[unisog] Request Opinions on Anti-Virus Software

Jason Richardson A00JER1 at wpo.cso.niu.edu
Mon Jun 6 18:50:11 GMT 2005


That's not really what I am saying at all, but I'll concede that if we
could get users not to open ZIPs (or type in the provided password for
unlocking them) unless they were 100% sure of what they were and where
they came from, it would be as effective as blocking them.  But that's
the rub, isn't it?  Regardless of how much training we provide or how
often we slap their hands, users will hurt themselves and those around
them by doing dangerous and stupid things.  Given that as a truth on at
least our campus, I'll stick to my original statement that taking that
gun out of their hands (i.e., blocking all ZIPs at the gateway) has been
the single most effective measure that we have taken to prevent
infections on admin machines.  We don't currently block .doc or .xls
because we haven't seen a macro virus or some other virus that CLAM and
McAfee don't recognize in quite a while.  If we saw one, I wouldn't
hesitate to block them at the gateway too, at least temporarily.

> ---
> Jason Richardson
> Manager, IT Security and Client Development
> Enterprise Systems Support
> Northern Illinois University
> Voice: 815-753-1678
> Fax: 815-753-2555
> jasrich at niu.edu 
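One way to enforce the kind of gateway policy described above, as an added example that is not code from the thread or from any of the posters: a Python check that recognises ZIP attachments by their magic bytes (so a renamed archive is caught as well as one called .zip) and separately flags entries whose header encryption bit is set, since a password-protected archive is exactly the case a signature scanner cannot look inside. The message and the archive are constructed inline; the function names are this example's own.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED = 0x0001        # general-purpose flag bit 0: entry is password protected
DATA_DESCRIPTOR = 0x0008  # bit 3: sizes are written after the data, not in the header

def zip_entry_flags(blob):
    """Walk the local file headers of a ZIP and yield each entry's flag word."""
    pos = 0
    while blob.startswith(ZIP_MAGIC, pos):
        # 30-byte header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) namelen(2) extralen(2); name, extra and data follow
        flags, csize, namelen, extralen = struct.unpack_from("<6xH10xI4xHH", blob, pos)
        yield flags
        if flags & DATA_DESCRIPTOR:
            break  # compressed size is unknown up front; stop rather than guess
        pos += 30 + namelen + extralen + csize

def classify_attachment(part):
    """Return 'zip-encrypted', 'zip' or 'other' for one MIME part, judged by content."""
    blob = part.get_payload(decode=True) or b""
    if not blob.startswith(ZIP_MAGIC):   # filename and Content-Type are sender-chosen
        return "other"
    if any(f & ENCRYPTED for f in zip_entry_flags(blob)):
        return "zip-encrypted"
    return "zip"

def gateway_verdict(raw_message):
    """Return ('block'|'deliver', [(filename, kind), ...]) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = [(p.get_filename(), classify_attachment(p)) for p in msg.iter_attachments()]
    action = "block" if any(kind != "other" for _, kind in findings) else "deliver"
    return action, findings

def build_sample(encrypted):
    """Constructed test mail carrying a ZIP; encrypted=True sets bit 0 on its first entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc", b"constructed sample data, not a real document")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= ENCRYPTED  # the flag word sits at offset 6 of the first local header
    msg = EmailMessage()
    msg.set_content("The password for the attachment is in my previous mail.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

A real deployment would also unpack nested archives and apply the same check to each inner ZIP, which this example leaves out.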

>>> paulfm at me.umn.edu 06/06 9:49 AM >>>
So what you are saying is - with proper user education - you would not
have to block zips and it would still be as effective (zips don't open
automatically in any mail reader I know of by default).

Do you block .doc and .xls files as well?  You should not have to block
.zip files as they require work on the user's part to make them
dangerous.


Jason Richardson wrote:

> We are also site licensed for McAfee and we're mostly running version 8
> with some 7 and even 4.5.1 mixed in here and there.  We run CLAM AV at
> the gateway.  I'm sure that some of the malware would be getting by
> because that's the nature of the beast with signature based AV
> detection/prevention, but when we started blocking ZIP files at the
> mail gateway (and others, but ZIPs have made the biggest difference by
> far) about 6 months ago the occurrence of viruses on administrative
> campus PCs dropped off dramatically.  Blocking ZIPs has easily been the
> most effective thing that we have done to stop virus infections on our
> campus.
> 
> ---
> Jason Richardson
> Manager, IT Security and Client Development
> Enterprise Systems Support
> Northern Illinois University
> Voice: 815-753-1678
> Fax: 815-753-2555
> jasrich at niu.edu 
> 
> 
>>>> AJTIRDIL at salisbury.edu 6/3/2005 6:25:58 PM >>>
> 
> Hello Andy,
> 
> At Salisbury University, MD... we also have the same AV license and run
> the McAfee update server locally.  There has been one situation we
> encountered where McAfee didn't have the updates out in time and many
> campus machines got infected.  So I guess it has not been a big issue
> for us.  However, we have a front-door firewall that has AV
> capabilities (Fortigate-800) and it catches a lot of the HTTP/SMTP
> viruses in-transit.  Plus our mail system scans itself, so that's
> double the mail protection.
> 
> One thing I would be curious to know is the version you are using; all
> our students and university owned systems are running McAfee Enterprise
> 8.0i.  I see a good improvement in detection over the 7.0 series
> (especially non-virus types of stuff like adware/spyware).
> 
> -Alex T
> Salisbury University
> 
> 
>>>> andy at umbc.edu 06/03 5:16 PM >>>
> 
> 
> Hi, folks.
> 
> UMBC has a site license for McAfee Anti-Virus software and a server on
> our network that mirrors DAT updates.  We've noticed that we are
> frequently seeing malware infecting campus systems well before
> (sometimes several days) the DAT update that handles the problem
> appears.
> 
> Has anyone else had similar problems?
> 
> How do other McAfee users feel about it?
> 
> Symantec users: How do you feel about Symantec?
> 
> We're trying to decide which way to go for AV software.
> 
> Opinions, gripes and grumbles welcome and encouraged.  Please respond
> to the list in case anyone else is facing the same issues.
> 
> Thanks,
> 
> - Andy Johnston
> 
> ---------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)         *                           **
> ** IT Security                           *PGP key:(afj2005) 4096/1BB51DFA**
> ** Office of Information Technology, UMBC* 88 CA 0D 45 C2 0E 0B 0F 3F 55 **
> ** 410-455-2583 (v)/410-455-1065 (f)     * 7A BD FE 3C 84 6F 1B B5 1D FA **
> ---------------------------------------------------------------------------
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/unisog 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm 
---------------------------------------------------------------------