Interesting question from a customer: “Why should we block .EXEs?”
posted by Yves Lacombe in Best Practices on May 26, 2010
The short answer: because all malware (viruses, worms and the rest) is executable code, and in a Windows-based environment the principal kind of executable is the EXE file.
The majority of phishing attempts with drive-by-downloads try to entice you to download EXE files and run them locally. EXE files should always be blocked. You can open certain files on a case-by-case basis and in a very controlled fashion, but that’s the extent of it.
EXE files are one of the primary vectors of attack, but they work in concert with the fact that most Windows installs run in DEFAULT PERMIT mode and the user operates the computer in an administrative context.
Transferring EXE files wouldn’t be a problem if all users operated in an “ordinary user” context and were thereby prevented from installing programs without first raising their privilege level (as in Ubuntu Linux, where you have to explicitly grant permission to run a program as root via sudo ‘do-something’).
Windows’ DEFAULT PERMIT [1] approach is probably the cause of most of the security problems we have today. That and lazy users! If everything were instead DEFAULT DENY, there would be much less need for security solutions.
Another problem stems from the fact that it’s darned hard to create an account in Windows that limits execution. You can set up group policies, sure, but a lot of software programs expect full control over resources to be able to function properly. The blog [2] referenced below reviews a great program called “ExeLockdown” that lets you define the allowed executables on your system instead of having to list all possible malware (i.e., enumerate “goodness”). It’s a lot easier to whitelist the 30 or so apps that you run than to blacklist half a million (and growing) executables.
Hence, IMHO, this is why we must block EXEs.
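As an added illustration of the default-deny stance above (example code, not part of the original post or of any product it mentions): a mail-gateway attachment check that identifies executables by content, the “MZ” DOS header every Windows PE file starts with, rather than trusting the filename, and that opens ZIP archives so a wrapped or renamed EXE is caught too. The filenames, the message and the 64-byte “MZ” stub are constructed for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
# Default-deny attachment filter (constructed example, names hypothetical): reject
# executables by content ("MZ" DOS header of every Windows PE) or extension, and
# open ZIP archives so a wrapped or renamed EXE is caught as well.
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}
MAX_MEMBER_BYTES = 5_000_000   # archive members we will not inspect are denied
def looks_executable(name: str, data: bytes) -> bool:
    """True if the payload carries a PE header or an executable extension."""
    return data[:2] == PE_MAGIC or os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS

def find_executables(name: str, data: bytes) -> list:
    """Names of executable payloads in one attachment, descending into ZIP archives."""
    hits = [name] if looks_executable(name, data) else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in (i for i in zf.infolist() if not i.is_dir()):
                if info.file_size > MAX_MEMBER_BYTES:   # too large to inspect: deny
                    hits.append(f"{name}/{info.filename}")
                else:
                    hits.extend(f"{name}/{h}" for h in find_executables(info.filename, zf.read(info)))
    return hits

def blocked_attachments(raw_message: bytes) -> list:
    """Attachment names the default-deny rule rejects in one RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        blocked.extend(find_executables(name, part.get_payload(decode=True) or b""))
    return blocked

def build_sample_message() -> bytes:
    """Constructed mail: a text note, an EXE renamed to .pdf, and a ZIP holding an EXE."""
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment("plain notes", filename="notes.txt")
    fake_pe = PE_MAGIC + b"\x00" * 62          # minimal DOS header stub, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", fake_pe)
        zf.writestr("readme.txt", "hello")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="pkg.zip")
    return bytes(msg)
```

On the constructed message the filter rejects `invoice.pdf` (an EXE with a harmless-looking name) and `pkg.zip/setup.exe`, while the plain-text note and the ZIP’s readme pass; an extension-only rule would have missed the renamed file.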
References:
1. http://www.ranum.com/security/computer_security/editorials/dumb/
2. http://www.ranum.com/security/computer_security/index.html
Comments
The customer in question was having problems with a cranky end-user wanting some justification why he [the end-user] wasn’t allowed to receive EXEs over Email. He wanted a “blurb” so I gave him one.
By Yves Lacombe on 2010 05 31
Yep, we’ve been blocking those and ZIP files forever, and I can’t imagine someone with email security responsibilities would pose that question!
By PaulK on 2010 05 28