to create a new line with the same data but different extensions.
Cheers
Dave
Posted: Fri Dec 30, 2005 4:53 pm
by bluemike
That did it! Thanks a lot!
One question: in putting multiple extensions on one line, are they separated with a tab? comma?
Posted: Fri Dec 30, 2005 4:55 pm
by ScalixSupport
Sorry, I should have mentioned that. The extensions are space-separated.
Cheers
Dave
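The filter described in this thread matches on the attachment's file name only. As an added example (not part of the original posts and not Scalix code), this Python code applies the same cull to a parsed message and also checks the WMF header bytes, so a WMF file that arrives under another extension is removed too. The function names and the sample message are constructed for illustration.

```python
# Added illustration, not Scalix code; names and sample data are constructed.
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".wmf"}        # same idea as the extension list in the thread
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable-WMF magic 0x9AC6CDD7, little-endian

def looks_like_wmf(data: bytes) -> bool:
    """True if the payload starts with a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def strip_wmf(raw: bytes):
    """Return (cleaned message bytes, names of the removed attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for container in [p for p in msg.walk() if p.is_multipart()]:
        kept = []
        for part in container.get_payload():
            if part.is_multipart():      # nested containers are filtered on their own pass
                kept.append(part)
                continue
            name = part.get_filename() or ""
            body = part.get_payload(decode=True) or b""
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in BLOCKED_EXTENSIONS or looks_like_wmf(body):
                removed.append(name or "<unnamed>")
            else:
                kept.append(part)
        container.set_payload(kept)
    return msg.as_bytes(), removed

def build_sample() -> bytes:
    """Constructed message: a .wmf file, the same bytes named .jpg, and a text file."""
    msg = EmailMessage()
    msg.set_content("hello")
    wmf_header = PLACEABLE_KEY + b"\x00" * 18
    msg.add_attachment(wmf_header, maintype="application", subtype="octet-stream", filename="chart.wmf")
    msg.add_attachment(wmf_header, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"plain notes", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print("removed:", strip_wmf(build_sample())[1])
```

An extension-only filter would have passed photo.jpg; the header check is what catches it.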