[unisog] New virus - not caught by central servers (fwd)

Russell Fulton r.fulton at auckland.ac.nz
Tue Jul 27 03:00:19 GMT 2004

On Tue, 2004-07-27 at 12:04, Frank Bulk wrote:
> Has anyone considered a policy such that if a virus alert is medium or
> higher, to shut down email flow (or, at least let it queue up at the
> edge) until the virus definitions for the campus' email
> antivirus solution have been updated?

We are quarantining all mail with attachments that contain files that
are potentially executable but which do not trigger alerts with current
AV defs.  These files are rescanned every hour and any that test +ve are
deleted.  After a few days the files are deleted.

Users get email telling them that the mail has been blocked and giving
them the message-id of the original message and information about the
message.  They can use this (msg_id) to get the file out of quarantine
if they are sure that it is something that they are expecting.

Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
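
The quarantine flow described in the message above, sketched as an added example (not code from the original post or from the University of Auckland's system): hold mail whose attachments look executable but pass the current scan, rescan on a schedule, and allow release by message-id. The extension list, the `scanner` callable, the class and function names, and the `blocked` outcome for mail already flagged on arrival are assumptions; age-based expiry and the notification mail are left out.

```python
import email.policy
from email.message import EmailMessage
from email.utils import make_msgid

# Assumed list; the post only says "potentially executable".
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".cpl")

def risky_parts(raw):
    """Return (message-id, [payload bytes]) for potentially executable attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before testing.
        name = (part.get_filename() or "").lower().rstrip(". ")
        if name.endswith(RISKY_EXT):
            found.append(part.get_payload(decode=True) or b"")
    return str(msg["Message-ID"] or make_msgid()).strip(), found

class Quarantine:
    def __init__(self, scanner):
        self.scanner = scanner   # callable(bytes) -> True when current defs flag it
        self.held = {}           # message-id -> raw message

    def accept(self, raw):
        """Return 'blocked', 'quarantine' or 'deliver' for one incoming message."""
        msg_id, parts = risky_parts(raw)
        if any(self.scanner(p) for p in parts):
            return "blocked"             # already detected by current defs
        if parts:
            self.held[msg_id] = raw      # recipient is then mailed this msg_id
            return "quarantine"
        return "deliver"

    def rescan(self):
        """Hourly job: delete held mail that updated defs now flag."""
        hits = [m for m, raw in self.held.items()
                if any(map(self.scanner, risky_parts(raw)[1]))]
        self.held = {m: r for m, r in self.held.items() if m not in hits}
        return hits

    def release(self, msg_id):
        """Recipient-requested release; None if unknown or already deleted."""
        return self.held.pop(msg_id, None)

def sample(msg_id, filename, payload):  # builds a constructed test message
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```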
