should one pull the plug in worm outbreak?

Russell Fulton r.fulton at
Wed Dec 5 23:58:04 GMT 2001

On Wed, 05 Dec 2001 08:21:39 -0800 Greg Francis <francis at> 

> We currently have around 1200 workstations on the main network so our hit
> isn't nearly as bad as what it would be for a large university.

We are going throught the same process with thousands of machines,  we 
have been at it for months, one faculty at a time.

The problem is that Antivirus software (unless it is heuristic based) 
can not help with these fast spreading worms.  We go our first 
infection at least 2 hours before NAV made the updates available. Since 
this one had a simple subject line we were able to block it using 
Sendmail configs, but not fast enough to stop it hitting several large 
internal lists :(

I'll ask another question.  Should one pull the plug on the your 
mailservers until you can control the spread (either by adhoc filtering 
or AV products) or should one try and ride the storm?

In the past we have opted to ride the storm on the basis that without 
emial fighting the problem is actually much more difficult in a 
distributed enviroment like ours.  There are contrary views being 
expressed here and I would like to hear of others experiences.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the unisog mailing list