Policies - Dangerous File Types

This article contains information on managing Dangerous File Types in Mimecast, including considerations for balancing security and usability, default blocked file types, and the risks of removing file types from the dangerous list.

Overview

When considering what a dangerous file type is, we strike a balance between file types that:

  • Have a high security threat.
  • Are commonly used and would create too much additional burden on end users if treated as unsafe.

Carefully consider the risks before removing a file type from the Dangerous File Types list, as doing so reduces your security. Threat actors frequently use heavily obfuscated executable (.EXE) files to evade detection and delay antivirus responses. Removing this file type from the list will significantly heighten your security risk.

What Gets Blocked By Default

By default, a Dangerous File Blocking policy blocks all dangerous file types. This includes any file types that could be used to deliver malware or other malicious content.

Dangerous file types encompass a wide range of executable files, scripts, and other potentially harmful formats, including but not limited to:

  • Executable files (.exe, .com, .bat, .cmd).
  • Script files (.vbs, .js, .jar, .ps1).
  • Shortcut and system files (.lnk, .scr, .pif).
  • Archive and compressed files that may contain malicious content (.arj, .gz, .rar, .zip when containing dangerous nested files).
  • Document files with macro or exploit capabilities (.docm, .xlsm, .pptm).
  • Other high-risk formats (.iso, .img, .vhd).

For the complete and current list of all file types that are blocked by default, see Dangerous File Types.

How Dangerous Files Are Detected

Mimecast examines the actual content and structure of message attachments to identify file types, rather than relying solely on file names or extensions. This means that renaming a dangerous file will not bypass detection. For example, an attachment named image002.unpacked_gz will be identified and treated as a .wmf (Windows Metafile) file if that is its actual file type based on content analysis.
This deep content analysis applies to files that are directly attached to emails, as well as those that are embedded or nested within other files or containers (such as within compressed or unpacked content).

What Happens When a Dangerous File Is Blocked

When a Dangerous File Blocking policy detects a dangerous file type, the file is blocked and stripped from the message before delivery. This applies whether the dangerous file is a top-level attachment or an embedded file detected inside another attachment. Using the earlier example, the attachment image002.unpacked_gz would be blocked because it was detected as a .wmf file, which is considered dangerous.
Once stripped, the file is not delivered with the email. The recipient is notified that some attachments have been removed, indicating that content was blocked for security reasons.
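The two behaviours above (typing an attachment by its leading bytes rather than its name, and checking files nested inside containers such as gzip or zip) can be illustrated with the following script. It is an added example written for this article, not Mimecast code; the signature table and the small DANGEROUS set are assumptions standing in for the product's full list, and all sample files are constructed inline.

```python
import gzip
import io
import zipfile

# Well-known leading-byte signatures (a minimal, constructed subset).
SIGNATURES = [
    (b"MZ", "exe"),                  # DOS/PE executable
    (b"\x7fELF", "elf"),             # ELF executable
    (b"\xd7\xcd\xc6\x9a", "wmf"),    # placeable Windows Metafile
    (b"\x01\x00\x09\x00", "wmf"),    # standard WMF, memory metafile
    (b"\x02\x00\x09\x00", "wmf"),    # standard WMF, disk metafile
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"GIF8", "gif"),
]

# Assumed subset of the dangerous list; the article's table is authoritative.
DANGEROUS = {"exe", "elf", "wmf", "lnk", "vbs", "js"}

def sniff(data: bytes) -> str:
    """Identify a file by its content only; the file name is never consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def scan(name: str, data: bytes, path: str = ""):
    """Yield (path, detected_type) for a file and for anything nested in it."""
    here = f"{path}/{name}" if path else name
    kind = sniff(data)
    yield here, kind
    if kind == "gzip":                       # unpack and re-type the inner content
        yield from scan("<gunzip>", gzip.decompress(data), here)
    elif kind == "zip":                      # type every archive member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield from scan(member, zf.read(member), here)

def verdict(name: str, data: bytes) -> dict:
    """Block if the attachment or any nested file is a dangerous type."""
    found = list(scan(name, data))
    reasons = [(p, k) for p, k in found if k in DANGEROUS]
    return {"blocked": bool(reasons), "detected": found, "reasons": reasons}

# Constructed samples: a gzip-wrapped WMF with a misleading name, and an
# executable renamed to look like plain text.
WMF_PAYLOAD = b"\xd7\xcd\xc6\x9a" + b"\x00" * 32
SAMPLE_GZ = gzip.compress(WMF_PAYLOAD)
RENAMED_EXE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for n, d in [("image002.unpacked_gz", SAMPLE_GZ), ("report.txt", RENAMED_EXE)]:
        print(n, verdict(n, d))
```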

Considerations

When it comes to protecting your organization, it is also essential that:

  • You realize that almost any file type can contain a security threat, but that this doesn't make the file type inherently malicious. For example, Microsoft Office, .GIF, and .PDF files are not considered dangerous, yet they can contain vulnerabilities.
  • Your users must know the potential threats of clicking on a URL. Our Targeted Threat Protection product protects your organization by blocking specific file types. If enabled, its user awareness setting can also educate users about the risks of clicking on a URL.
  • Attachment Management Policies can block, hold, or strip attachments.
  • When an attachment is deemed dangerous, the following notification is sent to the intended recipient:

Dangerous File Types

The following MIME types and file formats are considered malware and therefore blocked:

Mime Type | Dangerous File Types
all | _exe, a6p, ac, acr, action, air, apk, app, applescript, awk, bas, bat, bin, cgi, chm, cmd, com, cpl, crt, csh, dek, dld, dll, dmg, drv, ds, ebm, elf, emf, esh, exe, ezs, fky, frs, fxp, gadget, gpe, gpu, hlp, hms, hta, icd, iim, inf, ins, inx, ipa, ipf, isp, isu, jar, js, jse, jsp, jsx, kix, ksh, lib, lnk, mcr, mel, mem, mpkg, mpx, mrc, ms, msc, msi, msp, mst, mxe, obs, ocx, pas, pcd, pex, pif, pkg, pl, plsc, pm, prc, prg, pvd, pwc, py, pyc, pyo, qpx, rbx, reg, rgs, rox, rpj, scar, scpt, scr, script, sct, seed, sh, shb, shs, spr, sys, thm, tlb, tms, u3p, udf, url, vb, vbe, vbs, vbscript, vdo, vxd, wcm, widget, wmf, workflow, wpk, ws, wsc, wsf, wsh, xap, xqt, zlq
application/hta | hta
application/inf | inf
application/java-archive | jar
application/javascript | js
application/macbinary, application/mac-binary | bin
application/marc | mrc
application/octet-stream | bin, chm, com, jar, jsp, lnk, mrc, msi, py, scr, url, vbs
application/pkix-attr-cert | ac
application/pkix-cert | crt
application/vnd.adobe.air-application-installer-package+zip | air
application/vnd.adobe.fxp | fxp
application/vnd.android.package-archive | apk
application/vnd.apple.installer+xml | mpkg
application/vnd.fdsn.seed | seed
application/vnd.ms-htmlhelp | chm
application/winhlp | hlp
application/x-applescript | applescript
application/x-binary, application/x-macbinary | bin
application/x-bytecode.python | pyc
application/x-csh, application/x-photoshop, text/x-script.csh | csh
application/x-internett-signup | ins
application/x-msdownload | exe
application/x-msi | msi
application/x-newton-compatible-pkg | pkg
application/x-python-code | pyc, pyo
application/x-sh | sh
application/x-silverlight-app | xap
application/x-sprite | spr
application/x-troff-ms, text/troff | ms
application/x-x509-ca-cert, application/x-x509-user-cert | crt
text/plain | com, isu, mrc, url
text/xml | msc
video/vdo | vdo
video/x-isvideo | isu

The following file types are considered dangerous when identified in URLs and will be blocked for URL file downloads and links in emails.

  • .ace
  • .dex
  • .wim
