[unisog] New virus - not caught by central servers (fwd)

Todd K. Watson tkw at southwestern.edu
Tue Jul 27 03:20:55 GMT 2004

On Mon, 26 Jul 2004, Marty Hoag wrote:

> > Has anyone considered a policy such that if a virus alert is medium or 
> > higher, to shut down email flow (or, at least let it queue up at the 
> > edge) until the virus definitions for the campus' email 
> > antivirus solution has been updated?

This morning I did seriously consider letting the messages stack up on our
mail gateway until updates were released for our scanner.

>     We use McAfee software and when they rate something medium
> or higher they include an "extra.dat" (supplemental
> signatures) file immediately. 

My concern is that we've been burned the last 2 weeks by virii which have
been classified as "low risk" by the major vendors (McAfee, Symantec,
Sophos, etc).  By the time they increased the status to "medium risk" and
the new rules were released, we were already being hammered.  I think a 
more real-time release of definitions is beginning to become necessary. I 
understand the problems associated with releasing updates too often, but 
as much as we are paying for our AntiVirus licenses, I expect there to be 
a better release model than the existing one.

        Todd K. Watson
        Senior System & Network Administrator
        Southwestern University, Georgetown, TX
        tkw at southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605

More information about the unisog mailing list