My question is:
Does your company remove (filter out) ZIP file attachments from emails?
I'm being asked by my company to review our policy on this and need data regarding other companies.
Thanks in advance.
Currently, we do not, but I too am in the process of taking a look at our current policies and revising as needed. I haven't made a decision as of yet regarding .ZIPs, but certainly we will continue to block any executable (.EXE, .COM, etc.). The problem with the .ZIPs is that there is some malware that is transferred via password protected .ZIP files that some AV scanners couldn't pry into...
We remove only password protected .zip files.
Our antivirus gateway will scan within zip files, if it's a virus, it's gone, if not, it is passed on to its destination. Like cacosapo said, if it's password protected it's also deleted because the gateway can't open it to scan it.
Cheers:
We strip zip files only when they are password protected or a file inside them is infected.
We also strip all file types that are potential problems... dll, reg, exe, com, pif, etc
We strip Zips, (password protected or not), because I prefer to see the raw files themselves anyway. Generally this does not present a size issue for my company because most attachments are small(ish) Office docs.
We also block all executable content. Should executable content be required we will issue a login/password combination to the FTP server in the DMZ and the user can place it there.
Same here..
zips are stripped and contents scanned..
MS executables (including but not limited to .exe .pif .scr .bat .cmd) are removed..
We remove zips, unless specific notice is given, we have never had people send us zips intentionally, if I worked at a place where we used zips more frequently, then I probably would work out a stripping solution like stated above. But since we don't use them 99.9% of the time, it's just one less thing to have to support at the moment.
Hi ric-o, the general consensus seems to be removing the zip file. Or at a minimum the password protected files since virus scanners can't open them. I side on removing only password protected zips. We've gone back and forth on the issue since some customers have asked for information in a zip format. If I was going to decide to block zips today it could be done in seconds but could hurt the enterprise because of the way Exchange and the virus scanning engine interact. Once that decision is made ALL messages, even those that have been sitting in someone's inbox for months get cleaned. I would make an effort to see who uses them and in what aspect as well as the security aspect of monitoring files as they cross the mail servers.
[Harping on]
AV is reactive..... Blocking only Zips that are password protected and scanning the rest is no guarantee whatsoever that the enclosed code is not malicious.... Only that it is not recognized as malicious. Any Zip file can be self executing. If the AV product could also block self executing Zips then part of the battle would be won. Even if it could there will always be the trivially socially engineered user that will still click on the executable content of a zip file if it is delivered to them.
If your users are sophisticated enough to comprehend _executable_ content and zip files then they are easily able to comprehend passing files through a password protected FTP site which instantly mitigates email-borne threats. If they aren't then they don't need them anyway. If the sender sends a zip then they will be competent enough to unpack the file and send it in clear at the request of the recipient if it is only a jpg, tiff, word/excel/powerpoint doc. Since these are no longer common vectors the AV can pick them up easily and if the App is patched or more up to date then the auto-running macros can be prompted for or denied anyway.
Even if you are a shop that requires executable content to pass between a sender and a recipient there are less vulnerable methods of doing it. Why risk any exposure when none is necessary in a corporate environment?
[/Harping on]
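
Added example, not part of any post in this thread: a sketch of the gateway policy several posters describe (strip password-protected ZIPs, strip ZIPs holding blocked file types, hand the rest to the AV scanner). The function names, the extension set (collected from the posts above) and the `MZ` check for a self-extracting stub are assumptions; the sample archives are constructed in memory.

```python
import io
import zipfile

# Extensions named as blocked in the posts above.
BLOCKED_EXT = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".dll", ".reg")

def classify_zip(data: bytes) -> str:
    """Decide what a mail gateway should do with one ZIP attachment."""
    # Assumption: a Windows self-extracting archive starts with a PE stub ("MZ").
    if data[:2] == b"MZ":
        return "strip: self-extracting archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general purpose flag marks an encrypted entry,
                # which the scanner cannot open without the password.
                if info.flag_bits & 0x1:
                    return "strip: password-protected entry"
                if info.filename.lower().endswith(BLOCKED_EXT):
                    return "strip: blocked file type inside"
    except zipfile.BadZipFile:
        return "strip: unreadable archive"
    return "pass: hand to AV scanner"

def make_zip(name: str, encrypted: bool = False) -> bytes:
    """Build a constructed one-file sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set the encryption
        # flag by hand in the central directory record (flags at offset 8).
        cd = raw.rfind(b"PK\x01\x02")
        raw[cd + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    samples = {
        "plain document": make_zip("report.doc"),
        "password protected": make_zip("report.doc", encrypted=True),
        "screensaver inside": make_zip("invoice.SCR"),
        "self-extracting": b"MZ" + b"\x00" * 64 + make_zip("a.txt"),
    }
    for label, blob in samples.items():
        print(f"{label:20} -> {classify_zip(blob)}")
```

Nested archives are not descended into here, and a "pass" result only means the attachment is readable by the scanner, not that its contents are clean.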