[ExchangeList] Re: file filtering best practice?

  • From: "Arnold, Jamie" <harnold@xxxxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jul 2006 09:08:46 -0400

Thanks, Rick:

 

I've actually used Antigen from its inception.  They were the only
cluster aware product back in 1997.  This issue is larger than that
unfortunately.  I'm looking at our main campus mail system which is *IX
based (Cyrus and Sendmail).  We currently use a Barracuda as the edge
proxy and it works wonderfully.  We get around 1 million emails a day
and drop over 96% of them due to file filtering or infection.
Currently, we simply drop emails with certain file extensions as we have
over 48,000 unique email addresses and asking every user to monitor and
maintain their quarantine space would be a staggering undertaking.  Many
would simply never look there and the storage requirements for some
940,000 emails daily are, well...enormous.

 

I use Antigen in the manner you mentioned, but we only have around 1000
mailboxes on the Exchange boxen right now.

 

Thanks

 

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Boza
Sent: Tuesday, July 25, 2006 8:56 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: file filtering best practice?

 

I've had great experiences with Antigen (formerly Sybari, now Microsoft)
on this very topic.  Antigen opens all zips and quarantines those that
have infections.  Password protected ones can be automatically
quarantined.  Another great feature is the ability to scan and/or filter
files that have had their extensions changed in an attempt to get past a
mail filter - it opens the file up and examines it rather than just
relying on .zip as the extension to identify it.

Great stuff.

Rick


On 7/25/06 8:49 AM, "Arnold, Jamie" <harnold@xxxxxxxxxxxxxx> wrote:

Martin:
 
May I ask what you use to quarantine them?
 
Thanks
 

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Martin
Blackstone
Sent: Tuesday, July 25, 2006 8:33 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: file filtering best practice?
 
We quarantine them, then release if they are OK.
The users don't love it, but they understand it.

________________________________


From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Arnold, Jamie
Sent: Tuesday, July 25, 2006 5:31 AM
To: exchangelist@xxxxxxxxxxxxx
Cc: Exchange2000@xxxxxxxxxxxxxxx
Subject: [ExchangeList] file filtering best practice?
In dealing with zip files specifically, I'm wondering what is considered
the "best practice"?  We simply remove the file at our edge proxy, but
have been getting a little flak from a few users. Our data shows that
nearly 94% of the .zip files that come in via email are infected so I'm
not likely to be convinced to allow them through.

What say you?
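
The content-based checks described in Rick's reply (identifying a zip by its bytes rather than its extension, and flagging password-protected archives), as an added Python example that is not part of the thread and is not Antigen or Barracuda code. The blocked-extension list, the quarantine/deliver actions and the function names are assumptions, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")      # local file header, empty archive
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat"}  # assumed site policy, not from the thread

def classify_attachment(filename, data):
    """Return (action, reason) based on the bytes, not the declared name."""
    if data[:4] not in ZIP_MAGIC:
        return ("deliver", "not a zip archive")
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return ("quarantine", "zip signature but unreadable archive")
    # Bit 0 of the general-purpose flags marks an encrypted member.
    if any(m.flag_bits & 0x1 for m in members):
        return ("quarantine", "password-protected archive")
    bad = [m.filename for m in members
           if os.path.splitext(m.filename)[1].lower() in BLOCKED_EXT]
    if bad:
        return ("quarantine", "blocked member: " + ", ".join(bad))
    if not filename.lower().endswith(".zip"):
        return ("quarantine", "zip content under non-zip extension")
    return ("deliver", "no policy match")

def make_zip(names, encrypted=False):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:  # set the encryption flag in the first central directory entry
        pos = raw.find(b"PK\x01\x02")
        raw[pos + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    samples = [("report.txt", b"plain text"),
               ("invoice.doc", make_zip(["notes.txt"])),
               ("tools.zip", make_zip(["setup.exe"])),
               ("secret.zip", make_zip(["x.txt"], encrypted=True)),
               ("photos.zip", make_zip(["a.jpg"]))]
    for name, data in samples:
        print(name, classify_attachment(name, data))
```

This covers only the identification step; a "deliver" result still needs virus scanning of the extracted members before the message is passed on.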

 
