Extensions...which to scan on access?

Discussion in 'other security issues & news' started by QBgreen, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    It appears that many if not most A/V firms suggest that all file extensions be scanned to ensure thorough security. While I agree that this makes sense for an on-demand scan, many products (F-Secure comes to mind) can noticeably slow down even a relatively powerful machine if all extensions are scanned on access. So, this leads me to ask if anyone has what they feel is a proper list of extensions that should be used for on-access scanning.
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
  3. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    I'm using the ones supplied by default by NOD32, plus any of the additional ones noted on the link provided by Meneer (thanks!). Here is the list I have so far:
    Code:
    ade          dll          ksh          ov?          swf
    adp          doc          lnk          pcd          sys
    app          dot          md?          pdf          the
    asp          elf          mdb          php          theme
    bas          eml          mde          pif          url
    bat          exe          mdt          pot          vb
    cgi          fxp          mdw          pp?          vbe
    chm          hlp          mpp          prc          vbs
    cla          hta          mpt          prg          vsd
    class        htm          msc          reg          vxd
    cmd          html         msi          rtf          wsc
    com          htt          mso          scr          wsf
    cpl          inf          msp          sct          wsh
    crt          ini          mst          sh           xl?
    csc          ins          nws          shb          {*
    csh          js           ocx          shs
    css          jse          ops          src
    I hope the table doesn't wrap improperly... :doubt:
     
  4. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I'm scanning everything. If people begin to only protect against certain files, virus creators will only try and make the viruses in a different format.

    Jimbob
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    He's right, guys. I've seen extensionless infected files and files which come in filetypes which are ignored by my eScan by default (CAB, JAR, LHA etc.)
     
  6. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Part of me definitely agrees, but part of me disagrees as well. I can see both sides.

    Really the virus writers aren't in control of this situation, they have to take advantage of whatever paths of execution exist on the machine. That is, the OS itself or some application has to either load the executable or parse the executable scripts or macros. So really there is only a finite number of avenues of execution on a machine at any given time. It's not like virus writers can just call their creation *.xyz and get it to infect your machine (not, that is, unless they can get you to rename it to some other extension that will be executed).

    The problem, though, is that you never know when Microsoft or some 3rd party developer might add macro parsing or script parsing to their application which can then be used maliciously. And, so, keeping up with all of these newly created avenues of execution is a daunting task. A task most people will not wish to pursue, and probably rightly so. I definitely respect the decision to just scan everything as a result.

    However, I'm willing to take the calculated risk and just scan the above extensions on a resident basis and reserve the "everything" scan for my on-demand scanning. That way, my resident scanner won't scan things like .wma, .mp3, or .m4a. I don't want it trying to scan my music files, it will just slow down Media Player and iTunes. Now, if iTunes ever tries to incorporate some whacky script execution scheme in their file formats... I'm screwed. ;)

    [Edit: As far as the archives, to the best of my knowledge, they always have to be unpacked before anything could execute as a result. So the resident scanner should always pick up whenever cab, zip, rar, etc. has malware that you are about to execute. Now, if you just download the archive and store it on your drive for future access, definitely some malware could be hiding in there... but I will catch that later during my exhaustive, all-options-set on-demand scans. That's just the way I do things. But I respect doing it the other way as well if you are willing to live with the slight extra overhead.]
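
The trade-off discussed in this thread can be measured: the added example below (not part of any post) matches file names against the extension list posted above and flags files whose leading bytes look like executable or container content but whose extension the list would skip, such as the extensionless, CAB, JAR and LHA cases mentioned. The function names and sample files are constructed for illustration; the signature table covers only a few well-known headers.

```python
import fnmatch
import os

# On-access extension list as posted in the thread (wildcards kept).
SCAN_LIST = """ade adp app asp bas bat cgi chm cla class cmd com cpl crt
csc csh css dll doc dot elf eml exe fxp hlp hta htm html htt inf ini ins
js jse ksh lnk md? mdb mde mdt mdw mpp mpt msc msi mso msp mst nws ocx
ops ov? pcd pdf php pif pot pp? prc prg reg rtf scr sct sh shb shs src
swf sys the theme url vb vbe vbs vsd vxd wsc wsf wsh xl? {*""".split()

# (offset, magic bytes, label) for a few well-known file headers.
SIGNATURES = [
    (0, b"MZ", "DOS/PE executable"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (0, b"PK\x03\x04", "ZIP container (includes JAR)"),
    (0, b"MSCF", "Microsoft cabinet"),
    (2, b"-lh", "LHA archive"),
]

def extension_covered(filename):
    """True if the file's extension matches an entry in SCAN_LIST."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return any(fnmatch.fnmatchcase(ext, pat) for pat in SCAN_LIST)

def sniff(header):
    """Return a label for the first matching signature, else None."""
    for offset, magic, label in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return label
    return None

def coverage_gaps(files):
    """List (name, type) for files an extension-only scanner would skip."""
    return [(name, sniff(head)) for name, head in files
            if sniff(head) and not extension_covered(name)]

# Constructed sample: file name plus the first bytes of its content.
SAMPLE = [
    ("setup.exe", b"MZ\x90\x00"),
    ("invoice", b"MZ\x90\x00"),
    ("applet.jar", b"PK\x03\x04\x14\x00"),
    ("drivers.cab", b"MSCF\x00\x00\x00\x00"),
    ("tools.lzh", b"\x1f\x00-lh5-"),
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("song.mp3", b"ID3\x03\x00"),
]

if __name__ == "__main__":
    for name, label in coverage_gaps(SAMPLE):
        print(f"{name}: {label} content, extension not on the on-access list")
```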
     