Filtering By Filetype

The antivirus cartel really has quite a racket going. They sell an antivirus solution that doesn't solve anything. Rather than fixing this in the next version, they introduce the ability to ban file types at will. For some reason this is seen as a really good idea. It's really easy to ban SCR, PIF and REG file extensions. If InfoSec professionals did a survey of their mail, they would find that 100% of messages with those attachment types were really viruses. That sort of review would justify blocking by attachment. Unfortunately, a review of that nature is never performed. Attachment types are just blocked because viruses come in with that extension.
I feel like I've played this game before. Four or five years ago, antivirus was such a hog, and computers so wimpy, that the AV vendors encouraged us to scan specific file types only. The list of what needed to be scanned would grow every month. Lord help you if you missed adding SHS to the file type list and a virus came out using that attachment.
It's a game of file attachment blocking escalation that we lost before; pretty much everyone scans all files now. For file blocking, I think the checkmate came last July when viruses started being sent in password-protected zips. How many places are able to block zips? If you block zips, what is next: DOC, PDF, PPT? (A virus file inside the PPT file. It should be coming soon.)
Instead of being satisfied cutting out more and more user functionality and thinking this is normal for security, why not fix the antivirus system? A high degree of heuristics can work at the SMTP layer. MessageLabs does a good job of this. Or you can beef up how often your antivirus is updated at the SMTP layer. I believe Postini checks for updates every 5 minutes. If you are stuck with Symantec, look into using beta defs on your mail gateway. You need earlier protection than waiting for Symantec. Use multiple scan engines like Sybari, preferably including one like Kaspersky or F-Secure or Sophos that updates often.
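To make the point concrete, here is an added example (not from the original post or any vendor product) that puts a 1990s-style extension blocklist beside a content-aware check: the second one identifies the real type from magic bytes, looks inside ZIP archives, and reports an archive it cannot inspect (an encrypted member) instead of quietly passing it. The blocked extension set, the sample attachment names and the fake "executable" are all constructed for the example.

```python
import io
import struct
import zipfile

# Extensions the post names as always-malicious; a hypothetical gateway policy.
BLOCKED_EXTENSIONS = {"scr", "pif", "reg"}
MZ = b"MZ"              # Windows PE/DOS executable header
PK = b"PK\x03\x04"      # ZIP local file header signature


def extension_blocklist(filename: str) -> str:
    """The 1990s approach: decide purely on the declared extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "block" if ext in BLOCKED_EXTENSIONS else "allow"


def content_check(data: bytes) -> str:
    """Decide on the bytes, not the name: allow / block / uninspectable."""
    if data.startswith(MZ):
        return "block"                       # executable whatever it is called
    if data.startswith(PK):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:     # general-purpose bit 0: encrypted
                    return "uninspectable"   # cannot scan, so do not call it clean
                verdict = content_check(zf.read(info))   # recurse into nested zips
                if verdict != "allow":
                    return verdict
    return "allow"


def make_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed sample archive with one member. zipfile cannot write
    encrypted archives, so the encryption flag bit is set by hand in both the
    local header (flags at offset 6) and the central directory (offset +8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(b"PK\x01\x02")        # central directory header
        for off in (6, cd + 8):
            (flags,) = struct.unpack_from("<H", data, off)
            struct.pack_into("<H", data, off, flags | 0x1)
    return bytes(data)


# Constructed sample attachments (not real malware): a fake executable renamed
# to look harmless, and the same file shipped inside plain and encrypted zips.
FAKE_EXE = MZ + b"\x90" * 30
SAMPLES = {
    "holiday.jpg": FAKE_EXE,
    "invoice.zip": make_zip("invoice.scr", FAKE_EXE),
    "docs.zip": make_zip("invoice.scr", FAKE_EXE, encrypted=True),
}
```

The blocklist allows all three samples; the content check blocks the first two and flags the encrypted zip as something the gateway has not actually scanned, which is the decision a policy has to make explicitly.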
Blocking file types just gives a false sense of security. It is a solution from the 90s. It's time for something better.