[unisog] New virus - not caught by central servers (fwd)
stevev at darkwing.uoregon.edu
Tue Jul 27 16:05:05 GMT 2004
Frank Bulk writes:
> Has anyone considered a policy such that if a virus alert is medium or
> higher, to shut down email flow (or, at least let it queue up at the
> edge) until the virus definitions for the campus' email antivirus
> solution has been updated?
Everyone suffers enough for the Windows users who create the worm
problem, by having to process worm emails, backscatter from failed worm
deliveries and badly implemented antivirus products that send
notifications back to forged senders, and the other ever-increasing
wastes of Internet resources caused by Windows security stupidity.
And you're suggesting that people adopt a policy that users of
everything other than Windows should give up _our_ email connectivity
because the Windows lusers are suffering through another worm infection?
No thank you.
Rather than use what I think is the highly misguided approach of using
reactive virus filtering, we aggressively filter all the various Windows
attachment types that propagate worms, which provides a substantial
level of proactive defense. Some of the worst offenders that have
virtually no legitimate purposes (.scr, .pif) get stripped entirely from
incoming messages, and many other types that are legitimately used but
capable of progagating worms (.zips being the most common example) are
delivered with modified attachment names so Outlook can't
oh-so-helpfully open them automatically, but it's easy enough for users
to recover the data if it's not a worm payload.
We're using the Procmail Email Sanitizer
(http://www.impsec.org/email-tools/procmail-security.html) for this on
our UNIX hosts; it's highly configurable and easily customizable.
However, unlike a virus-scanner, the interval between configuration
tweaks is often months instead of days since it eliminates whole classes
of potential worm threats rather than just the ones whose signatures are
More information about the unisog