To add a fresh example to my previous reply post: there is a new 0-day exploit used by more adware/spyware... == malware. If you have DownloadSecurity 6, it blocks it. ISA 2004 users without DownloadSecurity can use the HTTP header checking feature to block this malicious code.

Check if a 302 reply is found with the strings "ms-its:" and "Help\iexplore.chm" in the HTTP header, then block this connection. This is the reply from the web server you have to block:

====
HTTP/1.1 302 Found
Via: 1.0 ISASERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 4
Date: Tue, 08 Jun 2004 08:00:49 GMT
Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
Content-Type: text/html
Server: Resin/2.1.11
====

"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm" shouldn't pass through, otherwise this exploit works (Location should not point to your disk). If your clients run WinXP with SP2 they will not be affected if it passes through ISA.

Regards
David Farinic

________________________________________
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Thursday, 20 May 2004 5:38 p.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security

http://www.ISAserver.org

Thanks, I seriously think this is something worth looking into. It is probably our #1 or #2 issue right now. It can take up to a few hours to clean a system of all the crap these (*&#$@(*& install. It is extremely prevalent on home PCs along with all the spyware. I am also working with the local school district to find a solution for their systems as well. They are having a hell of a time keeping their machines clean.

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, May 19, 2004 4:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security

http://www.ISAserver.org

Hi Ray,

That's a good question.
I haven't researched yet what methods are used to install scumware on users' computers. I'm sure a variety of methods are used. I plan to do this if/when I update the application layer filtering kit to ISA 2004. I'm sure it's as easy as blocking extensions and content types, but the devil is always in the details.

Tom

This mail was checked for malicious code and viruses by GFI MailSecurity.
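The check David describes at the top of the thread (drop a 302 whose Location header sends Internet Explorer to a local CHM file over ms-its:) can be tried offline against the quoted response before building it into a proxy filter. The script below is an added example written for this page; it is not code from the mailing-list post, from ISA Server, or from GFI DownloadSecurity. It goes slightly beyond the post: besides the ms-its: scheme, it also flags any 3xx redirect whose Location is a file: URL or a bare drive path, which is the general form of "Location should not point to your disk". The two sample responses are constructed test inputs (the first one is the response quoted in the post, re-typed).

```python
"""Flag HTTP redirects whose Location header points at the client's own disk.

Added example for this thread, not the post's or any product's code.
Sample responses below are constructed inputs for offline testing.
"""
import re

# Constructed from the response David quoted in the post above.
SAMPLE_MSITS_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Via: 1.0 ISASERVER\r\n"
    "Connection: Keep-Alive\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Content-Length: 4\r\n"
    "Date: Tue, 08 Jun 2004 08:00:49 GMT\r\n"
    "Location: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n"
    "Content-Type: text/html\r\n"
    "Server: Resin/2.1.11\r\n"
    "\r\n"
)

# Constructed benign redirect for contrast.
SAMPLE_BENIGN_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Generalisation: inspect every redirect status, not only 302.
REDIRECT_STATUSES = {301, 302, 303, 307}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")   # bare "C:\..." or "C:/..."


def parse_response_head(raw):
    """Return (status_code, headers) for the head of a raw HTTP response.

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue               # tolerate junk lines rather than fail open
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def location_target(value):
    """Strip the 'URL:' prefix seen in the quoted response (IE accepts it)."""
    v = value.strip()
    if v[:4].upper() == "URL:":
        v = v[4:].lstrip()
    return v


def redirect_verdict(raw):
    """Return None if the response may pass, else a reason to drop it."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return None
    target = location_target(headers["location"])
    m = SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else ""
    if scheme == "ms-its":
        return "ms-its: redirect to local CHM: " + target
    if scheme == "file" or DRIVE_PATH_RE.match(target):
        return "redirect to local disk path: " + target
    return None


if __name__ == "__main__":
    for name, sample in (("quoted 302", SAMPLE_MSITS_302),
                         ("benign 302", SAMPLE_BENIGN_302)):
        verdict = redirect_verdict(sample)
        print("%-10s -> %s" % (name, "BLOCK: " + verdict if verdict else "pass"))
```

The scheme is matched case-insensitively and only after the optional "URL:" prefix is removed, so a Location of "URL:MS-ITS:..." is caught as well as the lower-case form in the quoted response; a plain string match on "Help\iexplore.chm" alone would miss a redirect to a different CHM file.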