[unisog] New virus - not caught by central servers (fwd)
rjgasper at kings.edu
Wed Jul 28 15:40:19 GMT 2004
We quarantine all zip files. We also use. If the person wants them they
let us know. I know King's is a small school but ever since we
quarantined zips, we have had only one non-IT person ask for a zip. This
has been in effect for a few months. We do scan the quarantine folder and
notify someone if we see a zip file. Also we scan all attachments before
they get opened. (spam filter, email server, and desktop).
What we block: We started off with Martin Blackstone's List of dangerous
Same as above:
IT has worked well
Manager, Network Services
133 N. River St
Wilkes-Barre PA 18711
rjgasper at kings.edu
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Brian Reilly
Sent: Wednesday, July 28, 2004 11:11 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New virus - not caught by central servers (fwd)
On Wed, 28 Jul 2004, Reg Quinton wrote:
> For those who subscribe we reject all the usual executable files but
> accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well...
> stop worrying about the AV filter on incoming mail.
> Some people claim that if you block zips then they can't get their work
> done. Apparently people at Columbia do get their work done.
> How has your user community accommodated your e-mail security
> when they really need to send a zip (or exe, etc.) how do they do it?
We block Microsoft "Type I" attachments and .ZIPs as well, with very
success. (Being able to say "Columbia does this too" was helpful.) For
us, it was a combination of the productivity loss (for both users and
desktop support staff) and the need for a cost-effective solution that was
going to have the best results. Paying $50,000+ for a solution that was
still going to leave us exposed to the 0-day stuff wasn't an ideal
We also went by the numbers; based on our analysis prior to dropping
.ZIPs, a minimum of 86% of the .ZIPs we delivered were likely generated
We had had a small number of users complain about the .ZIP filtering,
we're still working toward a solution that better meets their needs.
for the majority of our user base, I think it's worked well. Currently,
to receive a .ZIP or "Type I" attachment, the sender must change the
extension prior to sending it. We considered defanging, but chose not
in the interest of better system performance.
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
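Both posts above describe the same gateway policy: reject attachments whose extension is on a list of dangerous types, quarantine .ZIPs outright, and let a legitimate sender get a .ZIP through by renaming its extension before sending. The following Python script is an added example, not code from either school or from the unisog list, showing how such a filter classifies the attachments of an incoming message. The extension list is a short constructed stand-in (the thread cites Martin Blackstone's list but does not reproduce it), the sample message is constructed inline, and the check on the ZIP file signature goes one step beyond the thread: it recognises a ZIP archive by its leading bytes even when the extension has been changed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed, abbreviated list of extensions to reject; stand-in for the
# "dangerous attachments" list the thread refers to but does not reproduce.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                      ".vbs", ".js", ".zip"}

# Leading bytes of ZIP local-file-header, end-of-central-directory and
# spanned-archive markers; a renamed .zip still starts with one of these.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify_attachment(filename, payload):
    """Return 'quarantine-ext', 'quarantine-zip-content' or 'allow'."""
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine-ext"
    # Content check: catches archive.zi_ or archive.txt that is really a ZIP.
    if payload[:4] in ZIP_MAGIC:
        return "quarantine-zip-content"
    return "allow"


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify each attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdicts.append((name, classify_attachment(name, payload)))
    return verdicts


def build_sample():
    """Construct a test message: a text note, an .exe, and a renamed ZIP."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"      # constructed addresses
    msg["To"] = "helpdesk@example.edu"
    msg["Subject"] = "files attached"
    msg.set_content("See attached.")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # A ZIP header with the extension changed, as the thread's workaround does.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="archive.zi_")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name:12s} -> {verdict}")
```

If the rename-before-sending route is the sanctioned way for users to receive archives, drop the `ZIP_MAGIC` branch, since it would reject exactly the renamed files that policy allows; keep it when the intent is that no archive reaches the desktop by mail at all.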