5 Replies Latest reply on Jun 25, 2010 12:32 PM by epoguy

    VSE 8.7i Bogus Suspicious File Extension Errors

      VSE is tripping on files with multiple periods in the name, as if they had multiple file extensions.  Files with names like "Version 1.1.5.doc" are being trapped.  Is there any way to edit VSE rules like you can do with HIPS?  What I would like is somehow to tell the VSE rules to ignore file names that end in MS Office extensions.


      VSE 8.7i

      Event ID:  1101 & 1102

      Threat Name:  Suspicious File Extensions

      Threat Type:  Virus

        • 1. Re: VSE 8.7i Bogus Suspicious File Extension Errors
          Attila Polinger

          Hi,

          In the on-delivery email scan module, under heuristics, there is a checkbox: "Find attachments with multiple extensions". Perhaps you need to disable this checkbox to stop generating such alerts.

          Attila

          • 2. Re: VSE 8.7i Bogus Suspicious File Extension Errors

            Thanks, you solved 99% of my problem.  Unfortunately, they use a check box, so you can't tune that option.  VSE doesn't understand the difference between ".1.doc" and ".doc.exe".  One is probably a legitimate email attachment and the other is an attack.

            • 3. Re: VSE 8.7i Bogus Suspicious File Extension Errors
              rmetzger

              epoguy wrote:

              Thanks, you solved 99% of my problem.  Unfortunately, they use a check box, so you can't tune that option.  VSE doesn't understand the difference between ".1.doc" and ".doc.exe".  One is probably a legitimate email attachment and the other is an attack.

              Attila will probably confirm this, but I don't think you need to 'tune' this at all. VSE will still scan .xxx.exe files under normal circumstances regardless of the check box settings on this option. That setting is intended to catch all files with multiple 'extensions' regardless of the actual extension. It is a very simple rule which was effective years ago, but in my humble opinion, is not very useful today. (Most malware, and particularly trojans, are more sophisticated today than simply changing the extension in order to hide executables, which I believe is the technique this option is trying to block.)

              As long as you have at least the Default extensions scanned (in OAS and ODS) then this should be covered. Also, make sure that if these files are coming in via email, that you have the email add-on for Outlook running at the client or at least at your Exchange server. If you are using some other email client, ensure that MIME files are getting scanned in ODS to catch attachments that may be problematic.

              I hope this is helpful.

              Ron Metzger

              • 4. Re: VSE 8.7i Bogus Suspicious File Extension Errors
                Attila Polinger

                Hi,

                I absolutely second Ron's views.

                I just would like to tell you of our practice: we do not use VirusScan to scan email messages; we use a groupware email scanner on the internal mail server.

                And I would by all means start with creating a file filtering policy in the groupware antivirus scanner that blocks every executable attachment in mail, no matter what. And I would not use the double extension blocking if I had one.

                Attila
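
                The distinction epoguy draws in reply 2 (".1.doc" versus ".doc.exe") and the executable-attachment block Attila describes in reply 4 can both be expressed as a small name-based policy. The following is an added example written for this thread, not code from McAfee VSE or from any poster; the extension lists, the verdict names ("block", "review", "allow") and the sample file names are assumptions made for illustration. It decides on the final extension (the only one Windows acts on), treats all-numeric middle segments as a version string, and adds the content check a practitioner would want, since the name is attacker-controlled.

```python
"""Attachment-name policy that tells a dotted version string
("Version 1.1.5.doc") apart from a disguised executable ("invoice.doc.exe").
Hypothetical policy code written for this thread, not McAfee's; the
extension lists and verdict names are assumptions for illustration."""
import re

# Extensions that run or carry active content when double-clicked on Windows
# (assumed list; extend to match your own gateway policy).
EXECUTABLE_EXTENSIONS = frozenset({
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "cpl", "lnk", "jar", "reg",
})
# Final extensions this policy treats as ordinary documents (assumed list).
DOCUMENT_EXTENSIONS = frozenset({
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "csv",
})
RLO = "\u202e"  # right-to-left override: "x\u202ecod.exe" displays as "xexe.doc"


def normalise(filename):
    """Lower-case and drop trailing dots/spaces; Windows strips those when the
    file is created, so "run.exe. " ends up on disk as run.exe."""
    return filename.strip().rstrip(". ").lower()


def classify_name(filename):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'.

    Only the final extension decides what Windows will execute. Segments
    before it are examined separately, so a version string such as 1.1.5
    is not penalised while an executable name hidden mid-string is flagged."""
    if RLO in filename:
        return "block", "right-to-left override character in name"
    parts = normalise(filename).split(".")
    if len(parts) < 2 or parts[-1] == "":
        return "review", "no extension"
    final, middle = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTENSIONS:
        # "invoice.doc.exe": the .doc is decoration, .exe is what runs
        return "block", "executable extension ." + final
    hidden = [m for m in middle if m in EXECUTABLE_EXTENSIONS]
    if hidden:
        # "setup.exe.doc" opens as a document, but the name is a disguise attempt
        return "review", "executable segment .%s before .%s" % (hidden[0], final)
    if final not in DOCUMENT_EXTENSIONS:
        return "review", "unlisted extension ." + final
    if middle and all(re.fullmatch(r"\d+", m) for m in middle):
        # "Version 1.1.5.doc": every middle segment is numeric
        return "allow", "dotted version string with document extension"
    return "allow", "document extension ." + final


def classify(filename, data=b""):
    """Name check plus a content check: a PE image (MZ header) is blocked
    whatever the name says, because the name is chosen by the sender."""
    if data[:2] == b"MZ":
        return "block", "PE header (MZ) in content despite name"
    return classify_name(filename)


if __name__ == "__main__":
    # Constructed sample names for demonstration, not real mail data.
    samples = ["Version 1.1.5.doc", "invoice.doc.exe", "setup.exe.doc",
               "report.final.docx", "run.exe. ", "photo\u202egpj.exe",
               "archive.zip", "README"]
    for name in samples:
        verdict, reason = classify(name)
        print("%-24r %-6s %s" % (name, verdict, reason))
```

Run as a script to see the verdict for each constructed sample. The point of the split is that "Version 1.1.5.doc" and "invoice.doc.exe" both have "multiple extensions" to a checkbox-style rule, but only the second ends in something Windows will execute; the content check catches a renamed .exe that the name check would pass.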

                • 5. Re: VSE 8.7i Bogus Suspicious File Extension Errors

                  Thanks fellahs!  This is why I am a part of this community.