[unisog] New virus - not caught by central servers (fwd)

Gasper, Rick rjgasper at kings.edu
Wed Jul 28 15:40:19 GMT 2004


We quarantine all zip files.  We also use IF the person wants them they
let us know.  I know King's is a small school, but ever since we
quarantined zips we have had only one non-IT person ask for a zip. This
has been in effect for a few months. We do scan the quarantine folder and
notify someone if we see a zip file. Also, we scan all attachments before
they get opened (spam filter, email server, and desktop).


What we block: We started off with Martin Blackstone's List of dangerous
attachments:

http://tinyurl.com/5s2dx or

Same as above:
http://www.exchangefaq.org/faq/Exchange-5.5/Martin-Blackstone's-List-of-Danger/sectionID/1028


It has worked well.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
rjgasper at kings.edu
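Both posts in this thread describe the same two controls: block a list of dangerous attachment extensions, and quarantine (or reject) ZIP archives outright. The script below is an added example, not code from Rick's or Brian's sites or from the unisog list; it shows how such a filter can be written so that the decision does not rest on the file name alone. It uses only the Python 3 standard library. The short BLOCKED_EXTENSIONS set is a constructed stand-in for Martin Blackstone's list (not reproduced here), and the sample message with its three attachments is constructed for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a "dangerous attachments" list; this is NOT
# Martin Blackstone's list, only a few entries to exercise the checks.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com",
                      ".vbs", ".js", ".zip"}

# ZIP signatures: local file header, empty archive (end of central
# directory only) and spanned-archive marker.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def zip_members(payload):
    """Return member names of a ZIP payload, or None if it is not readable.
    Only the central directory is parsed; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, payload):
    """Return ('quarantine' | 'deliver', [reasons]) for one attachment.

    Two independent checks: the declared extension against the blocklist,
    and the leading bytes of the content, so a ZIP renamed to .jpg or .zi_
    is still treated as a ZIP and its member names are inspected too.
    """
    reasons = []
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("extension %s is on the blocklist" % ext)
    if payload[:4] in ZIP_MAGIC:
        if ext != ".zip":
            reasons.append("content is a ZIP archive despite extension %r" % ext)
        members = zip_members(payload)
        if members is None:
            reasons.append("ZIP signature present but archive unreadable")
        else:
            bad = [m for m in members
                   if os.path.splitext(m.lower())[1] in BLOCKED_EXTENSIONS]
            if bad:
                reasons.append("archive contains blocked members: %s"
                               % ", ".join(bad))
    verdict = "quarantine" if reasons else "deliver"
    return verdict, reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and classify each attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict, reasons = classify_attachment(part.get_filename(), payload)
        results.append((part.get_filename(), verdict, reasons))
    return results


def make_zip(files):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_message():
    """Constructed message: a PDF, a harmless ZIP, and a ZIP that carries an
    executable but is named like an image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "attachments"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(make_zip({"readme.txt": b"hello"}),
                       maintype="application", subtype="zip",
                       filename="notes.zip")
    msg.add_attachment(make_zip({"photo.jpg.exe": b"MZ"}),
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reasons in scan_message(sample_message()):
        print(name, verdict, "; ".join(reasons))
```

Run stand-alone it delivers report.pdf and quarantines the other two. The content check is the point worth noting against the "sender renames the extension" workaround described later in the thread: that workaround only works because the filter it bypasses is extension-based, and a filter that sniffs the PK signature will hold the renamed file as well, so a site choosing content inspection needs a different release path (such as the quarantine folder Rick describes).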



-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Brian Reilly
Sent: Wednesday, July 28, 2004 11:11 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New virus - not caught by central servers (fwd)


On Wed, 28 Jul 2004, Reg Quinton wrote:

> For those who subscribe we reject all the usual executable files but
> still accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well and
> stop worrying about the AV filter on incoming mail.
> 
> Some people claim that if you block zips then they can't get their work
> done. Apparently people at Columbia do get their work done.
> 
> How has your user community accommodated your e-mail security filtering?
> I.e. when they really need to send a zip (or exe, etc.) how do they do it?
> 

We block Microsoft "Type I" attachments and .ZIPs as well, with very good
success.  (Being able to say "Columbia does this too" was helpful.)  For
us, it was a combination of the productivity loss (for both users and
desktop support staff) and the need for a cost-effective solution that was
going to have the best results.  Paying $50,000+ for a solution that was
still going to leave us exposed to the 0-day stuff wasn't an ideal option.
We also went by the numbers; based on our analysis prior to dropping
.ZIPs, a minimum of 86% of the .ZIPs we delivered were likely generated by
email-borne viruses.

We had had a small number of users complain about the .ZIP filtering, and
we're still working toward a solution that better meets their needs.  But
for the majority of our user base, I think it's worked well.  Currently,
to receive a .ZIP or "Type I" attachment, the sender must change the
extension prior to sending it.  We considered defanging, but chose not to
in the interest of better system performance.

--Brian

______________________________________________
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
+1 202.687.2775


_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog