By Alexander J Martin, 9th June 2016 08:02

Sophos U-turns on lack of .bat file blocking after El Reg intervenes

Infosec bod reckons firm 'misunderstood' the issue

Sophos' WS1000 web appliance fails to include batch files in its download file type block list, and the company said it would only include the ability to block them as a feature.

WS1000 is an enterprise-targeted secure appliance that is intended to protect "every user, on every device, everywhere they go" by prohibiting particular end-user actions, such as downloading dangerous file types.

Unfortunately, during a recent penetration test, Simon Vaughan of SafeHackUK noticed that a client using the WS1000 appliance was able to download .bat files, an old Windows file extension but one which is still widely used, according to Vaughan.

The extension .bat denotes a script which contains a list of commands that is executed by the command line interpreter when run.

It is an executable file type that could trivially be malicious, and one of the kind Sophos' web appliance intends to protect users from downloading, and yet .bat files are not included in the company's download file type list.

Upon informing the company of this vulnerability, Vaughan received the following response, which The Register reproduces verbatim:

Upon further checking, .bat file is not included in the download file type list. For that concern, you can request that feature to Sophos will evaluate it and will update you if it will be approved. Let me know if you have further concerns or if can now close our case. Thank you.

As the company has decided to pursue the feature route with the patch, Vaughan has submitted it to Sophos' features forum, where non-members may vote for the "urgent security fix".

Talking to The Register, Vaughan said: "I think they misunderstood what I was raising with them, is the nicest way I could put it, this is a security hole, it's the same as blocking .exe files."

The Register brought the issue to Sophos' attention and was told by a company rep:

"Sophos Web Appliance can protect customers against threats contained in .bat files, as these files are routinely scanned by SWA. It is correct that the SWA does not currently offer the ability for admins to set a policy to block .bat files. This is a feature we will add as a result of this report."

"We would like to reassure Sophos Web Appliance customers that the absence of the ability to block .bat files does not represent a software vulnerability in the SWA code but it is an ability we will add to improve the filtering policy options for our customers." ®
