[unisog] Request Opinions on Anti-Virus Software

PaulFM paulfm at me.umn.edu
Mon Jun 6 15:56:22 GMT 2005


Virii will ALWAYS find a way to get to the user, so blocking is only a 
stop-gap solution.  Unfortunately, shielding users too much can give them a 
sense of complete security (which, over time could be very dangerous).  Part 
of a user's training - is exposure.


If one user with a virus can take down your network - you have some serious 
problems and you should re-think your security policies.  I have actually had 
a user or two go through the trouble of running the virus in a zip file on 
managed machines (the cure was to simply reboot the machine - as the machine 
was secure to the point that no user had access to change critical settings 
nor files on the machine itself).  It did not take down our network - it only 
sent out e-mails and tried to directly infect other machines (I was actually 
impressed that someone had finally made a virus that would run without 
problems on a secure machine [except it couldn't install itself 
permanently]).   We also support user managed machines on our network - they 
get virii all the time (but they don't take our network down).

Always assume that your user's (including yourself) will get virii that you 
may not detect.  Which is why you should never give any user, who is not well 
trained, any access to a machine which they may (intentionally or accidently) 
use to damage the configuration of the machine so other users are at risk - 
and any such access should use a special account.  So if a user DEMANDS 
administrative access to a machine - take it off the domain (or at least 
restrict who may log into it) so other users won't be able to use it (and 
risk their files).


Nguyen, Minh wrote:

> Paul,
> 
> For you to stated "you should not have block .zip files as they require
> work on the user's part to make them dangerous" is unfair.
> 
> We block .zip and a bunch of other files.  This has great reduced the
> amount a viruses that our desktop antivirus detected.   I understand
> your concern with blocking out zip files.  But the reality is that no
> matter how much user education you have, someone will always open up a
> zip file that is a virus.  One user can essential take down your
> network.
> 
> Blocking out .zip files does not prevent the users from receiving
> legitimate zip files.   All the sender needs to do is rename the .zip
> extension to something else, and it will bypass the blocking.  In
> addition, if someone needs a zip file that was blocked, all they need to
> do is ask for it to be released.  In my office of 50 people, we get
> about 1 request every 6 weeks (may even longer).   People have learned
> how to work around the attachment problem when it's a legitimate reason.
> 
> Minh
> ____________________________________________
> 
> Minh Nguyen
> Assistant Dean of Technology
> College of Letters & Science Deans' Office
> mailto:mtnguyen at ucdavis.edu (530)752-7647
> 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of PaulFM
> Sent: Monday, June 06, 2005 7:49 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Request Opinions on Anti-Virus Software
> 
> So what you are saying is - with proper user education - you would not
> have to block zips and it would still be as effective (zips don't open
> automaticaly in any mail reader I know of by default).
> 
> Do you block .doc and .xls files as well?   You should not have to block
> .zip 
> files as they require work on the user's part to make them dangerous.
> 
> 
> Jason Richardson wrote:
> 
> 
>>We are also site licensed for McAfee and we're mostly running version
> 
> 8
> 
>>with some 7 and even 4.5.1 mixed in here and there.   We run CLAM AV
> 
> at
> 
>>the gateway.  I'm sure that some of the malware would be getting by 
>>because that's the nature of the beast with signature based AV 
>>detection/prevention but when we started blocking ZIP files at the 
>>mail gateway (and others but ZIPs have made the biggest difference by 
>>far) about 6 months ago the occurrence of viruses on admininstrative 
>>campus PCs dropped off dramatically.  Blocking ZIPs has easily been 
>>the most effective thing that we have done to stop virus infections on
> 
> 
>>our campus.
>>
>>---
>>Jason Richardson
>>Manager, IT Security and Client Development Enterprise Systems Support
> 
> 
>>Northern Illinois University
>>Voice: 815-753-1678
>>Fax: 815-753-2555
>>jasrich at niu.edu
>>
>>
>>
>>>>>AJTIRDIL at salisbury.edu 6/3/2005 6:25:58 PM >>>
>>
>>Hello Andy,
>>
>>At Salisbury University, MD...we are also have the same AV license and
> 
> 
>>run the mcafee update server locally.  There has been one situation we
> 
> 
>>encountered where McAfee didnt have the updates out in time and many 
>>campus machines got infected.  So I guess it has not been a big issue 
>>for us.  However we have a frontdoor firewall that has AV capabilities
>>(Fortigate-800) and it catches a lot of the HTTP/SMTP viruses 
>>in-transit.  Plus our mail system scans itself, so thats double the 
>>mail protection.
>>
>>One thing I would be curious to know is the version you are using, all
> 
> 
>>our students and university owned systems are running McAfee 
>>Enterprise 8.0i  I see a good improvement in detection over the 7.0 
>>series (especially non-virus types of stuff like adware/spyware).
>>
>>-Alex T
>>Salisbury University
>>
>>
>>
>>>>>andy at umbc.edu 06/03 5:16 PM >>>
>>
>>
>>Hi, folks.
>>
>>UMBC has a site license McAfee Anti-Virus software and a server on our
> 
> 
>>network that mirrors DAT updates.  We've noticed that we are 
>>frequently seeing malware infecting campus systems well before 
>>(sometimes several
>>days) the DAT update that handles the problem appears.
>>
>>Has anyone else had similar problems?
>>
>>How do other McAfee users feel about it?
>>
>>Symantec users: How do you feel about Symantec?
>>
>>We're trying to decide which way to go for AV software.
>>
>>Opinions, gripes and grumbles welcome and encouraged.  Please respond 
>>to the list in case anyone else is facing the same issues.
>>
>>Thanks,
>>
>>- Andy Johnston
>>
>>
> 
> ------------------------------------------------------------------------
> ---
> 
>>** Andy Johnston (andy at umbc.edu)         *                            
>>
>> **
>>** IT Security                           *PGP key:(afj2005)
>>4096/1BB51DFA**
>>** Office of Information Technology, UMBC* 88 CA 0D 45 C2 0E 0B 0F 3F
>>55 **
>>** 410-455-2583 (v)/410-455-1065 (f)     * 7A BD FE 3C 84 6F 1B B5 1D
>>FA **
>>----------------------------------------------------------------------
>>-----
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
> 
> 
> --
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly those of the
> author(s).  The content of this message has not been reviewed nor
> approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------


More information about the unisog mailing list