Re: FW: Warning Message: Your services near to be closed.

  • From: "Ruba Al-Omari" <romari@xxxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 16 Jun 2005 03:19:26 -0600

Inline

"My understanding is that any anti-virus product that wants to scan inside
the IS must use the VSAPI."

(ruba): true, when talking about scanning inside the IS, but you can scan
the message before it enters the IS and is in Exchange message format,
MTA message scanning for example. (Each mail on entering the Internet Mail
Service is placed in the IN subdirectory. This is where Antigen scans the
inbound queue for infected attachments. At this stage the IMS attempts to
deliver the message to the Microsoft Exchange Server computer for the
final delivery by the MTA (Message Transfer Agent) or the information
store to the recipients. If at this stage the recipient is not in the
particular site directory the message is sent to the OUT subdirectory
and sent to the next IMS. At this point the message leaves the environment
unscanned by VSAPI (GFI)).
Also, in-memory scanning done by Antigen minimizes impact on the Exchange
server for optimum protection and efficiency, which can't be done with
GFI.

"FYI, if a message is infected with a virus laden attachment, the message
is worthless. There is no legit reason to remove or otherwise clean the
message and then send it on its way. This is an extremely bad practice
that some anti-virus engines insist on doing. We consider those messages
worthless and only cause confusion and problems with and for users."

(ruba): Actually this is exactly what I am saying: GFI insists on deleting
neither the message nor the attachment; it only quarantines it if
it violates the Trojan and Executable scanner rule and waits for the
administrator to approve or reject the Trojan.

"In the best case scenario, that works. However, being proactive and watching
what is happening on the server tells me a lot quicker about a new virus
than waiting for a notice. I have found Sophos notices to be about the
quickest, but even then it takes an hour or more for the notice to be sent
out. What we have to rely on is multiple layers of defense. In my case, I
ban all executable type files, which has stopped new virus outbreaks cold
as they start."

(ruba): being proactive is not the way to go about it, being preemptive
is. I mentioned the notifications because I was listing what would be good
to have in GFI not because administrators should rely on the
notifications.

"Now, I am not saying you should use/rely on GFI, as all products have
pluses and minuses."

(ruba): totally agree, the Exchange server anti-virus shouldn't be thought
of as being the only measure to secure the network; you should look into
everything else as well (starting with your router access list, hardware
firewall, your ISA 2004, your VLAN segmentation filtering, your data
SSLed, your wireless firewalled and separated from your wired, your VPN
tunnel security, your users' desktops firewalled and scanned, your users'
security awareness, your biometrics, strong passwords, etc. This can go on
for a few pages), and most important is to know that after all your LAN is
not 100% secure and will not be unless it's basically unavailable most of
the time.

r.
