[unisog] Request Opinions on Anti-Virus Software

Nguyen, Minh Nguyen at lsdo.ucdavis.edu
Mon Jun 6 15:27:53 GMT 2005


For you to stated "you should not have block .zip files as they require
work on the user's part to make them dangerous" is unfair.

We block .zip and a bunch of other files.  This has great reduced the
amount a viruses that our desktop antivirus detected.   I understand
your concern with blocking out zip files.  But the reality is that no
matter how much user education you have, someone will always open up a
zip file that is a virus.  One user can essential take down your

Blocking out .zip files does not prevent the users from receiving
legitimate zip files.   All the sender needs to do is rename the .zip
extension to something else, and it will bypass the blocking.  In
addition, if someone needs a zip file that was blocked, all they need to
do is ask for it to be released.  In my office of 50 people, we get
about 1 request every 6 weeks (may even longer).   People have learned
how to work around the attachment problem when it's a legitimate reason.


Minh Nguyen
Assistant Dean of Technology
College of Letters & Science Deans' Office
mailto:mtnguyen at ucdavis.edu (530)752-7647

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of PaulFM
Sent: Monday, June 06, 2005 7:49 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Request Opinions on Anti-Virus Software

So what you are saying is - with proper user education - you would not
have to block zips and it would still be as effective (zips don't open
automaticaly in any mail reader I know of by default).

Do you block .doc and .xls files as well?   You should not have to block
files as they require work on the user's part to make them dangerous.

Jason Richardson wrote:

> We are also site licensed for McAfee and we're mostly running version
> with some 7 and even 4.5.1 mixed in here and there.   We run CLAM AV
> the gateway.  I'm sure that some of the malware would be getting by 
> because that's the nature of the beast with signature based AV 
> detection/prevention but when we started blocking ZIP files at the 
> mail gateway (and others but ZIPs have made the biggest difference by 
> far) about 6 months ago the occurrence of viruses on admininstrative 
> campus PCs dropped off dramatically.  Blocking ZIPs has easily been 
> the most effective thing that we have done to stop virus infections on

> our campus.
> ---
> Jason Richardson
> Manager, IT Security and Client Development Enterprise Systems Support

> Northern Illinois University
> Voice: 815-753-1678
> Fax: 815-753-2555
> jasrich at niu.edu
>>>>AJTIRDIL at salisbury.edu 6/3/2005 6:25:58 PM >>>
> Hello Andy,
> At Salisbury University, MD...we are also have the same AV license and

> run the mcafee update server locally.  There has been one situation we

> encountered where McAfee didnt have the updates out in time and many 
> campus machines got infected.  So I guess it has not been a big issue 
> for us.  However we have a frontdoor firewall that has AV capabilities
> (Fortigate-800) and it catches a lot of the HTTP/SMTP viruses 
> in-transit.  Plus our mail system scans itself, so thats double the 
> mail protection.
> One thing I would be curious to know is the version you are using, all

> our students and university owned systems are running McAfee 
> Enterprise 8.0i  I see a good improvement in detection over the 7.0 
> series (especially non-virus types of stuff like adware/spyware).
> -Alex T
> Salisbury University
>>>>andy at umbc.edu 06/03 5:16 PM >>>
> Hi, folks.
> UMBC has a site license McAfee Anti-Virus software and a server on our

> network that mirrors DAT updates.  We've noticed that we are 
> frequently seeing malware infecting campus systems well before 
> (sometimes several
> days) the DAT update that handles the problem appears.
> Has anyone else had similar problems?
> How do other McAfee users feel about it?
> Symantec users: How do you feel about Symantec?
> We're trying to decide which way to go for AV software.
> Opinions, gripes and grumbles welcome and encouraged.  Please respond 
> to the list in case anyone else is facing the same issues.
> Thanks,
> - Andy Johnston
> ** Andy Johnston (andy at umbc.edu)         *                            
>  **
> ** IT Security                           *PGP key:(afj2005)
> 4096/1BB51DFA**
> ** Office of Information Technology, UMBC* 88 CA 0D 45 C2 0E 0B 0F 3F
> 55 **
> ** 410-455-2583 (v)/410-455-1065 (f)     * 7A BD FE 3C 84 6F 1B B5 1D
> FA **
> ----------------------------------------------------------------------
> -----
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly those of the
author(s).  The content of this message has not been reviewed nor
approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list