[unisog] New virus - not caught by central servers (fwd)

Gasper, Rick rjgasper at kings.edu
Wed Jul 28 15:40:19 GMT 2004

We quarantine all zip files.  We also use IF the person wants them they
let us know.  I know King's is a small school but ever since we
quarantined zips, we have had only one non IT person ask for a zip. This
has been in effect for a few months. We do scan the quarantine folder and
notify someone if we see a zip file. Also we scan all attachments before
they get opened. (spam filter, email server, and desktop).

What we block: We started off with Martin Blackstone's List of dangerous
http://tinyurl.com/5s2dx or

Same as above:

IT has worked well

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
rjgasper at kings.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Brian Reilly
Sent: Wednesday, July 28, 2004 11:11 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New virus - not caught by central servers (fwd)

On Wed, 28 Jul 2004, Reg Quinton wrote:

> For those who subscribe we reject all the usual executable files but
> accept zips which we scan with ClamAV. We get caught (a bit) on 0-day
> problems and I've been arguing that we ought to block zips as well...
> stop worrying about the AV filter on incoming mail.
> Some people claim that if you block zips then they can't get their
> done. Apparently people at Columbia do get their work done.
> How has your user community accommodated your e-mail security filtering? I.e.
> when they really need to send a zip (or exe, etc.) how do they do it?

We block Microsoft "Type I" attachments and .ZIPs as well, with very
success.  (Being able to say "Columbia does this too" was helpful.)  For
us, it was a combination of the productivity loss (for both users and
desktop support staff) and the need for a cost-effective solution that
going to have the best results.  Paying $50,000+ for a solution that was
still going to leave us exposed to the 0-day stuff wasn't an ideal
We also went by the numbers; based on our analysis prior to dropping
.ZIPs, a minimum of 86% of the .ZIPs we delivered were likely generated
email-borne viruses.

We had had a small number of users complain about the .ZIP filtering,
we're still working toward a solution that better meets their needs.
for the majority of our user base, I think it's worked well.  Currently,
to receive a .ZIP or "Type I" attachment, the sender must change the
extension prior to sending it.  We considered defanging, but chose not
in the interest of better system performance.


Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
+1 202.687.2775
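The policy both posters describe (reject the usual executable types outright, quarantine .ZIPs, and let a renamed extension through) can be expressed as a small filter. The following is an added example for illustration; it is not code from either university, and the extension lists are assumptions standing in for Martin Blackstone's list and the posters' actual configurations.

```python
"""Attachment policy filter: reject executables, quarantine .zip, deliver the rest."""
import email
from email import policy
from email.message import EmailMessage

# Constructed extension sets modelled on the thread's description. These are
# assumptions for the example, not Martin Blackstone's list or any site's config.
REJECT_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".cmd"}
QUARANTINE_EXTENSIONS = {".zip"}


def classify_filename(name: str) -> str:
    """Return 'reject', 'quarantine' or 'deliver' for one attachment filename."""
    lower = name.lower().strip()
    # Only the final extension counts, so "report.doc.exe" is still an executable.
    dot = lower.rfind(".")
    ext = lower[dot:] if dot != -1 else ""
    if ext in REJECT_EXTENSIONS:
        return "reject"
    if ext in QUARANTINE_EXTENSIONS:
        return "quarantine"
    return "deliver"


def classify_message(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Parse a raw RFC 822 message and apply the policy to every attachment.

    Returns the overall verdict (the most restrictive per-attachment verdict)
    plus a per-attachment list of (filename, verdict) suitable for logging
    and for notifying the recipient that something was quarantined.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts.append((name, classify_filename(name)))
    order = {"deliver": 0, "quarantine": 1, "reject": 2}
    overall = max((v for _, v in verdicts), key=order.__getitem__, default="deliver")
    return overall, verdicts


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed test message carrying a single attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.edu"
    m["To"] = "user@example.edu"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # "photos.zi_" shows the renamed-extension workaround the thread mentions:
    # an extension-only filter delivers it, which is the intended escape hatch.
    for fn in ("photos.zip", "invoice.exe", "notes.txt", "photos.zi_"):
        print(fn, "->", classify_message(build_sample(fn, b"x"))[0])
```

The filter is deliberately extension-only, matching the behaviour described in the thread: a sender who renames `.zip` to something else gets the file through, which is the manual exception process the posters rely on rather than a weakness to be surprised by.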
