blocking double extensions

is there a way to block attachments with double extensions?

and is it common to find a few such files on your hard drive, such as tmp.exe files?

a trojan scan just turned up a half dozen of these, issuing a warning. however, they also state that, "Many files which are named this way are perfectly harmless ".

any input is appreciated.



mark

 

mr.mark--Some firewalls and some antivirus programs will block certain files attached to emails if you set them up to do so. Outlook Express 6 will do it as well--see OE Tools|Options|Security tab.
Usually the ones blocked are what are call executables, like .exe, .vbs and .js. However the program has to be able to recognize them, and files with double extensions often are seen by the program as being of the first file type and not the second. In fact the second file type may be hidden to you as well. And it is the second file type which represents the real file type of the attachment.
I suspect you know all this and that is why you are asking. Executable attachments can be harmful to your PC and attachments with double extensions are used to sneak executables past you and the protective programs. I may be wrong, but I do not think there are many if any legitimate files with double extensions.
See
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q="double+extension"+file&btnG=Google+Search
The best advice I can offer is to click Start|Settings|Folder Options|View tab| and make sure the box "Show all Files" is checked and that "Hide File extensions..." is not checked. Then do not open any attachment, even from friends, until
1) You have saved it and scanned it with an antivirus program.
2) You right click on it, click properties and look on the line called Type. The true file type will be shown on that line.
If you have files named .tmp.exe already on your PC, I would suggest you do not open them, unless you are sure what they are. I think they often are associated with the Nimda and Sircam viruses. It would be best to delete them--perhaps by storing them in the Recycle Bin for a week or so to be sure you do not need them. Then delete for good. I think your trojan scan is doing its job. Have you an active antivirus program with up-to-date virus definitions on at all times? You might want to run a scan with it.

Someone else may know of other ways to protect yourself from these type of attachments.

 

hi welshjim

yes i run nav2002 with current virus defs downloaded daily and full system scans run daily. to double-check these suspected files after they were flagged by the anti-trojan tool, i scanned each file individually with nav.

i do have folder options in explorer set as you've noted, to show extensions. but that doesn't mean i get to see everything that finds its way onto my puter, thus the question about how to block attachments with double extensions.

to my knowledge, symantec products do not block these double extension attachments. at least i haven't seen a configurable option for doing it.

i've always known enough to be on the lookout for them, but until i ran trojanhunter scan, i didn't know i had a few on my pc. trojanhunter warned me about them, and i now know what program they are associated with. again, the anti-trojan vendor said, "Many files which are named this way are perfectly harmless ". but i'm looking very seriously at them, and may submit them to the vendor for further study. but no, i won't click on them! <g>

btw, on another operating system trojanhunter found double extension update files from blackice defender, a firewall i have long since removed, but these puppies were still in the downloads folder.

maybe other readers will offer ideas on how to block double extension attachments.

btw, trojanhunter also finds and flags NTFS alternate data stream files... which looks like a whole new can of worms (no pun intended).

anyway, your input is much appreciated.



mark

 

You set Windows to NOT hide extensions of registered file types.

 

that is essentially what welshjim said... "and that 'Hide File extensions...' is not checked "

but i'd like to point out that regardless of whether folder options are set in explorer to display or not to display extensions, it does not do anything about blocking double extensions.



mark