[unisog] New virus - not caught by central servers (fwd)

PaulFM paulfm at me.umn.edu
Tue Jul 27 13:40:42 GMT 2004

Virus definitions will ALWAYS be behind by at least a day.

Stopping viruses with virus definitions is like stopping the common cold 
(hundreds of different virii) with vaccines targeted at each known virus 
which causes colds.  There will always be new ones you have to vaccinate against.

The load on mail servers will increase with each new virus as there are more 
signatures to look for (that's why viruses that don't seem to be in 
circulation anymore are removed from the signature files).

Virus scanning is a helpful ADDITION to preventing viruses but should NOT be 
depended on as your primary method of stopping them.  You should also block 
certain types of attachments and not let your users run as administrators when 
they read mail and browse the Internet.  And secure your Windows machines so 
they can contain a virus infection to only the user who gets it.

I have noticed a few incidents in the last 2 years of our locked down Windows 
machines actually resisting permanent infection by a virus.  In one, the virus 
was running on the machine and was gone when the user logged out (it was one 
of those zip files with the password - the user actually downloaded, expanded 
and ran the virus).  The others were all infected web pages that changed the 
user's default page in Internet Explorer - they logged out and logged in and 
it was fixed (we discourage IE in favor of Mozilla and I force a bunch of 
settings on IE - including home page - each time a user logs in).  In the 
worst case I have had to delete the ntuser.dat file for the user (not to stop 
the virus, but to make everything work again).

Todd K. Watson wrote:

> On Mon, 26 Jul 2004, Marty Hoag wrote:
>>>Has anyone considered a policy such that if a virus alert is medium or 
>>>higher, to shut down email flow (or, at least let it queue up at the 
>>>edge) until the virus definitions for the campus' email 
>>>antivirus solution have been updated?
> This morning I did seriously consider letting the messages stack up on our
> mail gateway until updates were released for our scanner.
>>    We use McAfee software and when they rate something medium
>>or higher they include an "extra.dat" (supplemental
>>signatures) file immediately. 
> My concern is that we've been burned the last 2 weeks by virii which have
> been classified as "low risk" by the major vendors (McAfee, Symantec,
> Sophos, etc).  By the time they increased the status to "medium risk" and
> the new rules were released, we were already being hammered.  I think a 
> more real-time release of definitions is beginning to become necessary. I 
> understand the problems associated with releasing updates too often, but 
> as much as we are paying for our AntiVirus licenses, I expect there to be 
> a better release model than the existing one.
> Todd
> --
>         Todd K. Watson
>         Senior System & Network Administrator
>         Southwestern University, Georgetown, TX
>         tkw at southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort               Email: paulfm at me.umn.edu
- SysAdmin -                   (Information Technology Professional)
MEnet, Rm# 152
Mechanical Engineering         Web: http://www.menet.umn.edu/~paulfm
University of Minnesota
111 Church Street
Minneapolis, MN 55455-0150
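The attachment blocking and the password-protected zip incident discussed above, as an added example that is not part of this thread or of any product mentioned in it: a small gateway-side check that holds a message when an attachment has a denied extension, or when a zip's entries carry the encryption flag (a scanner cannot inspect those, so the signature-based defense described above never gets a look at the payload). The extension deny-list and the sample message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Deny-list of attachment types (an assumption; the thread names no specific list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry sets bit 0 (encrypted) of its general-purpose flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def check_message(raw: bytes) -> list[str]:
    """Return the reasons a message would be held at the gateway ([] = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif ext == ".zip" and is_encrypted_zip(part.get_payload(decode=True)):
            reasons.append(f"password-protected zip, scanner cannot inspect: {name}")
    return reasons


def make_encrypted_zip() -> bytes:
    """Constructed zip whose single entry is flagged encrypted (stdlib cannot write one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.exe", b"placeholder, not a real executable")
    data = bytearray(buf.getvalue())
    data[6] |= 0x01                              # local file header, flag bit 0
    data[data.find(b"PK\x01\x02") + 8] |= 0x01   # central directory entry, flag bit 0
    return bytes(data)


def build_sample() -> bytes:
    # Constructed message carrying an encrypted zip and a .scr screensaver file.
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(make_encrypted_zip(), maintype="application",
                       subtype="zip", filename="document.zip")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="photo.scr")
    return msg.as_bytes()
```

Calling `check_message(build_sample())` returns two hold reasons, one per attachment; a message with no attachments or only benign types returns an empty list.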
