16 April 2016

Jabber File Transfer & Which Extensions to Block

Cisco Jabber provides the ability to send files between users, either peer-to-peer or proxied via the IM&P server when the Managed File Transfer (MFT) feature is configured. MFT is also required when one or both users are connected using Mobile and Remote Access (MRA), and for ad-hoc and persistent chat rooms to support file sharing. As an added bonus, supporting file transfers within Jabber will likely reduce the use of email as a file transfer protocol.

The concern that immediately gets raised by customers is the risk of malware being propagated through Jabber. In addition to ensuring anti-malware software is present on both the sending and receiving computers, administrators can blacklist the undesirable file extensions. You define this list in jabber-config.xml, either with a text editor of your choice or by using the config generator (now hosted at www.ciscojabber.io). The Disallowed_File_Transfer_Types policy element is supported by all current Jabber clients: Windows, Mac, iOS and Android.

The list you specify must be semicolon-separated, without spaces, and each entry must include the leading period. Example:
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Policies>
    <Disallowed_File_Transfer_Types>.exe;.reg;.msi</Disallowed_File_Transfer_Types>
  </Policies>
</config>

So, which file extensions should we block? I suspect many skip the configuration - or worse, disable file transfer entirely - solely because the hurdle of determining an adequate list seems daunting. In this case, we can look to email for guidance, and Microsoft provides a good starting point with their support article Blocked attachments in Outlook. Here's that list in readily consumable (i.e. copy and paste) form:

.ade;.adp;.app;.asp;.bas;.bat;.cer;.chm;.cmd;.com;.cpl;.crt;.csh;.der;.exe;.fxp;.gadget;.hlp;.hta;.inf;.ins;.isp;.its;.js;.jse;.ksh;.lnk;.mad;.maf;.mag;.mam;.maq;.mar;.mas;.mat;.mau;.mav;.maw;.mda;.mdb;.mde;.mdt;.mdw;.mdz;.msc;.msh;.msh1;.msh2;.mshxml;.msh1xml;.msh2xml;.msi;.msp;.mst;.ops;.pcd;.pif;.plg;.prf;.prg;.pst;.reg;.scf;.scr;.sct;.shb;.shs;.ps1;.ps1xml;.ps2;.ps2xml;.psc1;.psc2;.tmp;.url;.vb;.vbe;.vbs;.vsmacros;.vsw;.ws;.wsc;.wsf;.wsh;.xnk

Additional internet sleuthing suggested a few additions to that list:

.bin;.paf;.job;.inx;.isu;.sys;.dll;.jar;.rar;.ocx;.application;.fon;.vbscript;.action;.command;.osx;.run;.workflow;.ipa;.sysconfig;.apk
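Hand-merging the two lists above into the exact format the policy element requires (semicolons, no spaces, leading periods, no duplicates) is easy to get wrong. The following Python script is an added example, not part of the original post or any Cisco tooling: it normalises loosely formatted input, emits the jabber-config.xml fragment, and lets you spot-check file names against the resulting policy. The sample lists are constructed subsets of the full lists, and the matching rule (case-insensitive match on the final extension) is an assumption for the check, not documented Jabber behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lists (short subsets of the lists in the post).
OUTLOOK_SAMPLE = ".exe;.bat;.cmd;.js;.vbs;.ps1;.msi;.reg"
EXTRA_SAMPLE = "dll; .JAR ; .exe;.apk;;"   # deliberately messy input


def normalize_extensions(raw):
    """Turn loosely formatted input into what the policy expects:
    lowercase entries, each starting with a period, no spaces, no duplicates.
    Semicolons, commas and whitespace are all accepted as separators."""
    seen, result = set(), []
    for token in re.split(r"[;,\s]+", raw):
        token = token.strip().lower()
        if not token:
            continue
        if not token.startswith("."):
            token = "." + token            # supply the missing period
        if token == "." or token in seen:
            continue                       # skip empty or duplicate entries
        seen.add(token)
        result.append(token)
    return result


def build_policy_value(*raw_lists):
    """Merge any number of lists into one semicolon-separated policy value."""
    return ";".join(normalize_extensions(";".join(raw_lists)))


def render_jabber_config(policy_value):
    """Emit the jabber-config.xml fragment carrying the policy element."""
    config = ET.Element("config", version="1.0")
    policies = ET.SubElement(config, "Policies")
    ET.SubElement(policies, "Disallowed_File_Transfer_Types").text = policy_value
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(config, encoding="unicode")


def is_blocked(filename, policy_value):
    """Spot-check a file name against the policy (assumed rule: case-insensitive
    match on the final extension, so 'Invoice.pdf.EXE' is caught, 'notes.txt' is not)."""
    blocked = set(policy_value.split(";"))
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[1] in blocked


if __name__ == "__main__":
    value = build_policy_value(OUTLOOK_SAMPLE, EXTRA_SAMPLE)
    print(render_jabber_config(value))
    for f in ("Invoice.pdf.EXE", "notes.txt", "tool.DLL"):
        print(f, "blocked" if is_blocked(f, value) else "allowed")
```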

This is certainly an incomplete list but it's better than leaving the field blank and allowing everything. See one I missed? Please add it in the comments!