www.aushack.com - Australian information and network security website

home \| advisories \| code \| downloads \| robanukah \| contact

.: ZoneAlarm MailSafe File Extensions

Why you cannot rely on file extension alone (for eMail gateway filtering).
I was looking for a particular file extension the other day and came across some unusual registered file types.

ZoneAlarm Extensions

The file types would appear to be a result of the Zone Alarm MailSafe technology. I've never used it, but I assume it works something like this:

A user receives a POP3 email with an attachment.
ZoneAlarm intercepts the data and changes the file extension to a MailSafe extension.
The user attempts to open the attachment, and are warned of the dangers prior to execution.

Example MailSafe warning for extension .ZLL

So you can see where this is heading...

Say an organisation blocks "*.exe" at their mail gateway, but all their workstations have ZoneAlarm installed. Now all we need to do is send a 'funny.zl9' trojan/worm instead. Sure, the user will be warned not to open it... how many people will ignore the message and click on "Run" regardless? All you need is one person, really. I like those odds.

List of ZoneAlarm MailSafe extensions to Windows extensions:

(Yes, I painfully went though each one to determine the mappings)

z0 - jscript
z1 - vbscript
zl0 - access project extension
zl3 - batch
zl5 - nt cmd
zl6 - dos app
zl7 - cpe
zl8 - ssl sec cert
zl9 - .exe
zla - chm win help
zlb - html app hta
zlc - setup info file - .inf
zld - internet communication settings file
zle - ics again ^
zlf - jscript encoded
zlg - shortcut file
zlh - access db
zli - access mdb
zlj - mmc file
zlk - msi
zll - windows installer patch
zlm - visual test source file
zln - photo cd album
zlo - .pif shortcut
zlp - .reg
zlq - .scr
zlr - .sct windows script
zls - .shs shell scrap object
zlt - .url
zlu - vbscript encoded
zlv - vb shortcut
zlw - windows script component
zlx - windows script
zly - .wsh script host settings
zlz - .asx windows media
zm0 - visual fox pro
zm1 - access add in
zm2 - access wizard template
zm3 - outlook folder file
zm4 - PICS rule
zm5 - windows explorer command?
zm6 - shell scrap object
zm7 - .wms windows media skin
zm8 - web archive file
zm9 - .zip
zma - .rar
zmb - .dll
zmc - email file
zmd - active x
zme - .sys driver

Top of Page.