Thanks, I'll take your warning on encrypted zips on board and see what our options are.

Regards

> > 1. We do currently block executable attachments but unfortunately this happens on the mail server. I'd need to investigate further into blocking at the firewall. The third layer of antivirus I mentioned is at the gateway. Fortunately we have standardised to a single email client, making policy setting a lot easier. Although total attachment blocking is too harsh for our business requirements, I could see potential to ramp this up either at the firewall (if possible) or using ScanMail attachment blocking.
>
> If they are being blocked at the server, that should be fine, unless you are saying somehow users are able to access their e-mail BEFORE the attachments are blocked.
>
> > 3. On a couple of occasions I've had messages come through to myself (latest Bagle and I can't recall the other one). I only had to look at it to see that it was a virus, so I set to work to find a scanner that could pick it up; on one occasion neither Trend nor Symantec did. I then tried a couple of on-line scanners, again with no success. I believe running multiple antivirus is a good idea (that's why we're doing it) but it certainly isn't a cure-all.
>
> OK, here is a big warning. If a virus is in an encrypted zip file, a virus scanner WILL NOT SEE THE VIRUS! What they can do eventually is see the pattern that is used. This would include such things as the image file name that the password is in, or the file size, or the name of the file within the zip. Bagle is, if I remember, the first one that started using encrypted zip files. This is why when a virus comes out using an encrypted zip, it takes a lot longer for the AV companies to come out with the definitions.
>
> The software I use will first run the virus scanners against it, and if they do not report a virus, then can ban the message based on attachment name, attachment extension, if it is an encrypted zip, if it is a zip, and even if the zip file contains banned attachments.
>
> > One of the other posters made the point of training of users, which is something I try to strike a balance of: letting them know of new viruses while not doing it so often that they see it as a "cry wolf". Considering the vulnerability of antivirus described, I see this as probably the greatest means of defence. Our worst "hit" however was the result of someone who did know better - what do you do!
>
> Well, I too went through that. The owner of one of my clients received a zip file with a forged from address, assumed it must be OK since it was in a zip, then opened it and ran the hotpictures_scr whatever, thinking that someone sent him pictures (he always receives pictures as part of jokes; why I hate the passing of jokes), and whamo, 12 hours of labor and the network down for the day, and I hope he learned his lesson. Since then, I have a very strict policy of banning all potentially malicious executable files within zip files, as well as banning all encrypted zip files. Users are given instructions on what to do. Yes, it is work on their part. I have as clients a printing shop, a bank, a company dealing with medical billing and records (can you say HIPAA?), a financial factoring company, an electronic components company as well as some restaurants and individual users, and all of them agree and thank me for that policy.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
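As an added illustration of the gateway rules John describes (recognising an encrypted zip from its metadata even though the content cannot be scanned, and banning zips that carry executable file names inside), here is a constructed Python check. It is not John's software or any vendor's; the banned-extension list and the `make_sample` helper that fabricates test archives are assumptions for the example.

```python
import io
import struct
import zipfile

# Extensions treated as potentially malicious inside a zip (assumed policy list).
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def inspect_zip(data: bytes) -> dict:
    """Classify a zip attachment from its metadata alone.

    Bit 0 of an entry's general-purpose flag marks it as encrypted, so an
    encrypted zip is recognisable even though its content cannot be scanned;
    inner file names are matched against the banned-extension list.
    """
    verdict = {"encrypted": False, "banned": [], "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    verdict["encrypted"] = True
                name = info.filename.lower()
                dot = name.rfind(".")
                if dot != -1 and name[dot:] in BANNED_EXTENSIONS:
                    verdict["banned"].append(info.filename)
    except zipfile.BadZipFile as exc:
        verdict["error"] = str(exc)  # unparseable: could not be inspected
    return verdict


def should_ban(verdict: dict) -> bool:
    """Policy from the post: ban encrypted zips and zips holding banned files."""
    return verdict["encrypted"] or bool(verdict["banned"]) or verdict["error"] is not None


def make_sample(inner_name: str, encrypted: bool) -> bytes:
    """Build a constructed one-entry zip in memory for testing the check.

    zipfile cannot write encrypted entries, so when asked for one the flag bit
    is set afterwards in the central directory header (PK\\x01\\x02, offset 8).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.find(b"PK\x01\x02")
        struct.pack_into("<H", raw, pos + 8, struct.unpack_from("<H", raw, pos + 8)[0] | 1)
    return bytes(raw)
```

Note that a flipped flag bit only marks the entry as encrypted for the inspector; a real encrypted archive would also have ciphertext, which this check deliberately never tries to read.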