should one pull the plug in worm outbreak?
r.fulton at auckland.ac.nz
Wed Dec 5 23:58:04 GMT 2001
On Wed, 05 Dec 2001 08:21:39 -0800 Greg Francis <francis at gonzaga.edu>
> We currently have around 1200 workstations on the main network so our hit
> isn't nearly as bad as what it would be for a large university.
We are going through the same process with thousands of machines; we
have been at it for months, one faculty at a time.
The problem is that Antivirus software (unless it is heuristic based)
cannot help with these fast spreading worms. We got our first
infection at least 2 hours before NAV made the updates available. Since
this one had a simple subject line we were able to block it using
Sendmail configs, but not fast enough to stop it hitting several large
internal lists :(
I'll ask another question. Should one pull the plug on your
mailservers until you can control the spread (either by ad hoc filtering
or AV products) or should one try and ride the storm?
In the past we have opted to ride the storm on the basis that without
email, fighting the problem is actually much more difficult in a
distributed environment like ours. There are contrary views being
expressed here and I would like to hear of others' experiences.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand