
Threat Detected: Double Barrelled Attachment

--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Sat Apr 11, 2009 2:49 pm    Post subject: Threat Detected: Double Barrelled Attachment

Question:
An incoming message was intercepted because it contained a "double barrelled attachment".
--- What is that?
--- How can I get the message?
--- Does this indicate that it contains a virus?


Answer:
  • How to easily circumvent the problem (even with this attachment)
  • What is a double-barrelled attachment? Why is it dangerous?
  • The reason that we cannot be flexible on certain antivirus rules
1. You were sent a file attachment that ended with two extensions ("periods" followed by 3 or 4 letters) - like this: ~~~.com.eml. If the sender renames the file so that it does not contain multiple extensions, the message will not be blocked.

2. A double-barrelled attachment is always dangerous! Although it is technically not illegal (according to IETF RFP), it is used by hackers as a simple and effective way to fool the recipient and also many older PC programs into opening the file with the wrong application. Even if the file itself does not contain a virus, the misleading use of extensions (the first one is not the true extension - but is seen first by humans and some programs) can cause unintended execution or the unintended launch of another program that was previously introduced onto the PC.

In this manner, a simple TEXT file that has been renamed "~~~.txt______.exe" could be used to launch a Spam-remailer that uses the text as its list of victims (both clever and fiendish). [More details].

3. Sometimes our customers point out that their own antivirus software admitted a double barrelled file. This is never a good practice. The blocking of double-barrelled attachments (regardless of content) has been classified "obligatory" by the largest consortiums of antivirus vendors for several years.

At Vanquish, we use the threat signatures and rules of a major consortium plus additional methods created in our own antivirus lab. These are updated every 4 hours. If we were to opt out of any base rule, we would no longer be allowed to use any of the rules. That is, members agree to never waive a base rule.

Why is there such a strict policy?...

This firm policy causes recipients and senders to push back quickly to the sender's email service or program and OS developers. In so doing, it discourages the use of dangerous or deceptive practices.

Even if the attachment was renamed by the sender, the operating system or always-on antivirus watchdog should warn that the filename is deceptive and mimics a technique used by hackers to distribute viruses & worms. Our firm adherence to these guidelines helps prevent the propagation of trojans and viruses throughout the world.
All times are GMT - 4 Hours
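The filename rule described in the post above (a name ending in two extensions, each a period followed by 3 or 4 letters, blocked regardless of content), sketched as a mail-gateway check. This is an added example, not Vanquish's code or the consortium's rule; the regular expression, the tolerance for underscore or whitespace padding between the extensions, and all message contents and filenames are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: an "extension" is a period followed by 3 or 4 letters, as the
# post describes. Padding (underscores or whitespace) between the two
# extensions is tolerated, to cover names such as "~~~.txt______.exe".
DOUBLE_EXT = re.compile(r"\.([A-Za-z]{3,4})[\s_]*\.([A-Za-z]{3,4})\s*$")

def double_extension(filename):
    """Return (displayed_ext, true_ext) if the name ends in two extensions."""
    if not filename:
        return None
    m = DOUBLE_EXT.search(filename)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def scan_message(msg):
    """List (filename, displayed_ext, true_ext) for every flagged MIME part."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        hit = double_extension(name)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings

def build_sample():
    """Constructed message with four attachments, round-tripped through bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("report.pdf", "invoice.com.eml",
                 "list.txt______.exe", "backup.tar.gz"):
        msg.add_attachment(b"constructed sample bytes",
                           maintype="application",
                           subtype="octet-stream", filename=name)
    # Parse the wire form, as a gateway would see it.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for name, shown, real in scan_message(build_sample()):
        print(f"BLOCK {name!r}: displayed as .{shown}, actually .{real}")
```

Under the 3-or-4-letter definition, "backup.tar.gz" is not flagged because ".gz" has only two letters; a rule written to a different definition of "extension" would behave differently on such names.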