RE: Schedule incoming external mail

  • From: "jh" <jthart@xxxxxxxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Tue, 24 Aug 2004 16:23:47 -0600

Thanks, I'll take your warning on encrypted zip's on board and see what
our options are.


> > 1. We do currently block executable attachments but unfortunately this
> > happens on the mail server.  I'd need to investigate further into =
> blocking
> > at the firewall.  The third layer of antivirus I mentioned is at the
> > gateway.  Fortunately we have standardised to a single email client =
> making
> > policy setting a lot easier.  Although total attachment blocking is =
> too
> > harsh for our business requirements, I could see potential to ramp =
> this up
> > either at the firewall (if possible) or using ScanMail attachment
> > blocking.
> If they are being blocked at the server, that should be fine, unless you =
> are
> saying some how users are able to access their e-mail BEFORE the =
> attachments
> are blocked.
> > 3. On a couple of occasions I've had messages come through to myself
> > (latest Bagle and I can't recall the other one).  I only had to look =
> at it
> > to see that it was a virus so I set to work to find a scanner that =
> could
> > pick it up - on one occasion neither Trend or Symantec did.  I then =
> tried
> > a couple of on-line scanners, again with no success.  I believe =
> running
> > multiple antivirus is good idea (that's why we're doing it) but it
> > certainly isn't a cure-all.
> OK, here is a big warning. If a virus is in an encrypted zip file, a =
> virus
> scanner WILL NOT SEE THE VIRUS! What they can do eventually is see the
> pattern that is used. This would include such things as the image file =
> name
> that the password is in, or the file size, or the name of the file =
> within
> the zip. Bagle is if I remember the first one that started using =
> encrypted
> zip files. This is why when a virus comes out using an encrypted zip, it
> takes a lot longer for the AV companies to come out with the =
> definitions.
> The software I use will first run the virus scanners against it, and if =
> they
> do not report a virus, then can ban the message based on attachment =
> name,
> attachment extension, if it is an encrypted zip, if it is a zip and even =
> it
> the zip file contains banned attachments.
> > One of the other posters made the point of training of users which is
> > something I try to strike a balance of letting them know of new virus
> > while not doing it so often that see it as a "cry wolf".  Considering =
> the
> > vulnerability of antivirus described I see this as probably the =
> greatest
> > means of defence.  Our worst "hit" however was the result of someone =
> who
> > did know better - what do you do!
> Well, I too went through that. The owner of one of my clients received a =
> zip
> file in with a forged from address, assumed it must be OK since it was =
> in a
> zip, then opened it and ran the hotpictures_scr what ever thinking that =
> some
> one sent him pictures, (he always receives pictures as part of jokes, =
> why I
> hate the passing of jokes,) and whamo, 12 hours of labor and the network
> down for the day and I hope he learned his lesson. Since then, I have a =
> very
> strict policy of banning all potentially malicious executable files =
> within
> zip files, as well as banning all encrypted zip files. Users are given
> inscructions on what to do. Yes, it is work on their part. I have as =
> clients
> a printing shop, a bank, a company dealing with medical billing and =
> records,
> (Can you say HIPPA?), a financial factoring company, a electronic =
> components
> company as well as some resteranunts and individual users, and all of =
> them
> agree and thank me for that policy.
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

Other related posts: