back to article Sophos U-turns on lack of .bat file blocking after El Reg intervenes

Sophos' WS1000 web appliance not only fails to include batch files in its download file type block list, but said it would only include the ability to block them as a feature. WS1000 is an enterprise-targeted secure appliance and intends to protect "every user, on every device, everywhere they go" by prohibiting particular end …

  1. Mage Silver badge
    Mushroom

    So...

    what about .cmd or .scr or .reg or a load of more obscure endings?.

    I have no confidence in this product.

    1. Ol' Grumpy
      Joke

      Re: So...

      "what about .cmd or .scr or .reg or a load of more obscure endings?."

      So long as they don't block 'el .reg - that would ruin my day ;)

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        I presume they are blocked but .bat was missed because it was forgotten about having been superseded by .cmd years ago , although all the batch scripts being written to deploy apps by people on far more than money me are using .bat . the tards. and written badly too.

    2. MyffyW Silver badge

      Re: So...

      "There is no feature. But be strong. All the best. Have a good day, and good health,"

    3. el_oscuro

      Re: So...

      .com, .pif, and .bin are also oldies but goodies.

  2. JimmyPage Silver badge
    FAIL

    Hang on a second

    so it's *relying* on the extension to determine the file type ?

    No. Please no.

    I predict we will see a lot more of this, as the young hipsters swagger into the office, and the old greybeards leave.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hang on a second

      Actually, as far as I can tell, OSX doesn't use the magic number concept either, hence whinging if you try and change an extension.

      1. Steve Todd

        Re: Hang on a second

        Like all Un*x variants OSX has an Executable bit in the permissions for a file (rwx flags). You can mark anything you want as executable (though it may not run unless it contains a binary).

        1. Tom Chiverton 1

          Re: Hang on a second

          " (though it may not run unless it contains a binary)."

          Or a script

        2. Anonymous Coward
          Anonymous Coward

          Re: Hang on a second

          Block them all!

          It's the only way to be sure.

          Seriously, I worked for a company that filtered out all attachments (except for .TXT files). Some of the security team even argued against that. Why?

          Imagine a malicious text file containing malicious command lines. It could be mailed, downloaded, extension renamed to .cmd or .bat and then PRESTO you have mail-borne malware at your service, albeit very old school style. You'd still need a socially engineered dummy on the end of the phone to deliver the payload but they are pretty easy to find.

          1. Seajay#

            Re: Hang on a second

            If you can convince the recipient to rename and run the attachment, you could probably convince them to do Ctrl+C Win+R Ctrl+V

            Best thing would be to block text even in the body or subject line of the email.

            1. Anonymous Coward
              Anonymous Coward

              Re: Hang on a second

              If you can convince the recipient through text in the body or subject line of the email, then malicious instructions can probably be delivered directly to the recipient's brain using an old-fashioned phone line, or even in-person contact; the only way to be secure, then, is to quietly disconnect keyboard, mouse, and other potential brain-to-computer malicious code transfer vectors from the recipient's machine, and hope no-one notices.

        3. Steve the Cynic

          Re: Hang on a second

          "Like all Un*x variants OSX has an Executable bit in the permissions for a file"

          Two bits of pedantry for you.

          1. The executable bit is a property of the file system type, not the operating system.

          2. NTFS has one, too.(1)

          (1) I didn't know this either, until I did something unusual with Cygwin and ended up with a .EXE that could not be executed because it didn't have the Executable permission...

          1. Michael Wojcik Silver badge

            Re: Hang on a second

            The executable bit is a property of the file system type, not the operating system.

            Yes, though the standard set of filesystem access permissions is standardized by SUSv3 (and has been part of that line of standards since POSIX).

            NTFS has one, too

            No, it doesn't. NTFS has ACLs, and Cygwin uses them to emulate POSIX permissions.

            1. Steve the Cynic

              Re: Hang on a second

              "No, it doesn't. NTFS has ACLs, and Cygwin uses them to emulate POSIX permissions."

              Well, when you look at the permissions on an ACL, there is one marked something along the lines of "executable". (On my system, whatever it actually says has been replaced by a French word ...)

    2. Daniel von Asmuth Bronze badge
      FAIL

      Re: Hang on a second

      I have noticed that many Windoze boxen are infested with malware that will block e-mail messages with attached program files (with suffixes like '.exe' or '.com'. A major nuisance if you want to send your latest program to a friend.

      1. JoeF

        Re: Hang on a second

        Put it on a server or in the cloud, and send them a link.

      2. Richard Boyce

        Re: Hang on a second

        So if your friend gets an email that purports to be from you and has an .exe file attached, he should run it, right?

        Are you sure he's your friend?

  3. DropBear Silver badge

    Okay, well, while we're at it...

    ...they do know TTF fonts can contain program code running on a VM proven to be breakable, right? Are TTF files blocked too...?

    1. John Brown (no body) Silver badge

      Re: Okay, well, while we're at it...

      And JPGs, don't forget JPGs. And various video files.

  4. Buzzword

    ren virus.csv virus.exe

    Presumably you can send a malicious payload with a trusted extension, combined with a .bat file to rename it. Pwnage done.

    1. Crisp Silver badge

      Re: ren virus.csv virus.exe

      rem Use .cmd extension to bypass .bat filter.

      copy con script.cmd

      ren virus.csv virus.exe

      ^z

      1. Anonymous Coward
        Anonymous Coward

        Re: ren virus.csv virus.exe

        Hah! Real hardcore hackers use "copy con virus.exe" :)

        1. Crisp Silver badge

          Re: ren virus.csv virus.exe

          Real harcore hackers use a magnetised needle and a steady hand.

          1. scrubber
            Big Brother

            Real har[d]core hackers use...

            ...undersea fibre optic taps.

          2. P. Lee Silver badge

            Re: ren virus.csv virus.exe

            Real hardcore hackers get their victim to use their own magnet, needle and steady hand... to remove their own building's hardcore.

    2. Anonymous Coward
      Anonymous Coward

      Re: ren virus.csv virus.exe

      Nah, real hardcore hackers are too busy hacking hardcore to bother.

      I'm just not sure whether that's 'hacking' as in 'hacksaw' and 'hardcore' the building material, or whether it's 'obtaining unauthorised access' and 'pornography'

    3. Daniel von Asmuth Bronze badge

      Re: ren virus.csv virus.exe

      What's wrong with uudecode?

  5. DaLo

    Are they actually saying that you can't add your own custom extensions and rules, you have to wait for a feature to be upvoted and added?

    That's a dynamic way to operate in today's security landscape where zero-days are abundant. Reminds me of the good old days where you could opt for quarterly or monthly AV updates to be sent out on disk.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Custom extensions

      Does seem pretty lame to not allow the addition of any extension or substring to the block list.

      Is this application written by script kiddies?

  6. Lamont Cranston

    Probably safe to assume that no one involved in this product is over the age of 30,

    and thus have never heard of .bat.

    1. cbars

      Re: Probably safe to assume that no one involved in this product is over the age of 30,

      Hey! I'm under 30 (just), I've heard of them!

      I use them to beat intruders with. If the intruder is in a machine, I beat the machine with it until the intruder can't to any more damage.

      Sorted.

  7. Mark 85 Silver badge

    WS1000 appliance was able to download .bat files, an old Windows file extension

    Really? I remember them in DOS along with using .sys files. Where's the old geezer icon when you need it...

    1. Martin
      Windows

      Where's the old geezer icon when you need it...

      There you go!

    2. Just Enough

      Either The Reg is now being written by ten year olds, or I'm getting old.

      Windows file extension, indeed.

  8. Mage Silver badge

    File Endings

    FIRST hit on Google

    50 potentially dangerous file extensions on windows

    Yes, it's got bat pif scr cmd etc.

    1. JimmyPage Silver badge
      Thumb Up

      Re: File Endings

      Upvote sir !

      For ".pif" last seen by me on Win3.1/95/ME

    2. willi0000000

      Re: File Endings

      Mage, thank you for the timely warning . . . i shall never again open an etc file!!!!!

      [ i know . . . i'm an idiot . . . if we ever meet i owe you a beer ]

    3. John Brown (no body) Silver badge

      Re: File Endings

      "Yes, it's got bat pif scr cmd etc."

      ZOMG! My BSD box has got whole DIRECTORY called etc!!!! I'm pwned!!!!

      Oh, it's ok. I deleted it :-)

      1. Michael Wojcik Silver badge

        Re: File Endings

        I deleted it

        You jest, but I'm sure more than one person here has seen someone do that.

        Back in the day, when disk space was scarce, a fellow developer was cleaning up an AOS1 machine, trying to free up some space. He spotted /bin/[, thought "that must be some crap that got created accidentally", and deleted it.

        Of course /bin/[ is a (hard) link to /bin/test, and is used to implement the "[ -whatever ...]" syntax in the Bourne shell, which does not have it as a built-in. (This the the real Bourne I'm talking about, not one of your "we call it /bin/sh but it's just a link to bash or some other monstrosity" shells.) And it is used by many a shell script in the AOS / BSD 4.x /etc/rc sequence.

        Took a while to get his machine booting again.

        1IBM's port of BSD 4.x to the PC RT and the "Crossbow", a never-released RT-on-a-card for the PS/2.

  9. Mephistro Silver badge
    Pint

    And this is what Elreg is all about!

    Improving security through knowledge sharing, discussion, beer and LOLs!

    Add my (virtual) thumbs up for the article!

  10. Steve Graham

    It's a long time (15 years or so) since I used Windows, but I seem to remember that the system did NOT use the file extension to work out how to execute an executable. I think if you had a binary executable something.exe and renamed it to something.bat it would still work. Or is dementia kicking in?

    1. Boothy

      Perhaps in the past, but certainly not in recent years.

      Trying to run a bat file, with a .exe extension, either from command line, or double-clicking in explorer, fails with an error. (I just tested in Win 7 out of curiosity).

      1. joeldillon

        That's the reverse of what he said. I suspect renaming an executable .bat and running it will work, because the check for any file will look like:

        'Is this a PE/COFF file? great, I'll run it!'

        or

        'Oh it's not? Well what program do I have associated with *.bat, oh it's cmd.exe, great, I'll run 'cmd.exe foo.bat'.

        This is broadly similar to how Unix does it, except the association is the #! line at the top of the script rather than being a central registry elsewhere in the OS.

    2. Mage Silver badge

      Not using a file extension

      Linux, UNIX, BSD etc doesn't care about extension. You have to set "execute".

      1. Seajay#

        Re: Not using a file extension

        Well that doesn't seem like a good idea. I'm sure it's possible to delicately craft a file which could be interpreted either as an binary executable or as a text batch file. If you just rely on the executable bit, how do you know which interpretation to make.

  11. tiggity Silver badge

    bat files still in use here

    I use them after any code change to get change from source control then fire off msbuild clean, build and package operations (ms tools for compiling code and then packaging it) followed by the bat file launching scripts (powershell, supporting more complex doze scripting than .bat files do) to then deploy on the test environment and run tests.

    Realised that sounded scarily DevOps - but (automated build & deploy & test) it the sort of thing that has been done for ages, in many companies,well before DevOps became a buzzword.

  12. jake Silver badge

    "An executable file type"

    No. Batch files are not executable. They are interpreted. Big difference.

    That said, Sophos just proved why nothing beats a decent sysadmin staff ;-)

    1. Anonymous Coward
      Anonymous Coward

      Re: "An executable file type"

      Arguable. A typical definition of "executable", in this case from wikipedia;

      In computing, an executable file or executable program, or sometimes simply an executable, causes a computer "to perform indicated tasks according to encoded instructions,"

      A script or batch files certainly meets that definition. They may not be compiled binaries, but they do contain a sequence of instructions which gets executed when the script is run. For a compiled language, the executable is the output of the compiler; you can't execute the source code directly. But for an interpreted language, the source code is the executable; that's what you run. It may not be an entirely usual usage of the term, but I think it stands up.

      1. Stevie Silver badge

        Re: "An executable file type"

        Also: if you set the executable bit on a unix script file it executes just like a command from the POV of the typist.

        Which is how you can suborn unix servers by replacing binary stuff in /bin and /sbin with malicious kiddie scripts.

        Came across a real world example in a discussion of hacker use cases some years ago. Hard to do if the SAs know even half their job, but who routinely checks the stuff in /bin to see if the content has changed against some baseline?

        1. Anonymous Coward
          Anonymous Coward

          Re: "An executable file type"

          "... who routinely checks the stuff in /bin to see if the content has changed against some baseline?"

          <blush>

        2. Fonant

          Re: "An executable file type"

          rkhunter, run nightly

          csf, running all the time

        3. Vic

          Re: "An executable file type"

          Which is how you can suborn unix servers by replacing binary stuff in /bin and /sbin with malicious kiddie scripts.

          If you can replace the executables in /bin and /sbin, you've already got full control over that box.

          but who routinely checks the stuff in /bin to see if the content has changed against some baseline?

          Many of us. It's trivially easy to get a full check automatically using find /bin -exec rpm -qf {} \; | sort | uniq | xargs rpm -V . That sort of thing can even be scripted if it's considered important...

          Vic.

  13. chivo243 Silver badge

    Back in the day

    a colleague used to change the .exe to something else with instructions to change back when you downloaded it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Back in the day

      That's why AV doesn't rely on extensions, solely. They look at the header of the file to determine what it really is.

  14. adam payne Silver badge

    "We would like to reassure Sophos Web Appliance customers that the absence of the ability to block .bat files does not represent a software vulnerability in the SWA code but it is an ability we will add to improve the filtering policy options for our customers."

    It was never suggested that it was a vulnerability in the coding. It was pointed out that you aren't blocking .BAT files from the web. I would certainly expect any product to do that automatically or at least give you the option to do so.

    "Upon further checking, .bat file is not included in the download file type list. For that concern, you can request that feature to http://feature.astaro.com/forums/143211-sophos-web-security. Sophos will evaluate it and will update you if it will be approved. Let me know if you have further concerns or if can now close our case. Thank you."

    Using the extension to determine the file type, wow that could be messy. Hope there's some heuristics in there somewhere.

  15. localzuk

    Hmm

    Surely things like .bat should be blocked on the endpoint anyway, not just blocking it from being downloaded.

    I'm not particularly aware of any harm that a batch file can do if the users have restricted access rights on their clients anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      It could do plenty of harm. How about sending all your confidential documents to a remote server, or scrambling or deleting all your documents? There are loads of things that a bat file could do that could cause harm and require a recovery from backup this doesn't include escalation of privileges that it could perform by scanning for vulnerable applications on your system.

      1. localzuk

        Re: Hmm

        Note - I stated that .bat files can't do any harm if the right permissions are in place on the client side... So, yeah, still don't see how a batch file could cause damage if they're restricted from running on the client.

    2. JimmyPage Silver badge
      Stop

      Re: Hmm

      IIRC NT DOS has quite a rich set of features that can be used in BAT files. Certainly it's possible to work a directory tree of files generated by DIR, and have some pretty nifty IF/THEN paths through a script.

      1. stephanh Silver badge

        Re: Hmm

        As far as I can see, a .BAT file can actually do anything an .EXE can do, because it can just write one out and then run it.

        echo "binary gibberish representing a malicious.EXE" > OWNME.EXE

        OWNME

        So complete security fail IMHO.

        1. captain veg

          Re: Hmm

          > echo "binary gibberish representing a malicious.EXE" > OWNME.EXE

          @echo off

          echo A > hello.asm

          echo MOV AH,9 >> hello.asm

          echo MOV DX,108 >> hello.asm

          echo INT 21 >> hello.asm

          echo RET >> hello.asm

          echo DB 'HELLO WORLD$' >> hello.asm

          echo. >> hello.asm

          echo R CX >> hello.asm

          echo 14 >> hello.asm

          echo N HELLO.COM >> hello.asm

          echo W >> hello.asm

          echo Q >> hello.asm

          debug < hello.asm

          cls

          hello.com

          echo.

          pause

          -A.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hmm

            @Captain Veg - This is awesome! Never did any assembly and am easily impressed, upvoted anywho.

          2. JoeF

            Re: Hmm

            C:\>debug

            'debug' is not recognized as an internal or external command,

            operable program or batch file.

            Windows 7.

            Relying on executing debug commands is not always going to work.

            1. DaLo

              Re: Hmm

              It's still in 32bit Win 7 just not 64bit.

          3. John PM Chappell

            Re: Hmm

            Impressed as I am ... you're not going to get 64 bit Windows to run a 16 bit exectuable (.com) ;)

  16. Bodge99

    With idiots such as these still around.. be very afraid for the future.

    When I see stuff like this, I say to myself "is it me??".. Then I come to the conclusion "No, it really isn't me!!"

  17. Wolfclaw Silver badge

    So in otherwords, Sophos cocked up big style, refused to accept they cockedup until they started getting pinged by reporters and then back tracked and added it. Sounds just like any other tech company, Government department or dweeb of a tory PM !

    1. NotBob

      Don't forget the spin, too...

      "We didn't screw up, and it works as it should, but we're going to fix it anyway because you asked so nicely."

  18. Aodhhan Bronze badge

    Sophos is the new Oracle?

    The old Oracle statement... we'll get to it when we want to (or when they can contract in a good developer to fix it). Until then, consider this a feature.

  19. jzl

    Indian offshoring

    That response email has all the hallmarks of a first tier Indian support centre response.

    1. Notas Badoff
      FAIL

      Re: Indian offshoring

      Consider first that a large proportion of questions on answers.microsoft.com are from "regular folk". You know, the "Where's the anykey?" crowd.

      Now reflect on the situation that in about half of those 'discussions' a response by Microsoft's people has been replied to with the equivalent of "What drugs are you people on?" or "Don't you know your own products?" or "Can't you read/understand/write/grok English?" That is, the 'idiots' are questioning the intelligence of Microsoft's people, and rightly so.

      Microsoft has done itself a disservice by moving its customer contact outlet to India. But... that is just another permutation of "anybody could do that job!".

  20. cd

    Real reason more mundane: Commissioner Gordon may need bat files.

  21. Anonymous Coward
    Anonymous Coward

    20+ years ago, part of my job was building a mail client for PCs. I made sure that the client blocked downloading .bat attachments.

  22. John 104
    FAIL

    Reg Fail

    The extension .bat denotes a script which contains a list of commands that is executed by the command line interpreter when run.

    Thanks, Reg. Glad you pointed that out to us readers.

    Seriously, this is a tech site. If your readers don't know what a .bat file is...

    1. Reg is going down the tubes on target audience.

    2. Readers can look it up and become educated

    3. Too hard to educate yourself on this one? Go elsewhere.

    1. Francis Boyle Silver badge

      I noticed that

      Then I thought "Sometimes an article needs to be manager-compliant".

  23. GreyBeardWizard

    Astaro - Sophos

    Nice to see the Feature request has ASTARO in the link :-) - well Astaro, ahh Sorry Sophos UTM 9.x DOES have the ability to block ALL extensions... should have stayed with the ASTARO boys and girls, but these days when I ring up to place an order I'm sure I can hear terrible twos tantrums crying aka the sales department....

  24. something_or_another
    FAIL

    WCE anyone?

    When will they detect the publicly available WCE? Seriously, how long as that tool been around and it just ignores it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019