Best Practices for Finding Executable Content

UPDATE (October 14, 2016): We now recommend using the Common Attachment Types Filter to block file types as opposed to using transport rules. Take a look at my updated post, Common Attachment Types Filter, for more information on this new filter.

 

This article may be common knowledge for some, but it is important to revisit and refresh ourselves on. You may be aware of what content EOP will flag as being executable, or you may not. In either case, I think this is an important topic so sit back, relax, and read on.

Transport Rules

One of our best practices is to create a transport rule which blocks executable content. This would look as follows.

The reason we suggest creating this rule is that it acts as a second line of defense for catching zero day malware. If a zero day attack is missed by the EOP malware filters but is being delivered in the form of an executable attachment, this rule will stop those messages from reaching your end users.

The beauty of this transport rule predicate is that it will also catch executable files that have had their extensions renamed. For example, if the file notavirus.exe is renamed to notavirus.txt and attached to an email, this transport rule will still fire.

If you instead created a transport rule with the predicate, Any attachment’s file extension matches…

This transport rule WOULD NOT fire if a file with a matching extension has its extension renamed. With this rule, if the executable notavirus.exe was renamed to notavirus.txt, this rule would not fire. This predicate should only be used to block extensions that do not fall under what we consider “executable content.”

What is considered an executable?

What EOP considers as executable is nicely documented on TechNet, however it is a little buried. The list of file types can be found on the TechNet page Using transport rules to inspect message attachments. Scroll to the bottom of this article and look for the table under the heading Supported executable file types for transport rule inspection.

To save you a click, the current list is as follows.

Type of file Native extension
Self-extracting archive file created with the WinRAR archiver. .rar
32-bit Windows executable file with a dynamic link library extension. .dll
Self-extracting executable program file. .exe
Java archive file. .jar
Uninstallation executable file. .exe
Program shortcut file. .exe
Compiled source code file or 3-D object file or sequence file. .obj
32-bit Windows executable file. .exe
Microsoft Visio XML drawing file. .vxd
OS/2 operating system file .os2
16-bit Windows executable file. .w16
Disk-operating system file. .dos
European Institute for Computer Antivirus Research standard antivirus test file. .com
Windows program information file. .pif
Windows executable program file. .exe

If your transport rule is set to look for Executable Content, the above file types will cause the rule to trigger even if their extension is renamed.

Last Words

I mentioned above that one of our best practices is to create a transport rule which will trigger on executable content. I would highly recommend this, along with other great best practices can be found on the TechNet page Best practices for configuring EOP. This page also lists other file extensions that you may wish to block through a transport rule that looks at an attachments extension (see the section Extension Blocking).

Resources

Using transport rules to inspect message attachments Best practices for configuring EOP