[unisog] New virus - not caught by central servers (fwd)

Brian Reilly reillyb at georgetown.edu
Wed Jul 28 15:10:40 GMT 2004


On Wed, 28 Jul 2004, Reg Quinton wrote:

> For those who subscribe we reject all the usual executable files but still
> accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well... and
> stop worrying about the AV filter on incoming mail.
> 
> Some people claim that if you block zips then they can't get their work
> done. Apparently people at Columbia do get their work done.
> 
> How has your user community accommodated your e-mail security filtering? I.e.
> when they really need to send a zip (or exe, etc.) how do they do it?
> 

We block Microsoft "Type I" attachments and .ZIPs as well, with very good
success.  (Being able to say "Columbia does this too" was helpful.)  For
us, it was a combination of the productivity loss (for both users and
desktop support staff) and the need for a cost-effective solution that was
going to have the best results.  Paying $50,000+ for a solution that was
still going to leave us exposed to the 0-day stuff wasn't an ideal option.  
We also went by the numbers; based on our analysis prior to dropping
.ZIPs, a minimum of 86% of the .ZIPs we delivered were likely generated by
email-borne viruses.

We had had a small number of users complain about the .ZIP filtering, and
we're still working toward a solution that better meets their needs.  But
for the majority of our user base, I think it's worked well.  Currently,
to receive a .ZIP or "Type I" attachment, the sender must change the
extension prior to sending it.  We considered defanging, but chose not to
in the interest of better system performance.

--Brian

______________________________________________
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
+1 202.687.2775
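As an added illustration, not code from the post or from Georgetown's or Columbia's mail systems, here is a small Python attachment-policy filter that models the two policies discussed in the thread: the one where "Type I" executables are rejected but .ZIPs are passed on to an AV scanner, and the one where .ZIPs are blocked outright and a sender has to rename the extension to get a file through. The Type I extension list is an illustrative subset (an assumption, not either school's actual list), the mail message is constructed inline, and the `sniff_content` option is an addition to show what changes if the filter keys on ZIP magic bytes instead of the file name alone.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative subset of the Outlook "Level 1" ("Type I") attachment
# extensions. Assumption for this example, not any site's actual list.
TYPE1_EXTENSIONS = {
    "ade", "adp", "bat", "chm", "cmd", "com", "cpl", "exe", "hta", "inf",
    "ins", "isp", "js", "jse", "lnk", "mdb", "msi", "msp", "pif", "reg",
    "scr", "sct", "shs", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}

# ZIP local-file, empty-archive and spanned-archive signatures.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def extension_of(filename):
    """Lower-cased final extension of a file name, or '' if it has none."""
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def looks_like_zip(data):
    """True when the payload starts with a ZIP signature, whatever its name."""
    return data[:4] in ZIP_MAGIC


def zip_member_names(data):
    """Member file names inside a ZIP payload, or None if it does not parse."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data, block_zips=True, sniff_content=False):
    """Return (verdict, reason) for one attachment.

    block_zips=True  -> the "block .ZIPs too" policy; a renamed ZIP passes
                        because the decision is by extension (sniff_content=False).
    block_zips=False -> the "accept ZIPs, scan them" policy; ZIPs carrying a
                        Type I member are rejected here, the rest go to AV.
    sniff_content=True additionally treats anything with ZIP magic as a ZIP.
    """
    ext = extension_of(filename)
    if ext in TYPE1_EXTENSIONS:
        return "reject", f"Type I extension .{ext}"
    is_zip = ext == "zip" or (sniff_content and looks_like_zip(data))
    if not is_zip:
        return "accept", ""
    if block_zips:
        return "reject", "ZIP attachments are not accepted"
    members = zip_member_names(data)
    if members is None:
        return "reject", "unreadable ZIP"
    bad = sorted(m for m in members if extension_of(m) in TYPE1_EXTENSIONS)
    if bad:
        return "reject", "ZIP contains " + ", ".join(bad)
    return "scan", "ZIP: hand to AV scanner before delivery"


def filter_message(raw, **policy_opts):
    """Map each attachment file name to its (verdict, reason) under a policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): classify_attachment(
            part.get_filename(), part.get_payload(decode=True) or b"", **policy_opts
        )
        for part in msg.iter_attachments()
    }


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed test message (not a real capture) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # Worm-style ZIP: an executable hidden inside an innocuous-looking archive.
    msg.add_attachment(make_zip({"document.pif": b"MZ\x90\x00"}),
                       maintype="application", subtype="zip", filename="document.zip")
    # Legitimate ZIP whose sender renamed the extension to get past the filter.
    msg.add_attachment(make_zip({"report.txt": b"hello"}),
                       maintype="application", subtype="octet-stream", filename="report.zi_")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, why) in filter_message(build_sample_message()).items():
        print(f"{name:14} {verdict:7} {why}")
```

Under the default (block all ZIPs, decide by extension) the renamed `report.zi_` is accepted, which is exactly the workaround the post describes; turning on `sniff_content` closes that path, so a site that relies on renaming as the escape hatch should not sniff. Under the accept-and-scan policy the filter still rejects a ZIP whose members are Type I files before AV ever sees it, which catches the bulk of mass-mailer archives without depending on a signature existing yet.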