[unisog] New virus - not caught by central servers (fwd)

Brian Reilly reillyb at georgetown.edu
Wed Jul 28 15:10:40 GMT 2004

On Wed, 28 Jul 2004, Reg Quinton wrote:

> For those who subscribe we reject all the usual executable files but still
> accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well... and
> stop worrying about the AV filter on incoming mail.
> Some people claim that if you block zips then they can't get their work
> done. Apparently people at Columbia do get their work done.
> How has your user community accommodated your e-mail security filtering? I.e.
> when they really need to send a zip (or exe, etc.) how do they do it?

We block Microsoft "Type I" attachments and .ZIPs as well, with very good
success.  (Being able to say "Columbia does this too" was helpful.)  For
us, it was a combination of the productivity loss (for both users and
desktop support staff) and the need for a cost-effective solution that was
going to have the best results.  Paying $50,000+ for a solution that was
still going to leave us exposed to the 0-day stuff wasn't an ideal option.  
We also went by the numbers; based on our analysis prior to dropping
.ZIPs, a minimum of 86% of the .ZIPs we delivered were likely generated by
email-borne viruses.

We had had a small number of users complain about the .ZIP filtering, and
we're still working toward a solution that better meets their needs.  But
for the majority of our user base, I think it's worked well.  Currently,
to receive a .ZIP or "Type I" attachment, the sender must change the
extension prior to sending it.  We considered defanging, but chose not to
in the interest of better system performance.


Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
+1 202.687.2775
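An illustration of the file-name-based attachment rule described in this thread, added here as an example and not part of the original post or of Georgetown's actual filter; the block list is a constructed subset of the Outlook "Type I" extensions plus .zip, and the sample messages are built inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed block list: a few Outlook Level 1 ("Type I") extensions plus .zip,
# mirroring the policy described above. Adjust to your own site policy.
BLOCKED_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "zip"}


def final_extension(filename: str) -> str:
    """Lower-cased final extension of a file name, '' if there is none."""
    name = filename.strip().lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Parse an RFC 822 message and return the names of attachments whose
    final extension is on the block list. Only the file name is consulted,
    which is why a sender can get a .zip through by renaming it, exactly
    the workaround the message above describes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message carrying one attachment with the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "test"
    msg.set_content("see attached")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("report.zip", "report.zi_", "photo.jpg", "invoice.PDF.exe"):
        verdict = "REJECT" if blocked_attachments(build_sample(name)) else "accept"
        print(name, "->", verdict)
```

The check is deliberately name-only, matching the policy in the thread; a double extension such as invoice.PDF.exe is still caught because only the final suffix decides.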
