[unisog] New virus - not caught by central servers (fwd)

Joseph Brennan brennan at columbia.edu
Wed Jul 28 14:41:48 GMT 2004

> For those who subscribe we reject all the usual executable files but still
> accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well... and
> stop worrying about the AV filter on incoming mail.
> Some people claim that if you block zips then they can't get their work
> done. Apparently people at Columbia do get their work done.
> How has your user community accommodated your e-mail security filtering?
> I.e. when they really need to send a zip (or exe, etc.) how do they do it?

It's been accepted amazingly well.  The zip blockade was done as a
desperate temporary measure last year but there has been no pressure
to change it.  I was surprised.

My feeling was and is that we should do what you said, accept zip
files and route them, only, through a virus checker.  I think I'd
want to make that a separate host so as to isolate delays when a
new virus starts bombarding us with zip files.  That host would be
rather visibly the cost of handling zip files.  It still might happen.
We'd probably put a warning in the message even if it passes the
zip check.

We allow people to rename files to end .doc and send them.  Any
executable will pass that way.  That is the hole we chose to open.
Some virus will attempt the same sooner or later: save this file,
rename it, and then click to run it.  I would like to write off
some of the social engineering as the recipient's fault but their
infected PCs affect our network so we will have to take action if
and when this happens.  There is no end to it.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
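
The rename-to-.doc hole described in the message above, seen from the filter's side. This is an added example, not part of the original post or of Columbia's mail system: it classifies attachments by their leading bytes instead of the file name. The blocked-type policy, the function names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Leading bytes ("magic numbers") for the file types discussed in the thread.
MAGIC = {
    b"MZ": "exe",                                  # DOS/Windows executable
    b"PK\x03\x04": "zip",                          # zip archive
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy Word .doc container
}
BLOCKED = {"exe", "zip"}  # assumed policy, mirroring the extension blockade


def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachments(msg: EmailMessage):
    """Return (filename, sniffed type, verdict) for every attachment."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = sniff(part.get_payload(decode=True) or b"")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind not in BLOCKED:
            verdict = "accept"
        elif ext == kind:
            verdict = "reject"
        else:
            verdict = "reject: " + kind + " renamed to ." + ext
        results.append((name, kind, verdict))
    return results


def build_sample() -> EmailMessage:
    """Constructed test message: only the leading bytes are realistic."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, head in [("report.doc", b"MZ\x90\x00"),
                       ("notes.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
                       ("data.zip", b"PK\x03\x04")]:
        msg.add_attachment(head + b"\x00" * 32, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for row in check_attachments(build_sample()):
        print(row)
```

Types the table does not recognise are accepted here; a production filter would still pass them to the virus scanner.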
