Update list of high-risk executable files for DCC #248879 01/11/14 11:46 PM
Joined: Feb 2003
Posts: 2,669
Raccoon Offline OP
Hoopy frood
http://pcsupport.about.com/od/tipstricks/a/execfileext.htm

The current DCC Ignore list is lacking quite a number of these Windows executable filetypes. I'm not going to say any of these are a big issue (at the moment) but the variety of executable file extensions has indeed expanded.

E.g.: .CMD files are just .BAT files. *.bat appears in the ignore list, but *.cmd does not... leaving an opportunity for abuse.


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Re: Update list of high-risk executable files for DCC [Re: Raccoon] #248929 05/11/14 04:03 PM
Joined: Dec 2002
Posts: 86
Zmodem Offline
Babel fish
I'm assuming you mean updating the default list of ignore/accept-only? I guess it's a decent idea, but bear in mind that this is an option users can update manually as well. If a person has made it far enough to reach the ignore/accept-only portion of the options (and most should if they expect to use DCC at all), then I'll assume they should be comfortable adding their own extensions.


-Zmodem
Re: Update list of high-risk executable files for DCC [Re: Raccoon] #248932 05/11/14 08:24 PM
Joined: Dec 2002
Posts: 4,586
Khaled Offline
Hoopy frood
I could add a few more items to the "ignore list" but it is not meant to be a comprehensive list and is just an example list that users can update. Any new additions would be arbitrary since there are so many criteria for deciding what is or is not dangerous. Should only directly executable extensions be included? How about script extensions, such as perl, python, php, and so on, which might be automatically run if the user has those script languages installed and they double-click on a file with that extension? How about files such as documents, spreadsheets, powerpoints, and so on, that can contain macros? How about certificate files, such as .cer, .crt, .der, that can install malicious certificates? How about extensions that are normally safe but are often the targets of newly discovered exploits? And so on.

I looked through a number of websites that list potentially dangerous file extensions and ended up with a list of 160+ extensions related to scripts, macros, executables, system files, and configuration files. Most applications, security or otherwise, warn/block a very small, arbitrary subset of these extensions. They also exclude some extensions that are often the target of exploits because they are popular formats.

Basically, I am not sure mIRC is the ideal arbiter of what files should be ignored. The files in the "accept" and "ignore" list are just a starting list. The "accept list" is enabled by default with a small number of popular extensions, so ideally users would just add extensions that they want to accept to this list. Using the "ignore list" probably is not a good idea as the list can never be comprehensive. It really is up to the user to decide which files to accept/ignore and to make sure that they have anti-virus/security software installed.

Update: Updated post after more research.

Last edited by Khaled; 10/11/14 11:19 AM.
Re: Update list of high-risk executable files for DCC [Re: Khaled] #248935 05/11/14 10:43 PM
Joined: Dec 2002
Posts: 86
Zmodem Offline
Babel fish
All nonsense aside, let us not forget VBS causing that huge uproar years ago; only the most prominent should be of concern here: .exe, .bat, .com, .htm, .html, .dll, etc. I think providing the list that is currently included is enough. Who are we to say that certain users don't KNOW that they want to be bothered with executing something? It's not really mIRC's job to provide all protection methods, but the fact that it does provide a method to allow users to make that decision for themselves should be enough.

Last edited by Zmodem; 05/11/14 10:46 PM.

-Zmodem
Re: Update list of high-risk executable files for DCC [Re: Raccoon] #249073 13/11/14 11:49 AM
Joined: Dec 2002
Posts: 4,586
Khaled Offline
Hoopy frood
As Raccoon pointed out, the default accept/ignore list in mIRC has been the same for a very long time.

I mentioned in my previous post that I looked through a large number of lists on websites and in applications (security, email, and so on) to try to get an idea of the types of files that are commonly blocked nowadays. I ended up with a combined list of 160+ file types that are (or were at some point in time) considered potentially dangerous. Unfortunately, many of the lists I came across seemed to be old, were put together arbitrarily, and varied greatly. So I was a little reticent to update the lists in mIRC without a clear idea of what should be in them.

I eventually came across the blocked attachments list of Outlook 2013, which includes around 90 file types. This is a reasonably up-to-date, Windows-specific list. So I have decided to use it (with a few additions) as the new "ignore list", which will be:

*.ade,*.adp,*.app,*.asp,*.bas,*.bat,*.cer,*.chm,*.cmd,*.com,*.cpl,*.crl,*.crt,*.csh,*.der,*.dll,*.exe,
*.fxp,*.gadget,*.hlp,*.hta,*.htm,*.html,*.inf,*.ini,*.ins,*.isp,*.its,*.js,*.jse,*.ksh,*.lib,*.lnk,*.mad,
*.maf,*.mag,*.mam,*.maq,*.mar,*.mas,*.mat,*.mau,*.mav,*.maw,*.mda,*.mdb,*.mde,*.mdt,*.mdw,
*.mdz,*.mht,*.mhtm,*.mhtml,*.mrc,*.msc,*.msh,*.msh1,*.msh1xml,*.msh2,*.msh2xml,*.mshxml,
*.msi,*.msp,*.mst,*.ocx,*.ops,*.pcd,*.pif,*.plg,*.prf,*.prg,*.ps1,*.ps1xml,*.ps2,*.ps2xml,*.psc1,
*.psc2,*.pst,*.reg,*.scf,*.scr,*.sct,*.shb,*.shs,*.sys,*.tmp,*.url,*.vb,*.vbe,*.vbs,*.vsmacros,*.vsw,
*.vxd,*.website,*.ws,*.wsc,*.wsf,*.wsh,*.xnk

I will also be updating the "accept list" (based to some degree on this list) to these:

*.7z,*.avi,*.bmp,*.divx,*.gif,*.gz,*.ico,*.iso,*.jpeg,*.jpg,*.log,*.mid,*.mp3,*.mp4,*.mpeg,*.mpg,
*.ogg,*.png,*.rar,*.tar,*.tgz,*.txt,*.wav,*.wma,*.wmv,*.zip

The above list includes common media and compressed file types but excludes a large number of popular file types (doc, xls, pdf, swf, mov, etc.) that are more often the target of exploits.

These will be in the next version of mIRC for new installations. For users who upgrade, the next version will check to see if a user's "ignore list" is using the default old "ignore list" and if it is, it will be updated to the new "ignore list". The "accept list" will not be updated.

I have also added a "Reset" button to the DCC Ignore dialog that will pop up a confirmation dialog asking the user if they want to reset their "accept list" or "ignore list" to a default set of file types.

If anyone has any suggestions or comments on this change, please post them here.
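
The difference between the "accept list" (default deny) and the "ignore list" (default allow), and the upgrade rule described in the last post, as an added Python example that is not mIRC's code and not part of any post in this thread. The two mask lists are copied from the post above; OLD_DEFAULT is a constructed stand-in (the thread only says the old list had *.bat and lacked *.cmd), and the function names and matching rules are assumptions.

```python
from fnmatch import fnmatchcase

# New default lists, copied from the post above.
IGNORE = (
    "*.ade,*.adp,*.app,*.asp,*.bas,*.bat,*.cer,*.chm,*.cmd,*.com,*.cpl,*.crl,*.crt,*.csh,*.der,*.dll,*.exe,"
    "*.fxp,*.gadget,*.hlp,*.hta,*.htm,*.html,*.inf,*.ini,*.ins,*.isp,*.its,*.js,*.jse,*.ksh,*.lib,*.lnk,*.mad,"
    "*.maf,*.mag,*.mam,*.maq,*.mar,*.mas,*.mat,*.mau,*.mav,*.maw,*.mda,*.mdb,*.mde,*.mdt,*.mdw,"
    "*.mdz,*.mht,*.mhtm,*.mhtml,*.mrc,*.msc,*.msh,*.msh1,*.msh1xml,*.msh2,*.msh2xml,*.mshxml,"
    "*.msi,*.msp,*.mst,*.ocx,*.ops,*.pcd,*.pif,*.plg,*.prf,*.prg,*.ps1,*.ps1xml,*.ps2,*.ps2xml,*.psc1,"
    "*.psc2,*.pst,*.reg,*.scf,*.scr,*.sct,*.shb,*.shs,*.sys,*.tmp,*.url,*.vb,*.vbe,*.vbs,*.vsmacros,*.vsw,"
    "*.vxd,*.website,*.ws,*.wsc,*.wsf,*.wsh,*.xnk"
)
ACCEPT = (
    "*.7z,*.avi,*.bmp,*.divx,*.gif,*.gz,*.ico,*.iso,*.jpeg,*.jpg,*.log,*.mid,*.mp3,*.mp4,*.mpeg,*.mpg,"
    "*.ogg,*.png,*.rar,*.tar,*.tgz,*.txt,*.wav,*.wma,*.wmv,*.zip"
)
# Constructed stand-in for the old default ignore list (not mIRC's real one).
OLD_DEFAULT = "*.bat,*.exe"

def parse(masks):
    """Split a comma-separated mask list into lower-cased masks."""
    return [m.strip().lower() for m in masks.split(",") if m.strip()]

def normalize(name):
    # Windows file names are case-insensitive and lose trailing dots and
    # spaces when stored, so match against the name as it would be saved.
    return name.strip().rstrip(". ").lower()

def decide(name, accept=None, ignore=""):
    """Accept-only mode rejects anything unlisted; ignore mode accepts it."""
    n = normalize(name)
    if accept is not None:
        return "accept" if any(fnmatchcase(n, m) for m in parse(accept)) else "reject"
    return "reject" if any(fnmatchcase(n, m) for m in parse(ignore)) else "accept"

def migrate_ignore(user_list, old_default, new_default):
    """Upgrade rule from the post: replace the list only if it is still the old default."""
    unchanged = set(parse(user_list)) == set(parse(old_default))
    return new_default if unchanged else user_list

if __name__ == "__main__":
    for name in ("notes.txt", "setup.cmd", "report.pdf", "Holiday.JPG.EXE"):
        print(f"{name:16} accept-only={decide(name, accept=ACCEPT):7}"
              f"old-ignore={decide(name, ignore=OLD_DEFAULT):7}"
              f"new-ignore={decide(name, ignore=IGNORE)}")
```

report.pdf passes the new ignore list but fails the accept list, which is the gap the thread describes: an ignore list only stops what someone thought to add.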