12-01-2009, 12:23 PM   #1
elavionsistemas
How to add double extension files

Greetings Programs,

Today I received the 1st scam file from South Africa, as always promoting a scandalous video:
The subject: [SPAM] Dinfunden Video intimo de Anahi y Maradona

The HTML mail has this IP inside.
*** WARNING: don't click the link. I scanned the file with ClamWin, avast, and Malwarebytes and none detected it as "dangerous", but I think it is a bad thing.

h**p://196.34.243.14/videos/televisa/televisa.php
** I reported this site with Firefox early in the morning, and at this moment I can't access it anymore, but before it was blocked I could download the "video" served:

VideoXXX_Anahi-Maradona.mpeg.exe

I added the double extension in the web filter, but Untangle doesn't stop the download. I tested these scenarios:

a) PC (192.x.y.10) -> untangle (ip on pass list): file downloaded
b) PC (192.x.y.10) -> CCproxy (192.x.y.9) -> Untangle : file downloaded
c) PC (192.x.y.10) -> CCPRoxy (192.x.y.12) : File downloaded

Of course my PC runs Windows XP with this configuration:
Ethernet adapter 00 LAN:
Connection-specific DNS Suffix . :
IP Address. . . .: 192.x.y.10
Subnet Mask . . .: 255.255.255.0
Default Gateway .: 192.x.y.16
DNS Servers . . .: 192.x.y.4 n 192.x.y.16

I don't know, but I can download the double extension file many times, and Untangle doesn't block the file.

Can someone explain if I'm doing something wrong or how to solve this kind of issue? For every double extension file on the web, I found a virus-trojan-worm. I see that even a product like Kerio Mail Server can block these files as attachments. Is it possible to implement this on Untangle?

BTW, I need to check this option in the web filter:
Block pages from IP only hosts, and only with this do I stop getting the file.

NOTE 1: Sorry, but I forgot where on Untangle I added the double extension filter. I'm at the office and got distracted. I'll test this scenario again using a web server and faking the double extension file to see again whether I can get it working or it fails in this "issue".

NOTE 2: Untangle works (of course); I need to restart my browser to see the double file extension filters work.

This is what I did; please correct me if I'm doing something wrong.

I added two filters on
Default Rack > Web Filter > File Types
.mpeg.exe > block(x) log(x)
mpeg.exe > block(x) log(x)

and before the site was "disabled" I added this
Default Rack > Web Filter > Sites
196.34.243.14 > scam South Africa

and to be sure that the antivirus does something:
Default Rack > Virus Blocker > Web > File Extensions
File Type Scan Description
mpeg.exe (x) mpeg.exe

Now I believe that I need to add more double extensions, but I wonder if Untangle allows wildcards like:
.*.exe
.*.com

Or do I need to add: .ppt.exe, .ppt.com, .doc.exe, .doc.com, .doc.pif, .doc.cmd for all the very ugly things?

NOTE 3:
Be warned that filters don't work on PCs in the allowed list on:
Default Rack > Web Filter > Pass Lists > Client IP addresses

I put myself in danger with this kind of choice.
Can I suggest to Untangle an option to enforce the filter for this kind of file type even if the user is on the Pass Lists? It sounds like redundancy, but I'm on the pass list to use some services from time to time, Pidgin or Gmail, and as administrator of the Untangle box I need to get files or protocols, but still be safe with this kind of filter, and only to check if they work, like today.

Regards Untangle

Last edited by elavionsistemas; 12-01-2009 at 01:32 PM. Reason: adding a note + a mistake + a suggestion
12-03-2009, 06:00 AM   #2
dwasserman

Try using MIME types; the extension can be a fraud.
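Added example (not part of the original thread and not Untangle's code): a Python sketch of the two checks discussed above, a general ".*.exe"-style double-extension match and a content check on the file's leading bytes in the spirit of the MIME-type suggestion. The extension lists, the magic-byte table and the function names are assumptions chosen for illustration.

```python
# Illustrative lists (assumptions); extend them to match local policy.
EXECUTABLE_EXTS = {"exe", "com", "pif", "cmd", "scr", "bat"}
DECOY_EXTS = {"mpeg", "mpg", "avi", "jpg", "pdf", "doc", "ppt", "xls", "txt"}

# Leading bytes of a few formats (small hand-built table, not exhaustive).
MAGIC = [
    (b"MZ", "application/x-dosexec"),   # DOS/Windows executable
    (b"\x00\x00\x01\xba", "video/mpeg"),  # MPEG program stream pack header
    (b"%PDF-", "application/pdf"),
]


def extensions(filename):
    """Lower-cased dot-separated parts of a file name.

    Trailing dots and spaces are dropped first because Windows ignores
    them, so 'x.mpeg.exe.' still opens as an .exe.
    """
    return filename.lower().rstrip(". ").split(".")


def has_double_extension(filename):
    """True when an executable extension directly follows a decoy one."""
    parts = extensions(filename)
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in DECOY_EXTS)


def sniff_type(head):
    """Guess a MIME type from the first bytes of the content."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return "application/octet-stream"


def verdict(filename, head):
    """Return the list of reasons to block; an empty list means no finding."""
    reasons = []
    if has_double_extension(filename):
        reasons.append("double-extension")
    if (sniff_type(head) == "application/x-dosexec"
            and extensions(filename)[-1] not in EXECUTABLE_EXTS):
        reasons.append("executable-behind-benign-name")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the name is from the thread, the bytes are made up.
    print(verdict("VideoXXX_Anahi-Maradona.mpeg.exe", b"MZ\x90\x00"))
    print(verdict("holiday.mpeg", b"MZ\x90\x00"))
    print(verdict("clip.mpeg", b"\x00\x00\x01\xba\x44"))
```

The second sample shows why a name-only filter is not enough: once the file is renamed to a single harmless extension, only the content check still flags it.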
All times are GMT -7. The time now is 08:06 PM.


© 2010 Untangle, Inc. All Rights Reserved.   SEO by vBSEO 3.6.0