[unisog] Request Opinions on Anti-Virus Software

Nguyen, Minh Nguyen at lsdo.ucdavis.edu
Mon Jun 6 16:38:10 GMT 2005


Paul,

It's the multiple "stop-gap solutions" that keep my environment
relatively safe.  To me, the stop-gap measures include user training,
antivirus software, attachment blocking, firewall, automatic updates,
pop-up blocker, constant security scans, and so on.  All of these can be
argued to be stop-gap solutions - but the cumulative effect is a relatively
secure environment.

My point was that it's unfair to make the statement "you should not
block .zip files."   Each of us works in a very different environment,
and different solutions work for each of us differently.  In my office,
we are exclusively administrative staff (Deans, executive assistants,
assistant deans, budget analysts, counselors, etc.) - so I have full
control over the computers.   I can block out .zip files and not grant
administrative rights with very little punitive damage.  However, at my
campus level (25,000 people), blocking out .zip files and removing all
administrative rights from non-system administrators can have a very
negative impact on professors' research (or so they claim).   Even in my
own little environment, I have different policies for different groups of
employees.  Student employees (50+) can't even download files from the
web.   Each of us must assess our environment and apply what works for
our specific situation.

Along with firewall and automatic patching - I would say that blocking
of certain attachments is one of the best "security" things I have done.

Minh

PS - I am pretty happy with my security policy.  :D

____________________________________________

Minh Nguyen
Assistant Dean of Technology
College of Letters & Science Deans' Office
mailto:mtnguyen at ucdavis.edu (530)752-7647

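The attachment blocking Minh describes, together with the extension-rename workaround he mentions in his earlier message quoted further down, as an added example that is not code from anyone on this thread: a small gateway-style check that refuses attachments by extension and also by the ZIP file signature, so a .zip renamed to .dat does not slip past the filter and has to go through the normal release-on-request path. The BLOCKED_EXTENSIONS set and the sample message are constructed for illustration; the thread itself only names .zip.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions the gateway refuses outright. Constructed policy list for this
# example; the thread only mentions .zip.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".pif"}

# Leading bytes of a ZIP container (local file header, empty archive,
# spanned archive). A rename does not change these.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def extension_of(filename):
    """Return the lower-cased final extension of a filename, '' if none."""
    if filename is None or "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[1].lower()


def looks_like_zip(data):
    """True if the payload starts with a ZIP signature."""
    return data[:4] in ZIP_MAGIC


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment.

    The filename check is cheap and catches honest .zip attachments; the
    signature check catches the same archive after its extension was renamed.
    """
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {ext}"
    if looks_like_zip(data):
        return "block", f"ZIP signature under extension {ext or '(none)'}"
    return "allow", "no policy match"


def scan_message(msg):
    """Classify every attachment part of an EmailMessage."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def make_zip_bytes(inner_name, content):
    """Build a small in-memory ZIP archive (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed test message: a .zip, the same archive renamed to .dat,
    and a harmless text file. None of this comes from the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"
    msg["To"] = "dean@example.edu"
    msg["Subject"] = "Budget files"
    msg.set_content("Files attached.")
    zbytes = make_zip_bytes("budget.xls", b"not really a spreadsheet")
    msg.add_attachment(zbytes, maintype="application", subtype="zip",
                       filename="budget.zip")
    msg.add_attachment(zbytes, maintype="application", subtype="octet-stream",
                       filename="budget.dat")
    msg.add_attachment("Meeting notes.", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name:12} {verdict:6} {reason}")
```

Running it shows budget.zip blocked on extension, budget.dat blocked on the ZIP signature despite its innocent-looking name, and notes.txt allowed. In a real gateway the "block" verdict would quarantine the part for the release-on-request workflow the thread describes rather than dropping it silently.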

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of PaulFM
Sent: Monday, June 06, 2005 8:56 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Request Opinions on Anti-Virus Software

Virii will ALWAYS find a way to get to the user, so blocking is only a
stop-gap solution.  Unfortunately, shielding users too much can give
them a sense of complete security (which, over time, could be very
dangerous).  Part of a user's training - is exposure.


If one user with a virus can take down your network - you have some
serious problems and you should re-think your security policies.  I have
actually had a user or two go through the trouble of running the virus
in a zip file on managed machines (the cure was to simply reboot the
machine - as the machine was secure to the point that no user had access
to change critical settings nor files on the machine itself).  It did
not take down our network - it only sent out e-mails and tried to
directly infect other machines (I was actually impressed that someone
had finally made a virus that would run without problems on a secure
machine [except it couldn't install itself permanently]).   We also
support user managed machines on our network - they get virii all the
time (but they don't take our network down).

Always assume that your users (including yourself) will get virii that
you may not detect.  Which is why you should never give any user, who is
not well trained, any access to a machine which they may (intentionally
or accidentally) use to damage the configuration of the machine so other
users are at risk - and any such access should use a special account.
So if a user DEMANDS administrative access to a machine - take it off
the domain (or at least restrict who may log into it) so other users
won't be able to use it (and risk their files).


Nguyen, Minh wrote:

> Paul,
> 
> For you to state "you should not have to block .zip files as they
> require work on the user's part to make them dangerous" is unfair.
> 
> We block .zip and a bunch of other files.  This has greatly reduced the
> amount of viruses that our desktop antivirus detected.   I understand
> your concern with blocking out zip files.  But the reality is that no
> matter how much user education you have, someone will always open up a
> zip file that is a virus.  One user can essentially take down your
> network.
> 
> Blocking out .zip files does not prevent the users from receiving
> legitimate zip files.   All the sender needs to do is rename the .zip
> extension to something else, and it will bypass the blocking.  In
> addition, if someone needs a zip file that was blocked, all they need
> to do is ask for it to be released.  In my office of 50 people, we get
> about 1 request every 6 weeks (maybe even longer).   People have learned
> how to work around the attachment problem when it's a legitimate
> reason.
> 
> Minh
> ____________________________________________
> 
> Minh Nguyen
> Assistant Dean of Technology
> College of Letters & Science Deans' Office
> mailto:mtnguyen at ucdavis.edu (530)752-7647
> 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of PaulFM
> Sent: Monday, June 06, 2005 7:49 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Request Opinions on Anti-Virus Software
> 
> So what you are saying is - with proper user education - you would not
> have to block zips and it would still be as effective (zips don't open
> automatically in any mail reader I know of by default).
> 
> Do you block .doc and .xls files as well?   You should not have to
> block .zip files as they require work on the user's part to make them
> dangerous.
> 
> 
> Jason Richardson wrote:
> 
> 
>>We are also site licensed for McAfee and we're mostly running version 8
>>with some 7 and even 4.5.1 mixed in here and there.   We run CLAM AV at
>>the gateway.  I'm sure that some of the malware would be getting by
>>because that's the nature of the beast with signature based AV
>>detection/prevention but when we started blocking ZIP files at the
>>mail gateway (and others but ZIPs have made the biggest difference by
>>far) about 6 months ago the occurrence of viruses on administrative
>>campus PCs dropped off dramatically.  Blocking ZIPs has easily been
>>the most effective thing that we have done to stop virus infections on
>>our campus.
>>
>>---
>>Jason Richardson
>>Manager, IT Security and Client Development Enterprise Systems Support
> 
> 
>>Northern Illinois University
>>Voice: 815-753-1678
>>Fax: 815-753-2555
>>jasrich at niu.edu
>>
>>
>>
>>>>>AJTIRDIL at salisbury.edu 6/3/2005 6:25:58 PM >>>
>>
>>Hello Andy,
>>
>>At Salisbury University, MD...we also have the same AV license and
>>run the McAfee update server locally.  There has been one situation we
>>encountered where McAfee didn't have the updates out in time and many
>>campus machines got infected.  So I guess it has not been a big issue
>>for us.  However we have a frontdoor firewall that has AV capabilities
>>(Fortigate-800) and it catches a lot of the HTTP/SMTP viruses
>>in-transit.  Plus our mail system scans itself, so that's double the
>>mail protection.
>>
>>One thing I would be curious to know is the version you are using; all
>>our students and university owned systems are running McAfee
>>Enterprise 8.0i.  I see a good improvement in detection over the 7.0
>>series (especially non-virus types of stuff like adware/spyware).
>>
>>-Alex T
>>Salisbury University
>>
>>
>>
>>>>>andy at umbc.edu 06/03 5:16 PM >>>
>>
>>
>>Hi, folks.
>>
>>UMBC has a site license McAfee Anti-Virus software and a server on our
>>network that mirrors DAT updates.  We've noticed that we are
>>frequently seeing malware infecting campus systems well before
>>(sometimes several days) the DAT update that handles the problem
>>appears.
>>
>>Has anyone else had similar problems?
>>
>>How do other McAfee users feel about it?
>>
>>Symantec users: How do you feel about Symantec?
>>
>>We're trying to decide which way to go for AV software.
>>
>>Opinions, gripes and grumbles welcome and encouraged.  Please respond 
>>to the list in case anyone else is facing the same issues.
>>
>>Thanks,
>>
>>- Andy Johnston
>>
>>
> 
> ---------------------------------------------------------------------------
> 
>>** Andy Johnston (andy at umbc.edu)         *                              **
>>** IT Security                           *PGP key:(afj2005) 4096/1BB51DFA**
>>** Office of Information Technology, UMBC* 88 CA 0D 45 C2 0E 0B 0F 3F 55 **
>>** 410-455-2583 (v)/410-455-1065 (f)     * 7A BD FE 3C 84 6F 1B B5 1D FA **
>>---------------------------------------------------------------------------
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
> 
> 
> --
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly those of the 
> author(s).  The content of this message has not been reviewed nor 
> approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

--
---------------------------------------------------------------------
The views and opinions expressed above are strictly those of the
author(s).  The content of this message has not been reviewed nor
approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog