> 1. We do currently block executable attachments but unfortunately this
> happens on the mail server. I'd need to investigate further into blocking
> at the firewall. The third layer of antivirus I mentioned is at the
> gateway. Fortunately we have standardised to a single email client, making
> policy setting a lot easier. Although total attachment blocking is too
> harsh for our business requirements, I could see potential to ramp this up
> either at the firewall (if possible) or using ScanMail attachment
> blocking.

If they are being blocked at the server, that should be fine, unless you are saying somehow users are able to access their e-mail BEFORE the attachments are blocked.

> 3. On a couple of occasions I've had messages come through to myself
> (latest Bagle and I can't recall the other one). I only had to look at it
> to see that it was a virus, so I set to work to find a scanner that could
> pick it up - on one occasion neither Trend nor Symantec did. I then tried
> a couple of on-line scanners, again with no success. I believe running
> multiple antivirus is a good idea (that's why we're doing it) but it
> certainly isn't a cure-all.

OK, here is a big warning. If a virus is in an encrypted zip file, a virus scanner WILL NOT SEE THE VIRUS! What they can do eventually is see the pattern that is used. This would include such things as the image file name that the password is in, or the file size, or the name of the file within the zip. Bagle is, if I remember, the first one that started using encrypted zip files. This is why when a virus comes out using an encrypted zip, it takes a lot longer for the AV companies to come out with the definitions.

The software I use will first run the virus scanners against it, and if they do not report a virus, then can ban the message based on attachment name, attachment extension, if it is an encrypted zip, if it is a zip and even if the zip file contains banned attachments.
> One of the other posters made the point of training of users which is
> something I try to strike a balance of letting them know of new viruses
> while not doing it so often that they see it as a "cry wolf". Considering the
> vulnerability of antivirus described I see this as probably the greatest
> means of defence. Our worst "hit" however was the result of someone who
> did know better - what do you do!

Well, I too went through that. The owner of one of my clients received a zip file with a forged from address, assumed it must be OK since it was in a zip, then opened it and ran the hotpictures_scr whatever, thinking that someone sent him pictures (he always receives pictures as part of jokes, which is why I hate the passing of jokes), and whamo, 12 hours of labor and the network down for the day, and I hope he learned his lesson.

Since then, I have a very strict policy of banning all potentially malicious executable files within zip files, as well as banning all encrypted zip files. Users are given instructions on what to do. Yes, it is work on their part. I have as clients a printing shop, a bank, a company dealing with medical billing and records (can you say HIPAA?), a financial factoring company, an electronic components company as well as some restaurants and individual users, and all of them agree and thank me for that policy.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
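The attachment policy John describes (ban by extension, ban encrypted zips because the scanner cannot see into them, and ban zips whose contents are banned, even when nested) written out as an added Python example; this is not code from the thread or from ScanMail. The banned-extension list, the nesting limit and the fixture helpers that build sample archives in memory are assumptions made for the example.

```python
import io
import os
import zipfile

# Constructed policy: extensions banned both as a bare attachment and inside a zip.
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_NESTING = 2  # refuse to descend into zips nested deeper than this (zip-bomb guard)


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def check_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the policy reasons for banning an attachment; [] means allowed."""
    reasons = []
    if _ext(filename) in BANNED_EXTENSIONS:
        reasons.append(f"banned extension: {filename}")
    if _ext(filename) != ".zip":
        return reasons
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + [f"malformed zip: {filename}"]
    with zf:
        for info in zf.infolist():
            inner = f"{filename}/{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general-purpose flags
            if encrypted:
                reasons.append(f"encrypted entry, scanner cannot inspect it: {inner}")
            # Entry names stay readable even when the content is encrypted.
            if _ext(info.filename) in BANNED_EXTENSIONS:
                reasons.append(f"banned file inside zip: {inner}")
            elif _ext(info.filename) == ".zip" and not encrypted:
                if depth >= MAX_NESTING:
                    reasons.append(f"zip nested too deeply: {inner}")
                else:
                    reasons.extend(check_attachment(inner, zf.read(info), depth + 1))
    return reasons


def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()  # constructed one-entry zip fixture, stored uncompressed
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    # zipfile cannot write encrypted archives, so the fixture sets flag bit 0 in
    # the local header (offset 6) and central directory header (offset 8) by hand.
    data = bytearray(zip_bytes)
    data[data.index(b"PK\x03\x04") + 6] |= 1
    data[data.index(b"PK\x01\x02") + 8] |= 1
    return bytes(data)
```

A gateway would run the scanners first and apply `check_attachment` only to attachments they pass, as the post describes.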