To Allow or Not Allow E-Mail Attachments?

t0pper311 asks: "I work for a pretty large utility company in the midwest and of course, security is a big concern. We use Trend Micro as a mail gateway to basically scan for virii and strip off most attachments like executables or VB script. Now with the Sobig.E virus on the loose, we need to ask ourselves if we should be blocking ZIP files. We got lucky this time and were not effected, but what about next time? What are other companies doing? If you do block ZIP files, how do you give the people who need to sends files the ability to do so? Do you allow any attachments at all?"

You get a virii scanner that can deal with zip..

Pretty simple really.

Given that most users love to download crap via hotmail etc. , lets hope you have a virus scanner on their PC too.

Similar issue happened like 10 years ago

[Smartcowboy]

10 years ago, on BBS (bulletin board system), every time someone uploaded something, the system automatically unpacked the { zip | rar | arj } on a temp directory. Then the content of the archive were automatically checked for virii with *MANY* anti-virus like MacAfee, FProt and MSAV (if the BBS were DOS-based). If the archive passed the test, it was made available to download by other user. Then, the temp directory was cleaned.

Business Risk versus Security Risk

[RedPhoenix]

This, and similar issues, have cropped up at a few of our customer sites over the years. There are situations where bringing in (documents/zip files/spreadsheets/etc.) are an essential part of making organisation function.

Whilst you can implement technical countermeasures to reduce your security risk somewhat, such as installing virus checkers that are able to unzip/unarj/unrar, keeping virus signature definitions up to date, quarantine incoming attachments.. etc, you really need to compare your security risk profile, with the business risk associated with NOT receiving these attachments.

This would normally be the function of your organisational risk assessment - it would compare the likely harm of virus infection, against the loss of capability as a result of not receiving the documents/zip files in question.

Which way you go, really depends on the threat/risk/harm/countermeasure equasion, which is unique to your organisation. However, a quick 'cheat' check:
* How badly is it going to hurt your organisation overall, if attachments don't come in?
* Do you have the resources to quickly clean up a virus attack if one makes it through?

- If you're a small organisation, with adequate IT staff numbers, and receiving attachments is pretty essential to your normal business... it's probably worth allowing things through.

- If your IT staff numbers are limited such that a virus attack would be a major cleanup effort, or attachments aren't all that critical, then block them, or quarantine them by redirecting them to technically literate help-desk users (who can forward them internally after checking them out).

However, make sure that you make it relatively painless for users to get their files. If you're really anal about things, they'll just open up a hotmail/yahoo/whatever account, ask people to send attachements there instead, and download just like a normal web link.

Red.

Re:You get a virii scanner that can deal with zip.

[Jucius+Maximus]

"Given that most users love to download crap via hotmail etc. , lets hope you have a virus scanner on their PC too."

That is true. At one company I worked (with several thousand employees) there was an virus outbreak every one or two weeks on the corporate network.

This reduced to once or twice per year after they blocked off hotmail, yahoo mail, lycos mail, ICQ, AIM, etc. And really, if you are smary enough to get around this an use a small webmail provider then you're smart enough to not download a virus as well.