Outlook Attachments Blocked or Restricted

*** How to Customize what is Blocked ***

*** blockage/restriction is done by the Microsoft Outlook Security Patch ***

This affects nearly everyone.  Microsoft has issued a security update for Outlook, and most users have installed it.  With all the viruses going around these days, they had to block certain attachments and restrict access to others.  For the most part, executable file types are blocked.  

But many people want to decide for themselves what gets blocked, allow all file types to come in, and delete attachments that they, themselves deem unsafe.  This page describes how you can customize the attachment handling.

Once the MS Security update is applied - a list of unsafe file types (Level 1 file types) is loaded, and incoming emails with attached files are pre-screened against the list.  The attachment's file name extension (the three characters after the period) is checked against the list's unsafe files types, such as exe, com, etc.  Depending on it's extension, there are three possible outcomes:

By default, Outlook classifies a number of file type extensions as Level 1 and blocks files with those extensions from being received by the users. There are no Level 2 file types by default, but you can create a list of Level 2 file types.

How to tell if you have the Security Update

To find out whether your copy of Outlook includes the security update, you can check the version number with the Help | About Microsoft Outlook command and compare it with this chart, which lists the versions with the security update: 

Outlook 97 Not applicable, since the security update is not available for Outlook 97
Outlook 98 Version 8.5.7806 and later
Outlook 2000 Version 9.0.0.4201 and later
Outlook 2002 All versions (10.0.x.x)
Outlook 2003 All versions (11.0.x.x)

The Three Security Categories

Microsoft categorized the security of the attachments as follows.  File types are defined by their extensions, and Microsoft made lists of file types and their security level.  There is category without security (Other), and there are 2 security levels : 

Attachment Security Warning
WARNING!
The file may contain a virus that can be harmful to your computer. It is important to be very certain that this file is safe before you open it. You must save this file to disk before it can be opened.
Filename:  happy.exe
Type: exe

 

The Effects of the MS Security Patch on Emails

Forwarding Emails with L1 or L2 Attachments
- all Level 1 and Level 2 attachments are removed from forwarded emails, before the email is sent !!
New Emails with Level 1 Attachments - users sending a Level 1 attachment will see a warning only - the attachment is sent !!  It is the receiver that has the attachment blocked - not the sender.  BUT if the receiver does not have the MS security patch installed, the attachment is not blocked. 
New Emails with Level 2 Attachments - users sending a Level 2 attachment will see no warning and the attachment is sent !!  The receiver will get the attachment, and it will not be blocked - but they will have to save it to disk before opening.   BUT if the receiver does not have the MS security patch installed, the attachment is will open normally from within Outlook. 

*** there are ways to open these "unsafe" files.

*** For a list of all Level 1 file types, scroll to the bottom of this page.

Editing the Level 1 List and the Level 2 List

The lists :

These two lists can be edited by you, through the registry, as follows:

List Description How to Edit the List
(more detailed instructions follow - below this table)

List   

Category Protective Action Taken by Outlook on Attachment

Desired Action (Add or Remove Entries)   

Registry Change you need to Make

Level 1   

High Risk
(Unsafe)
Blocked

Add

add the extension to the Level1Add key

Level 1   

High Risk
(Unsafe)
Blocked

Remove

add the extension to the Level1Remove key

Level 2   

Medium Risk Restricted (save to disk before opening)

Add1

add the extension to the Level1Remove key   

Level 2   

Medium Risk Restricted (save to disk before opening)

Remove2

remove the extension from the Level1Remove key

Other Low Risk None Add3 remove the extension from both L1 and L2 lists
Other Low Risk None Remove3 add the extension to either the L1 or L2 list - the Other list is all file types NOT on the L1 or L2 lists

1  - ALL file types listed in this key are added to the Level 2 list.  If you add a file type to the Level1Remove key that is on the default Level 1 list, it will be demoted to Level 2 (demoted means removed from L1 and added to L2).  If you add a file type to the Level1Remove key that is not on the default Level 1 list, it will be added to the Level 2 list.

2  -  the list of Level 2 file types is simply the entries that you have manually added to the Level1Remove key - so to remove a file type from the L:evel 2 list, you simply remove it from the Level1Remove key

3  -  the Other list is all file types NOT on the L1 or L2 lists

Customizing Outlook's Handling of Attachments

Add Level 1 entries  (have Outlook block them)

*** this adds more file types to the default Level 1 list.  Normally, only an administrator would want to do this

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following key in the registry:

    Outlook 2000:  HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security
    Outlook 2002:  HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
    Outlook 2003:  HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

    On the Edit menu, point to New, and then click String Value.

  3. Type Level1Add, and then press ENTER.
  4. On the Edit menu, click Modify.
  5. Type the extension of the file type that you want to block.
      for example:   .doc
    NOTE: 
    to specify multiple file types, use the following format exactly:   .doc;.xls; etc    
    Make sure all entries to the Level1Add key are not already on the Microsoft assigned Level 1 File extensions (see list below) !! 

 

Remove Level 1 Entries (stop Outlook from blocking those Attachments)

Caution:  unblocking attachments is fine, so long as you know which ones you can safely open.  Otherwise, leave them blocked !!

Demotion - if you remove a file type from the Level 1 list (by adding it to the Level1Remove key) it is demoted (security level changed from L1 to L2 - so it is added to the Level 2 list). 

Accidentally Adding "Other" file types to the Level1Remove key -  sometimes users go into the registry and add every file type that they want to be "allowed" to the Level1Remove key.  This can cause problems !!  Make sure that you only add those extensions which are on the default Level 1 list !!  Otherwise they will automatically become Level 2, and will be restricted.  To make sure this does not happen to you - check the list of Level 1 file types below, before you edit the Level1Remove key.  

Example - this happened to me actually.  I added several file types to the Level1Remove key to make sure that they were not blocked.  I added three types:  .exe, .com., and .doc  -  However,  .doc was not on either the default Level 1 or the Level 2 lists to begin with !!  So by adding it to the Level1Remove key - I inadvertently added it to the Level 2 list !!!  At that point, all received emails with .doc attachments started requiring me to "Save to Disk" before opening the file - which is a hassle, especially if you receive numerous Word documents.  To fix the problem that I gave myself - I removed the .doc entry from the Level1Remove key.  This sent it back to "Other" status, and all was well.

The Level 1 Removal Process

First you must check your registry to see if it contains the Outlook "security" key.  Quit Outlook 2000 if it is running - then click Start/Run . .  type in:  regedit  and then click OK.  Now see if the following key exists:

If the key exists - skip to step 6.  If the key path does not exist, execute all steps, starting at step 1:

  1. locate and then select the following registry key:  HKEY_CURRENT_USER\Software\Microsoft

  2. Click the Edit menu, click New, and then click Key.  Type Office, and then press the ENTER key.

  3. Click the Edit menu, click New, and then click Key.  Type 9.0, 10.0, or 11.0 (depending on your version of Outlook - see above) and then press the ENTER key.

  4. Click the Edit menu, click New, and then click Key.  Type Outlook, and then press the ENTER key.

  5. Click the Edit menu, click New, and then click Key.  Type Security, and then press the ENTER key.

  6. Make sure the "Security" folder is selected - then Click the Edit menu, click New, and then click String Value.

  7. Type the following name for the new value:  Level1Remove <Enter>

  8. Right-click on the new string value name (Level1Remove), and then click left-click on "Modify".

  9. Type the extension of the file type that you want to allow access to.
      for example:   .exe
    NOTE: 
    to specify multiple file types, use the following format exactly:   .exe;.com; etc    
    Make sure all entries to the Level1Remove key are Microsoft assigned Level 1 File extensions (see list below) !!  Otherwise they will become Level 2 file types.

  10. When you are finished, click OK, exit the Registry Editor, and restart your computer.

  11. DONE !!  Now the next time you start Outlook, the attachments whose file types are now specified in the Windows Registry - are accessible and you can open them by double-clicking their icon in the email.

 

How to Open Blocked Level 1 Attachments

If you have already received a message with a Level 1 attachment that you are sure is safe, you can use Outlook Express to import the message and gain access to the attachment:
  1. In Outlook, click New Folder on the File menu.
  2. Type a name for the folder, such as attach, and then click OK to create the folder.
  3. Move the message with the Level 1 attachment to the folder that you just created.
  4. Start Outlook Express. If necessary, close the setup dialog boxes because you do not need to create a mail account in Outlook Express to use the import feature.
  5. In Outlook Express, point to Import on the File menu, and then click Messages.
  6. Click Microsoft Outlook in the Select an e-mail program to import from box, and then click Next.
  7. In the Select Folders dialog box, click Selected folders, and then click the folder that you created in step 1.
  8. Click Finish to import the message.
You now have a folder in Outlook Express with the name that you chose for the folder in step 2, and the message with the attachment that you want to open is inside that folder. You can open the message and use the Outlook Express attachment commands to access the attachment:
  1. Open the message in Outlook Express.
  2. On the File menu, click Save Attachments.
  3. Click the attachments that you want to save in the Attachments To Be Saved box, and then click Browse.
  4. In the Browse for Folder dialog box, click the folder in which you want to save the attachments, and then click OK.

How to send Level 1 Attachments

To access Level 1 attachments, the sender and receiver must work together to perform either of the following procedures:

Add/Remove Level 2 file types

There are no Level 2 file types by default, but the list of Level 2 file types is in the Level1Remove key.  

  1. the extension was on the default Level 1 list but was demoted by you to Level 2 - you can remove it from the Level 2 list by removing the extension from the Level1Remove key.  BUT realize that it will then be blocked completely because it will revert to Level 1 !!!
  2. the extension is NOT on the default Level 1 list but was added by you to the Level 2 list - you can remove it from the Level 2 list by removing the extension from the Level1Remove key.  The file type will then revert to "Other" and will be completely allowed 

NOTE - If you are an Exchange Administrator, you can add or remove attachment types from the list of Level 2 file types through the Outlook Security Settings tab of the Outlook Security form. 


The Default Level 1 Attachment File-Types List

*** when an email is received with a Level 1 file attached - the attachment is there, but invisible to Outlook

 Extension      Description

.ade   

Microsoft Access project extension 

.adp   

Microsoft Access project 

.app   

Microsoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3) 

.asx   

Windows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x) 

.bas   

Visual Basic class module 

.bat   

Batch file 

.cer   

(blocked only in Outlook 2003 and later) 

.chm   

Compiled HTML Help file 

.cmd   

Windows NT Command script 

.com   

MS-DOS program 

.cpl   

Control Panel extension 

.crt   

Security certificate 

.csh   

KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later) 

.exe   

Program 

.fxp   

Microsoft Visual FoxPro compiled program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later) 

.hlp   

Help file 

.hta   

HTML program 

.inf   

Setup Information 

.ins   

Internet Naming Service 

.isp   

Internet Communication settings 

.js   

JScript Script file 

.jse   

Jscript Encoded Script file 

.ksh   

KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later) 

.lnk   

Shortcut 

.mda   

Microsoft Access add-in program (blocked only in Outlook 2002 and a patched version of Outlook 2000) 

.mdb   

Microsoft Access program 

.mdt   

Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later) 

.mdw   

Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later) 

.mde   

Microsoft Access MDE database 

.mdz   

Microsoft Access wizard program (blocked only in Outlook 2002 and a patched version of Outlook 2000) 

.msc   

Microsoft Common Console document 

.msi   

Windows Installer package 

.msp   

Windows Installer patch 

.mst   

Visual Test source files 

.ops   

Office XP settings (blocked only in Outlook 2002 SP-1 and and Outlook 2000 SP-3 later) 

.pcd   

Photo CD image 

.pif   

Shortcut to MS-DOS program 

.prf   

Microsoft Outlook profile settings (blocked only in Outlook 2002) 

.prg   

Microsoft Visual FoxPro program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3) 

.pst   

Microsoft Outlook Personal Folders file (blocked only in Outlook 2000 SP-3) 

.reg   

Registration entries 

.scf   

Windows Explorer command (blocked only in Outlook 2002) 

.scr   

Screen saver 

.sct   

Windows Script Component 

.shb   

Shell Scrap Object 

.shs   

Shell Scrap Object 

.url   

Internet shortcut 

.vb   

VBScript file 

.vbe   

VBScript encoded script file 

.vbs   

Visual Basic Script file 

.wsc   

Windows Script Component 

.wsf   

Windows Script file 

.wsh   

Windows Script Host Settings file