Re: Are you still looking for an excuse to block executable attachments?

From: Jeff Wright (JWright_at_DC-OPERA.ORG)
Date: 01/28/04

    Date:         Tue, 27 Jan 2004 18:48:54 -0500

    Russ--While I agree with you in principle at least, I have to take
    partial exception in practice. At my .org, I drop *most* attachments at
    the firewall and then set the same for attachment blocking on our
    Exchange-based a/v (TrendMicro ScanMail--an excellent product). .zip
    attachments are not among these, but ScanMail is set to go 5 compression
    layers deep in scanning. Pretty much, the only other things I let
    through are office files and jpegs. The rest go to the ether. So far,
    so good. We weathered the August 2003 storms with nary a blip and
    MyDoom has been caught and defanged by the a/v (which is set to
    auto-update every _hour_).

    The only attachments that are allowed through have legitimate business
    use and I would be very reluctant to stop these as well; they do have
    value. Sure, we could probably set up some other system to transfer
    files in and out, but most users don't have the savvy to do most
    anything beyond clicking "send." I shudder to think of our more
    technophobic users navigating an FTP client.

    The answer to me has been a multi-layered defense (firewall, Exchange
    a/v, desktop/server a/v and lastly (gad) the user) and user
    indoctrination (notice I didn't say "education"). I'll keep sending out
    warnings and reminders as to what _not_ to do with attachments they
    receive until the staff revolts. This is going on 2 years now and we
    have 100% success. Knock on wood, I'll keep this up until it's broke.

    Jeff Wright
    Director of Information Systems
    The Washington Opera

    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
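The attachment policy described in the message above (drop everything except Office files, JPEGs and .zip, and look 5 compression layers deep) can be sketched as a gateway filter. This is an added example, not part of the original post and not ScanMail's logic; the extension list, the size cap, the function names and the choice to drop archives that are nested too deep, encrypted or unreadable are all assumptions.

```python
import io
import zipfile

# Assumed allow-list modelled on the post: Office files, JPEGs and .zip.
ALLOWED = {".doc", ".xls", ".ppt", ".jpg", ".jpeg", ".zip"}
MAX_DEPTH = 5                 # compression layers to unpack, as in the post
MAX_MEMBER_BYTES = 10 << 20   # assumed cap so a decompression bomb is refused


def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def verdict(name, data, depth=0):
    """Return 'allow' or 'drop' for one attachment (file name, raw bytes)."""
    if ext(name) not in ALLOWED:
        return "drop"             # the last extension decides: a.jpg.exe is .exe
    if ext(name) != ".zip":
        return "allow"
    if depth >= MAX_DEPTH:
        return "drop"             # assumption: fail closed past the layer limit
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    return "drop"  # encrypted or oversized: cannot be inspected
                if verdict(info.filename, zf.read(info), depth + 1) == "drop":
                    return "drop"
    except zipfile.BadZipFile:
        return "drop"             # named .zip but not parseable as one
    return "allow"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()
```

A filter like this only enforces the extension policy; the a/v scan of the allowed content that the message relies on remains a separate layer.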
