
GovCERT-CH Blocked Filetypes: TLCTC Analysis & Restructured List

A strategic analysis of the GovCERT-CH blocked file extensions list through the lens of the TLCTC framework's three-tier model.

Bernhard Kreinz
Executive Summary

This document analyzes the GovCERT-CH blocked file extensions list through the lens of the TLCTC framework's three-tier model. The original list conflates fundamentally different threat mechanisms—a problem that leads to false confidence and misallocated control strategies.

Key Finding

The GovCERT-CH list mixes:

  • Tier 1 (pure #7): Native executables that ARE the threat
  • Tier 2 (#1→#7): Application-mediated formats that ENABLE the threat
  • Tier 3 (#2/#3→#7): Data formats that require parser BUGS to become threats

This conflation matters because each tier requires different control strategies.

The GovCERT-CH Original Categories

The original list uses these categories:

  • Archive files
  • Code files
  • Executables
  • Media files
  • Microsoft Office / OpenDocument
  • Other

TLCTC Critique: These categories are based on format function rather than threat mechanism. A more principled approach classifies by how the format achieves execution—which directly determines the appropriate control strategy.

TLCTC Three-Tier Restructured List

TIER 1: Native/Direct FEC (pure #7)

Threat Mechanism: The OS loader or runtime directly executes the file. The file IS the Foreign Executable Content. No intermediate application processing required.
Control Strategy: Block execution (application allowlisting, SmartScreen, email gateway blocking). The control question is: "Should this code be allowed to run?"
Attack Velocity: Fastest—execution occurs immediately upon invocation.

Windows PE Executables

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .exe | Windows executable | | Core FEC—must block |
| .dll | Dynamic link library | | Can be loaded/executed via rundll32, regsvr32 |
| .com | DOS command file | | Legacy but still functional |
| .scr | Screensaver (executable) | | Actually a .exe with different extension |
| .sys | System driver | ✓ (implicit) | Kernel-level execution—MISSING from list |
| .ocx | OLE Control Extension | | ActiveX controls—executable COM objects |
| .cpl | Control Panel extension | ✓ (via other lists) | Executable DLL—MISSING from GovCERT |
| .drv | Device driver | | MISSING—add to blocklist |
| .efi | EFI bootloader | | MISSING—firmware-level execution |

Windows Script Files (Direct Interpreter Execution)

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .bat | Batch file | | cmd.exe executes directly |
| .cmd | Windows NT batch | | cmd.exe executes directly |
| .ps1 | PowerShell script | | PowerShell engine executes |
| .ps1xml | PowerShell XML script | | PowerShell format/type data |
| .ps2 | PowerShell v2 script | | Legacy PowerShell |
| .ps2xml | PowerShell v2 XML | | Legacy format |
| .psc1 | PowerShell console file | | Configures and launches PowerShell |
| .psc2 | PowerShell v2 console | | Legacy console file |
| .vbs | VBScript | | wscript.exe/cscript.exe executes |
| .vbe | Encoded VBScript | | Obfuscated VBS—same execution path |
| .js | JavaScript (Windows) | | JScript via wscript.exe |
| .jse | Encoded JScript | | Obfuscated JS—same execution path |
| .ws | Windows Script | | Windows Script Host file |
| .wsc | Windows Script Component | | COM scriptlet |
| .wsf | Windows Script File | | Multi-language script container |
| .wsh | Windows Script Host settings | | Configures script execution |
| .msc | Microsoft Management Console | ✓ (via other) | MISSING from GovCERT |
| .sct | Windows Scriptlet | ✓ (via other) | MISSING from GovCERT—COM scriptlet |
| .psd1 | PowerShell data file | | MISSING—module manifest |
| .psm1 | PowerShell module | | MISSING—importable module |

Unix/Cross-Platform Scripts

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .sh | Shell script | | bash/sh executes directly |
| .bash | Bash script | ✓ (implicit) | Shell execution |
| .csh | C Shell script | | csh interpreter |
| .ksh | Korn Shell script | | ksh interpreter |
| .pl | Perl script | | Perl interpreter |
| .py | Python script | | MISSING—critical omission |
| .pyc | Compiled Python | | MISSING—bytecode execution |
| .pyw | Python (no console) | | MISSING—windowless Python |
| .rb | Ruby script | | MISSING—Ruby interpreter |
| .lua | Lua script | | MISSING—embedded scripting |

Java/JVM & Windows Installer/Package

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .jar | Java Archive | | JVM executes bytecode |
| .class | Java class file | | Compiled Java bytecode |
| .jnlp | Java Web Start | | Launches Java applications |
| .war | Web application archive | | MISSING—server deployment |
| .ear | Enterprise archive | | MISSING—J2EE deployment |
| .msi | Windows Installer | | msiexec.exe processes—executes |
| .msp | Windows Installer Patch | | Patch package with execution |
| .mst | MSI Transform | | Modifies MSI behavior |
| .msix | Modern Windows package | | MISSING—modern installer |
| .appx | Windows Store package | | MISSING—UWP apps |
| .appxbundle | App bundle | | MISSING—multi-arch package |

Shortcut/Reference Files (Execution Indirection)

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .lnk | Windows shortcut | | Critical—can execute anything |
| .url | Internet shortcut | | Can trigger protocol handlers |
| .pif | Program Information File | | DOS shortcut—legacy but dangerous |
| .scf | Shell Command File | ✓ (via other) | MISSING—Explorer command file |
| .inf | Setup Information | ✓ (via other) | MISSING—can execute via right-click |
| .application | ClickOnce manifest | | MISSING—.NET deployment |
| .appref-ms | ClickOnce reference | | MISSING—app reference |
| .settingcontent-ms | Settings shortcut | | MISSING—CVE-2018-8414 vector |

Platform-Specific Executables

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .app | macOS application bundle | | macOS executable package |
| .dmg | macOS disk image | | Contains mountable filesystem |
| .pkg | macOS installer | | MISSING—macOS installer |
| .deb | Debian package | | Linux package with scripts |
| .rpm | Red Hat package | | Linux package with scripts |
| .snap | Snap package | | MISSING—Linux snap |
| .flatpak | Flatpak package | | MISSING—Linux flatpak |
| .apk | Android package | | MISSING—mobile execution |
| .ipa | iOS application | | MISSING—iOS package |

TIER 2: Application-Mediated FEC (#1 → #7)

Threat Mechanism: An application processes the file through its designed functionality (#1 Abuse of Functions), which then enables embedded code execution (#7). The file ENABLES execution through a legitimate feature.
Control Strategy: Disable the enabling feature (macros, scripting, active content). Multiple intervention points exist in the chain. The control question is: "Should this feature be enabled for this content?"
Attack Velocity: Intermediate—the application must first process the file and then execute the embedded content.

Microsoft Office (Macro-Enabled) & Legacy Formats

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .docm | Word macro-enabled | | VBA execution via macro engine |
| .xlsm | Excel macro-enabled | | VBA + Excel-specific threats (XLM) |
| .pptm | PowerPoint macro-enabled | | VBA execution |
| .potm | PowerPoint macro template | | Template with macros |
| .dotm | Word macro template | | Template with macros |
| .xltm | Excel macro template | | Template with macros |
| .xlsb | Excel binary workbook | | MISSING—binary format can contain macros |
| .xlam | Excel add-in | | MISSING—auto-loading macro add-in |
| .ppam | PowerPoint add-in | | MISSING—auto-loading add-in |
| .sldm | PowerPoint macro slide | | MISSING—single slide with macros |
| .xla | Excel 97-2003 add-in | | MISSING—legacy add-in |
| .xll | Excel DLL add-in | | CRITICAL MISSING—native code add-in |
| .doc | Word 97-2003 | Partial | Can contain macros—often allowed |
| .xls | Excel 97-2003 | Partial | Can contain macros + XLM |
| .ppt | PowerPoint 97-2003 | Partial | Can contain macros |
| .rtf | Rich Text Format | | CAUTION—OLE embedding, CVE-2017-0199 |
| .slk | Symbolic Link (Excel) | | MISSING—SYLK macro execution |
| .iqy | Excel Web Query | | MISSING—can execute code |
| .prn | Excel print file | | MISSING—can be renamed SYLK |
| .dif | Data Interchange Format | | MISSING—Excel formula injection |

OpenDocument, HTML, PDF & Server-Side

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .odt | OpenDocument text | ✓ (partial) | Can contain macros |
| .ods | OpenDocument spreadsheet | ✓ (partial) | Can contain macros |
| .odp | OpenDocument presentation | ✓ (partial) | Can contain macros |
| .ott/.ots/.otp | OpenDocument templates | | MISSING—template with macros |
| .hta | HTML Application | | mshta.exe processes—full system access |
| .mht/.mhtml | MIME HTML | | Single-file web archive with scripts |
| .htm/.html | HTML files | | CONTEXT-DEPENDENT—local HTML can execute JS |
| .chm | Compiled HTML Help | ✓ (via other) | MISSING from GovCERT—embedded scripts |
| .svg | Scalable Vector Graphics | | MISSING—can contain JavaScript |
| .pdf | PDF with JS | Partial | Reader processes (#1) → JS executes (#7) |
| .fdf/.xfdf | Forms Data Format | | MISSING—can trigger PDF actions |
| .xdp | XML Data Package | | Adobe form container |
| .asp/.aspx | Active Server Pages | Partial | IIS processes—server execution |
| .php/.jsp | Server scripts | | MISSING—server execution |

Database & Configuration Files with Execution

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .mdb | Access database | ✓ (via other) | MISSING—can contain VBA |
| .mde | Compiled Access | | MISSING—compiled Access with VBA |
| .accdb | Access 2007+ | | MISSING—can contain macros |
| .accde | Compiled Access 2007+ | | MISSING |
| .adp/.ade | Access project | ✓ (via other) | Access Data Project |
| .reg | Registry file | ✓ (via other) | MISSING from GovCERT—modifies system |
| .vb/.bas | VB/BASIC source | | Can be compiled/run |
| .wml | Wireless Markup | | WMLScript execution |
| .xbap | XAML Browser App | | .NET browser application |
| .gadget | Windows Gadget | | MISSING—HTML/JS execution |
| .diagcab | Diagnostic Cabinet | | MISSING—can execute scripts |

TIER 3: Data Formats Requiring Parser Exploits (#2/#3 → #7)

Threat Mechanism: No designed execution capability. Code execution requires exploiting an implementation flaw (buffer overflow, heap corruption, integer overflow, etc.) in the parser, codec, or renderer.
Control Strategy: Patch parsers, sandbox processing, use memory-safe implementations. The control question is: "Is my parser implementation safe?" Blocking is defense-in-depth but does NOT address the root vulnerability.
CRITICAL INSIGHT: For Tier 3, an exhaustive blocklist is impossible. ANY file format with a parser is a potential attack surface. The GovCERT list's inclusion of these formats creates false confidence if blocking is seen as the primary control.

Image, Video, Audio & Documents

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .jpg/.jpeg | JPEG image | | Parser exploits (CVE-2004-0200) |
| .png | PNG image | Partial | libpng vulnerabilities |
| .gif/.bmp | GIF/Bitmap | | Parser exploits |
| .webp | WebP image | | CVE-2023-4863—critical parser bug |
| .tiff | TIFF image | | Complex format—many parser bugs |
| .svg | SVG | | DUAL: can contain JS (Tier 2) + parser bugs |
| .emf/.wmf | Metafiles | | MISSING—historic exploit vector |
| .heic/.avif | HEIC/AVIF | | Modern formats—parser bugs exist |
| .mp4/.avi | Video | | Codec exploits |
| .mkv/.webm | Video | | Container/Codec exploits |
| .docx/.xlsx | Office (Non-Macro) | | Parser bugs (ZIP, XML, OLE) |
| .pdf | PDF (no JS) | Partial | Parser exploits without JS |

Fonts, Archives & Serialization

| Extension | Description | GovCERT | Comment |
|---|---|---|---|
| .ttf/.otf | Fonts | | MISSING—font rasterizer exploits |
| .woff | Web fonts | | MISSING—browser font parsing |
| .zip/.rar/.7z | Archives | | Parser exploits + can contain FEC |
| .tar/.gz | Unix Archives | | Parser/Decompression bugs |
| .xz | XZ compressed | | Also backdoor vector (XZ Utils) |
| .iso/.img/.vhd | Disk Images | | Filesystem parser bugs |
| .zst/.lz4 | Modern Compression | | MISSING—modern compression |
| .json | JSON data | | Parser bugs + deserialization |
| .yaml/.yml | YAML data | | DANGEROUS—deserialization exploits |
| .pickle/.pkl | Python pickle | | CRITICAL—arbitrary code execution |

Missing File Types Summary

Critical Additions for Tier 1 (Must Block)

  • PowerShell modules: .psd1, .psm1
  • Python (increasingly common): .py, .pyc, .pyw, .pyz, .pyzw
  • Modern Windows/Deployment: .msix, .appx, .appxbundle, .application, .appref-ms, .settingcontent-ms
  • System & Script: .sys, .drv, .cpl, .efi, .msc, .sct, .scf, .inf
  • Mobile: .apk, .ipa

Critical Additions for Tier 2 (Should Block/Disable Feature)

  • Excel specifics: .xlsb, .xlam, .xla, .xll, .slk, .iqy, .dif
  • Access databases: .accdb, .accde, .mdb, .mde
  • Execution capable: .chm, .svg, .reg, .gadget, .diagcab
  • Server-side: .aspx, .asmx, .php, .jsp

Tier 3 Additions (Parser Vulnerability Surface)

  • Fonts: .ttf, .otf, .woff, .woff2, .eot
  • Modern Images: .webp, .heic, .heif, .avif
  • Legacy Vectors: .emf, .wmf
  • Serialization/Compression: .yaml, .yml, .pickle, .pkl, .zst, .lz4

The Fundamental Problem with the GovCERT Approach

The GovCERT-CH list, while operationally useful, exhibits several conceptual problems when analyzed through TLCTC:

  1. Conflation of Threat Mechanisms: Grouping by format category (archives, media) ignores that Tier 1 formats are dangerous BY DESIGN, Tier 2 are dangerous BY FEATURE, and Tier 3 are dangerous BY BUG.
  2. False Confidence Through Tier 3 Blocking: Blocking .jpg at the email gateway creates false confidence. Users still encounter images on websites, USB drives, etc. The real control is patching parsers (libjpeg, libpng).
  3. Incomplete Tier 1 Coverage: Missing critical FEC-capable formats like the Python ecosystem and modern Windows packages leaves gaping holes.
  4. No Contextual Differentiation: The list cannot express that .exe in a CI/CD pipeline is expected, while .exe in email is suspicious. TLCTC's boundary notation (||[context][@Source→@Target]||) enables this differentiation.

Recommended Control Strategy by Tier

For Tier 1 (Native FEC)

  • Block at email gateway — Essential
  • Application allowlisting — Prevents execution
  • SmartScreen/reputation — Warns on unknown
  • Code signing — Validates publisher

For Tier 2 (App-Mediated)

  • Disable macros by default — Breaks #1→#7
  • Protected View — Sandboxes before enabling
  • Block external macro formats
  • ASR rules — Blocks child processes

For Tier 3 (Parser Exploits)

  • Patch management — Primary control
  • Memory-safe languages — Long-term solution
  • Sandboxing — Contains exploitation
  • Extension blocking — Defense-in-depth only
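The three-tier control strategy as an attachment check, added here as an example (not part of the original post, the TLCTC whitepaper or GovCERT-CH's tooling): it classifies by the operative extension, handles the trailing-dot and double-extension cases that fool naive matching, looks inside ZIP archives because an archive is Tier 3 by itself but can carry Tier 1 content, and applies the boundary context from problem 4 above. The tier mapping is a constructed subset of the tables above, and the boundary labels `email` and `ci_pipeline` are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Subset of the restructured list above, constructed for this example; extend with the full tables.
TIER = {
    1: {".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js", ".lnk", ".msi", ".py", ".sct"},
    2: {".docm", ".xlsm", ".xlsb", ".xll", ".hta", ".chm", ".svg", ".slk", ".reg"},
    3: {".jpg", ".png", ".webp", ".pdf", ".docx", ".xlsx", ".zip", ".ttf", ".yaml", ".pkl"},
}
CONTROL = {
    1: "native FEC; control = execution blocking / application allowlisting",
    2: "feature-enabled FEC; control = disable macros and active content, Protected View",
    3: "parser surface only; control = patching and sandboxing, blocking is defence-in-depth",
    0: "no known execution path for this extension",
}

def classify(name: str) -> int:
    """Tier by the last extension; trailing dots/spaces dropped as Windows does ('evil.exe.' is Tier 1)."""
    suffixes = PurePosixPath(name.strip().rstrip(". ")).suffixes
    ext = suffixes[-1].lower() if suffixes else ""
    return next((t for t, exts in TIER.items() if ext in exts), 0)

def assess(name: str, data: bytes = b"", depth: int = 0) -> int:
    """Worst tier present (1 outranks 2 outranks 3; 0 = none); a ZIP takes the tier of its contents."""
    tiers, blob = [classify(name)], io.BytesIO(data)
    if depth < 2 and zipfile.is_zipfile(blob):  # archives are Tier 3 themselves but may carry Tier 1
        with zipfile.ZipFile(blob) as zf:
            for m in zf.infolist():
                nested = m.filename.lower().endswith(".zip") and m.file_size < 1_000_000
                tiers.append(assess(m.filename, zf.read(m) if nested else b"", depth + 1))
    return min((t for t in tiers if t), default=0)

def decide(name: str, data: bytes = b"", boundary: str = "email") -> str:
    """Boundary context (||[context][@Source->@Target]||): Tier 1/2 blocked at email, expected in a build."""
    tier = assess(name, data)
    verdict = "BLOCK" if boundary == "email" and tier in (1, 2) else "ALLOW"
    return f"{verdict} tier {tier}: {CONTROL[tier]}"

def sample_zip() -> bytes:
    """Constructed sample: a double-extension executable beside a harmless document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"PK placeholder")
        zf.writestr("invoice.pdf.exe", b"MZ placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(decide("invoices.zip", sample_zip()), decide("build.exe", boundary="ci_pipeline"), sep="\n")
```

A Tier 3 verdict deliberately allows the file and names patching as the control, which is the point of the tier model: the gateway decision and the parser-hardening decision are different questions.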

Conclusion

The GovCERT-CH list is a valuable operational resource, but its effectiveness is limited by conceptual conflation. Organizations should:

  • Classify their blocklist by TLCTC tier to understand why each format is blocked.
  • Ensure complete Tier 1 coverage — these are the formats that matter most.
  • Implement Tier 2 feature controls — blocking alone is insufficient.
  • Recognize Tier 3 limitations — blocking is defense-in-depth, not the primary control.

The file extension is just a hint—the threat model is what matters.

References

  1. TLCTC V2.0 Whitepaper
  2. GovCERT-CH Blocked Filetypes: GitHub
  3. "The File Type Fallacy" — TLCTC Blog, January 2026
  4. Microsoft Common Attachment Filter
  5. Chrome Safe Browsing File Type Policies
  6. badfiles.ch aggregated data