Outlook Attachments Blocked or Restricted

Outlook Attachments Blocked or Restricted

*** How to Customize what is Blocked ***

*** blockage/restriction is done by the Microsoft Outlook Security Patch ***

This affects nearly everyone. Microsoft has issued a security update for Outlook, and most users have installed it. With all the viruses going around these days, they had to block certain attachments and restrict access to others. For the most part, executable file types are blocked.

But many people want to decide for themselves what gets blocked, allow all file types to come in, and delete attachments that they, themselves deem unsafe. This page describes how you can customize the attachment handling.

Once the MS Security update is applied - a list of unsafe file types (Level 1 file types) is loaded, and incoming emails with attached files are pre-screened against the list. The attachment's file name extension (the three characters after the period) is checked against the list's unsafe files types, such as exe, com, etc. Depending on it's extension, there are three possible outcomes:

Level 1 (unsafe) - default extension list includes exe, com, etc. - the file will be completely blocked (it is there, but not shown to the user)
Level 2 (medium risk) - no default extension list, but you can create your own list - the user will be required to be save the file to disk before opening (Level 2)
Other (safe) - no default extension list is maintained, but all extensions NOT in the Level 1/Level 2 extension lists are deemed to be safe - the file is simply allowed as a regular, safe attachment (Other)

By default, Outlook classifies a number of file type extensions as Level 1 and blocks files with those extensions from being received by the users. There are no Level 2 file types by default, but you can create a list of Level 2 file types.

How to tell if you have the Security Update

To find out whether your copy of Outlook includes the security update, you can check the version number with the Help | About Microsoft Outlook command and compare it with this chart, which lists the versions with the security update:

Outlook 97	Not applicable, since the security update is not available for Outlook 97
Outlook 98	Version 8.5.7806 and later
Outlook 2000	Version 9.0.0.4201 and later
Outlook 2002	All versions (10.0.x.x)
Outlook 2003	All versions (11.0.x.x)

The Three Security Categories

Microsoft categorized the security of the attachments as follows. File types are defined by their extensions, and Microsoft made lists of file types and their security level. There is category without security (Other), and there are 2 security levels :

Other - (neither Level 1 or Level 2 - for example, zip files) - no safety issues, these files types can be freely attached to Outlook emails, and downloaded by the receiver of the email. However, you are initially prompted to either open the file directly or to save it to a disk. You can turn off future prompts for that extension if you click to clear the "Always ask before opening this type of file" check box.
Level 1 - "unsafe" - the attachment is there, but invisible to Outlook (for example, exe files) - these attachments are blocked. Systems with the MS Windows security update for Outlook 2000 and 98 or with Outlook 2002 will no longer be able to open or save Level 1 files if they are attached to an Outlook message. Again - the attachments will still be in the messages, but will be invisible to Outlook. Other programs, and even Outlook add-ins may be able to access them.
Level 2 - medium risk - these attachments must be saved to disk first, before opening. End users with Outlook 2002 or Office 2000 SP3 can demote a file type from Level 1 to Level 2. But only administrators in an Exchange Server environment can customize the Level 2 list. Below is a sample warning message that Outlook gives when a user tries to open a Level 2 attachment (in this case the attachment is aa executable file called "happy.exe"):

Attachment Security Warning
WARNING!
The file may contain a virus that can be harmful to your computer. It is important to be very certain that this file is safe before you open it. You must save this file to disk before it can be opened.
Filename: happy.exe
Type: exe

The Effects of the MS Security Patch on Emails

Forwarding Emails with L1 or L2 Attachments - all Level 1 and Level 2 attachments are removed from forwarded emails, before the email is sent !!
New Emails with Level 1 Attachments - users sending a Level 1 attachment will see a warning only - the attachment is sent !! It is the receiver that has the attachment blocked - not the sender. BUT if the receiver does not have the MS security patch installed, the attachment is not blocked.
New Emails with Level 2 Attachments - users sending a Level 2 attachment will see no warning and the attachment is sent !! The receiver will get the attachment, and it will not be blocked - but they will have to save it to disk before opening. BUT if the receiver does not have the MS security patch installed, the attachment is will open normally from within Outlook.

*** there are ways to open these "unsafe" files.

*** For a list of all Level 1 file types, scroll to the bottom of this page.

Editing the Level 1 List and the Level 2 List

The lists :

Level 1 List - there is a default Level 1 list added by the Security update and stored in your PC. This list can be easily edited by adding/removing file extensions to the two registry keys: Level1Remove and Level1Add
Level 2 List - there is NO default Level 2 list - but there is a Level 2 list, which is stored in the registry key, Level1Remove and can be easily edited by adding/removing file extensions to the key

These two lists can be edited by you, through the registry, as follows:

List Description			How to Edit the List (more detailed instructions follow - below this table)
List	Category	Protective Action Taken by Outlook on Attachment	Desired Action (Add or Remove Entries)	Registry Change you need to Make
Level 1	High Risk (Unsafe)	Blocked	Add	add the extension to the Level1Add key
Level 1	High Risk (Unsafe)	Blocked	Remove	add the extension to the Level1Remove key
Level 2	Medium Risk	Restricted (save to disk before opening)	Add¹	add the extension to the Level1Remove key
Level 2	Medium Risk	Restricted (save to disk before opening)	Remove²	remove the extension from the Level1Remove key
Other	Low Risk	None	Add³	remove the extension from both L1 and L2 lists
Other	Low Risk	None	Remove³	add the extension to either the L1 or L2 list - the Other list is all file types NOT on the L1 or L2 lists
¹ - ALL file types listed in this key are added to the Level 2 list. If you add a file type to the Level1Remove key that is on the default Level 1 list, it will be demoted to Level 2 (demoted means removed from L1 and added to L2). If you add a file type to the Level1Remove key that is not on the default Level 1 list, it will be added to the Level 2 list. ^{2 -}the list of Level 2 file types is simply the entries that you have manually added to the Level1Remove key - so to remove a file type from the L:evel 2 list, you simply remove it from the Level1Remove key ^{3 -}the Other list is all file types NOT on the L1 or L2 lists

Customizing Outlook's Handling of Attachments

Add Level 1 entries (have Outlook block them)

*** this adds more file types to the default Level 1 list. Normally, only an administrator would want to do this

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following key in the registry:
Outlook 2000: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security Outlook 2002: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security Outlook 2003: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

On the Edit menu, point to New, and then click String Value.
Type Level1Add, and then press ENTER.
On the Edit menu, click Modify.
Type the extension of the file type that you want to block.
for example: .doc
NOTE: to specify multiple file types, use the following format exactly: .doc;.xls; etc
Make sure all entries to the Level1Add key are not already on the Microsoft assigned Level 1 File extensions (see list below) !!

Remove Level 1 Entries (stop Outlook from blocking those Attachments)

Caution: unblocking attachments is fine, so long as you know which ones you can safely open. Otherwise, leave them blocked !!

Demotion - if you remove a file type from the Level 1 list (by adding it to the Level1Remove key) it is demoted (security level changed from L1 to L2 - so it is added to the Level 2 list).

Accidentally Adding "Other" file types to the Level1Remove key - sometimes users go into the registry and add every file type that they want to be "allowed" to the Level1Remove key. This can cause problems !! Make sure that you only add those extensions which are on the default Level 1 list !! Otherwise they will automatically become Level 2, and will be restricted. To make sure this does not happen to you - check the list of Level 1 file types below, before you edit the Level1Remove key.

Example - this happened to me actually. I added several file types to the Level1Remove key to make sure that they were not blocked. I added three types: .exe, .com., and .doc - However, .doc was not on either the default Level 1 or the Level 2 lists to begin with !! So by adding it to the Level1Remove key - I inadvertently added it to the Level 2 list !!! At that point, all received emails with .doc attachments started requiring me to "Save to Disk" before opening the file - which is a hassle, especially if you receive numerous Word documents. To fix the problem that I gave myself - I removed the .doc entry from the Level1Remove key. This sent it back to "Other" status, and all was well.

The Level 1 Removal Process

First you must check your registry to see if it contains the Outlook "security" key. Quit Outlook 2000 if it is running - then click Start/Run . . type in: regedit and then click OK. Now see if the following key exists:

for Outlook 2000: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security
for Outlook 2002: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
for Outlook 2003: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security

If the key exists - skip to step 6. If the key path does not exist, execute all steps, starting at step 1:

locate and then select the following registry key: HKEY_CURRENT_USER\Software\Microsoft
Click the Edit menu, click New, and then click Key. Type Office, and then press the ENTER key.
Click the Edit menu, click New, and then click Key. Type 9.0, 10.0, or 11.0 (depending on your version of Outlook - see above) and then press the ENTER key.
Click the Edit menu, click New, and then click Key. Type Outlook, and then press the ENTER key.
Click the Edit menu, click New, and then click Key. Type Security, and then press the ENTER key.
Make sure the "Security" folder is selected - then Click the Edit menu, click New, and then click String Value.
Type the following name for the new value: Level1Remove <Enter>
Right-click on the new string value name (Level1Remove), and then click left-click on "Modify".
Type the extension of the file type that you want to allow access to.
for example: .exe
NOTE: to specify multiple file types, use the following format exactly: .exe;.com; etc
Make sure all entries to the Level1Remove key are Microsoft assigned Level 1 File extensions (see list below) !! Otherwise they will become Level 2 file types.
When you are finished, click OK, exit the Registry Editor, and restart your computer.
DONE !! Now the next time you start Outlook, the attachments whose file types are now specified in the Windows Registry - are accessible and you can open them by double-clicking their icon in the email.

How to Open Blocked Level 1 Attachments

If you have already received a message with a Level 1 attachment that you are sure is safe, you can use Outlook Express to import the message and gain access to the attachment:

In Outlook, click New Folder on the File menu.
Type a name for the folder, such as attach, and then click OK to create the folder.
Move the message with the Level 1 attachment to the folder that you just created.
Start Outlook Express. If necessary, close the setup dialog boxes because you do not need to create a mail account in Outlook Express to use the import feature.
In Outlook Express, point to Import on the File menu, and then click Messages.
Click Microsoft Outlook in the Select an e-mail program to import from box, and then click Next.
In the Select Folders dialog box, click Selected folders, and then click the folder that you created in step 1.
Click Finish to import the message.

You now have a folder in Outlook Express with the name that you chose for the folder in step 2, and the message with the attachment that you want to open is inside that folder. You can open the message and use the Outlook Express attachment commands to access the attachment:

Open the message in Outlook Express.
On the File menu, click Save Attachments.
Click the attachments that you want to save in the Attachments To Be Saved box, and then click Browse.
In the Browse for Folder dialog box, click the folder in which you want to save the attachments, and then click OK.

How to send Level 1 Attachments

To access Level 1 attachments, the sender and receiver must work together to perform either of the following procedures:

zip the file before sending. Zip files are not on the Level 1 attachment list !!
Post the attachment to a network or Internet site, and then send a message that points to the attachment

Add/Remove Level 2 file types

There are no Level 2 file types by default, but the list of Level 2 file types is in the Level1Remove key.

Add Level 2 File Types - add file types to the Level1Remove key. All file types listed in that key are added to the Level 2 list, regardless of whether they were on the default Level 1 list or not !!
Remove Level 2 File Types - there are two cases here

the extension was on the default Level 1 list but was demoted by you to Level 2 - you can remove it from the Level 2 list by removing the extension from the Level1Remove key. BUT realize that it will then be blocked completely because it will revert to Level 1 !!!

the extension is NOT on the default Level 1 list but was added by you to the Level 2 list - you can remove it from the Level 2 list by removing the extension from the Level1Remove key. The file type will then revert to "Other" and will be completely allowed

NOTE - If you are an Exchange Administrator, you can add or remove attachment types from the list of Level 2 file types through the Outlook Security Settings tab of the Outlook Security form.

The Default Level 1 Attachment File-Types List

*** when an email is received with a Level 1 file attached - the attachment is there, but invisible to Outlook

Extension	Description
.ade	Microsoft Access project extension
.adp	Microsoft Access project
.app	Microsoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)
.asx	Windows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x)
.bas	Visual Basic class module
.bat	Batch file
.cer	(blocked only in Outlook 2003 and later)
.chm	Compiled HTML Help file
.cmd	Windows NT Command script
.com	MS-DOS program
.cpl	Control Panel extension
.crt	Security certificate
.csh	KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)
.exe	Program
.fxp	Microsoft Visual FoxPro compiled program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)
.hlp	Help file
.hta	HTML program
.inf	Setup Information
.ins	Internet Naming Service
.isp	Internet Communication settings
.js	JScript Script file
.jse	Jscript Encoded Script file
.ksh	KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)
.lnk	Shortcut
.mda	Microsoft Access add-in program (blocked only in Outlook 2002 and a patched version of Outlook 2000)
.mdb	Microsoft Access program
.mdt	Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)
.mdw	Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)
.mde	Microsoft Access MDE database
.mdz	Microsoft Access wizard program (blocked only in Outlook 2002 and a patched version of Outlook 2000)
.msc	Microsoft Common Console document
.msi	Windows Installer package
.msp	Windows Installer patch
.mst	Visual Test source files
.ops	Office XP settings (blocked only in Outlook 2002 SP-1 and and Outlook 2000 SP-3 later)
.pcd	Photo CD image
.pif	Shortcut to MS-DOS program
.prf	Microsoft Outlook profile settings (blocked only in Outlook 2002)
.prg	Microsoft Visual FoxPro program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)
.pst	Microsoft Outlook Personal Folders file (blocked only in Outlook 2000 SP-3)
.reg	Registration entries
.scf	Windows Explorer command (blocked only in Outlook 2002)
.scr	Screen saver
.sct	Windows Script Component
.shb	Shell Scrap Object
.shs	Shell Scrap Object
.url	Internet shortcut
.vb	VBScript file
.vbe	VBScript encoded script file
.vbs	Visual Basic Script file
.wsc	Windows Script Component
.wsf	Windows Script file
.wsh	Windows Script Host Settings file