August 19, 2018, 10:51:47 PM

Author Topic: Blocking Attachments w/ Norton AntiVirus 2.1 for Microsoft Exchange  (Read 6034 times)

Tazinator

I copied this thread from my post of it on the old Forum. I thought it would be nice to have as there seems to be a rise in email viruses again.

=========================================

In light of the recent outbreak of another wannabe Melissa virus today known as the VBS/SST, I decided to post this little tidbit of info involving Norton AV for Exchange 5.5 to help all you unfortunate Administrators out there who have to use this sorry excuse for a mail server.

One thing that's a pain is Exchange 5.5 doesn't allow blocking of messages by subject line so when one of these damn annoying viruses hits, you are sort of left defenseless. Well, if you have Norton AV for Exchange 2.1 that's not the case. Unfortunately, you will still have unwanted email traffic on your server, but you won't have the attachment being forwarded around to all those users who don't know any better and open every damn attachment they get in their mailbox.

Norton will allow you to filter messages and lock attachments by name or file extension. I found this incredibly useful by simply blocking all *.vbs extensions and no matter what little kiddies release out there, if they are sent as a VBS file, as most re-mailers are, the attachment will be deleted. In all honesty, your users shouldn't have a need to forward VBS files to each other anyhow and if they ever did, they could just zip it or something. One would think if they are smart enough to know what a VBS file is, they should know how to use Winzip.

To block attachments by filename or extension:

You will need to open Regedit or another registry editing program.
All of the edits you need to make are in the following location on your Exchange server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment]

First you need to specify the total number of file names or extensions to be excluded. We will use two in an example:

"AttachmentNamesCount"=dword:00000002

Now, you need to create a new registry string value for each file name or extension in the list. Be sure to follow the format of examples below:

"AttachmentNames0"="*.vbs"
"AttachmentNames1"="loveletter.vbs"
"AttachmentNames2"="filename.extension"

etc, etc

Be sure to change the number after AttachmentNames to make it follow in sequence.

Warning: If you decide later that you want to omit a file filter or extension filter, be sure to change the AttachmentNamesCount to reflect.

One thing to keep in mind is by default Norton will look for what you specify here in all attachments as well as embedded archives such as zip files. You need to specify not to check archived files and limit it to the actual attachment by the following:

Change the string value of AllowsChecksWithinArchives to 0.
Example:

"AllowsChecksWithinArchives"=dword:00000000

After you make these changes, you need to run NaveUpdate or restart the Norton service to have everything take effect.

I have enclosed an example registry key that I used today myself.
"A well known hacker is a good hacker, an unknown hacker is a great hacker..."

I don't care what your parents told you, you aren't special.
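
The count and numbering rules from the post above, as an added example that is not part of the original post: a Python sketch that writes the `AttachmentNames` entries with the count derived from the list, and checks an exported fragment for a count that no longer matches its entries. The function names are hypothetical, the sample is built from the post's own lines, and nothing here reads or writes the registry or says how the product treats a mismatch.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.1\BlockingPolicy\Attachment"

def build_reg(patterns):
    """Render a .reg fragment; the count is derived, never typed by hand."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["REGEDIT4", "", "[%s]" % KEY,
             '"AttachmentNamesCount"=dword:%08x' % len(patterns)]
    lines += ['"AttachmentNames%d"="%s"' % (i, esc(p))
              for i, p in enumerate(patterns)]
    return "\r\n".join(lines) + "\r\n"

def check_reg(text):
    """Return a list of count/sequence problems in an exported fragment."""
    count, names = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'"AttachmentNamesCount"=dword:([0-9a-fA-F]{8})$', line)
        if m:
            count = int(m.group(1), 16)
        m = re.match(r'"AttachmentNames(\d+)"="(.*)"$', line)
        if m:
            names[int(m.group(1))] = m.group(2)
    if count is None:
        return ["AttachmentNamesCount is missing"]
    problems = ["AttachmentNames%d is missing but the count is %d" % (i, count)
                for i in range(count) if i not in names]
    problems += ["AttachmentNames%d (%s) lies beyond the count of %d"
                 % (i, names[i], count) for i in sorted(names) if i >= count]
    return problems

# Constructed sample: the three name lines from the post with a count of 2.
PAGE_SAMPLE = '''[%s]
"AttachmentNamesCount"=dword:00000002
"AttachmentNames0"="*.vbs"
"AttachmentNames1"="loveletter.vbs"
"AttachmentNames2"="filename.extension"
''' % KEY

if __name__ == "__main__":
    print(build_reg(["*.vbs", "loveletter.vbs"]))
    for problem in check_reg(PAGE_SAMPLE):
        print("WARNING:", problem)
```
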