RE: Schedule incoming external mail
- From: "jh" <jthart@xxxxxxxxxxxxxx>
- To: exchangelist@xxxxxxxxxxxxx
- Date: Tue, 24 Aug 2004 16:23:47 -0600
Thanks, I'll take your warning on encrypted zip's on board and see what
our options are.
Regards
> > 1. We do currently block executable attachments but unfortunately this
> > happens on the mail server. I'd need to investigate further into =
> blocking
> > at the firewall. The third layer of antivirus I mentioned is at the
> > gateway. Fortunately we have standardised to a single email client =
> making
> > policy setting a lot easier. Although total attachment blocking is =
> too
> > harsh for our business requirements, I could see potential to ramp =
> this up
> > either at the firewall (if possible) or using ScanMail attachment
> > blocking.
>
> If they are being blocked at the server, that should be fine, unless you =
> are
> saying some how users are able to access their e-mail BEFORE the =
> attachments
> are blocked.
>
> > 3. On a couple of occasions I've had messages come through to myself
> > (latest Bagle and I can't recall the other one). I only had to look =
> at it
> > to see that it was a virus so I set to work to find a scanner that =
> could
> > pick it up - on one occasion neither Trend or Symantec did. I then =
> tried
> > a couple of on-line scanners, again with no success. I believe =
> running
> > multiple antivirus is good idea (that's why we're doing it) but it
> > certainly isn't a cure-all.
>
> OK, here is a big warning. If a virus is in an encrypted zip file, a =
> virus
> scanner WILL NOT SEE THE VIRUS! What they can do eventually is see the
> pattern that is used. This would include such things as the image file =
> name
> that the password is in, or the file size, or the name of the file =
> within
> the zip. Bagle is if I remember the first one that started using =
> encrypted
> zip files. This is why when a virus comes out using an encrypted zip, it
> takes a lot longer for the AV companies to come out with the =
> definitions.
> The software I use will first run the virus scanners against it, and if =
> they
> do not report a virus, then can ban the message based on attachment =
> name,
> attachment extension, if it is an encrypted zip, if it is a zip and even =
> it
> the zip file contains banned attachments.
>
> > One of the other posters made the point of training of users which is
> > something I try to strike a balance of letting them know of new virus
> > while not doing it so often that see it as a "cry wolf". Considering =
> the
> > vulnerability of antivirus described I see this as probably the =
> greatest
> > means of defence. Our worst "hit" however was the result of someone =
> who
> > did know better - what do you do!
>
> Well, I too went through that. The owner of one of my clients received a =
> zip
> file in with a forged from address, assumed it must be OK since it was =
> in a
> zip, then opened it and ran the hotpictures_scr what ever thinking that =
> some
> one sent him pictures, (he always receives pictures as part of jokes, =
> why I
> hate the passing of jokes,) and whamo, 12 hours of labor and the network
> down for the day and I hope he learned his lesson. Since then, I have a =
> very
> strict policy of banning all potentially malicious executable files =
> within
> zip files, as well as banning all encrypted zip files. Users are given
> inscructions on what to do. Yes, it is work on their part. I have as =
> clients
> a printing shop, a bank, a company dealing with medical billing and =
> records,
> (Can you say HIPPA?), a financial factoring company, a electronic =
> components
> company as well as some resteranunts and individual users, and all of =
> them
> agree and thank me for that policy.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
Other related posts:
