Re: Are you still looking for an excuse to block executable attachments?

From: Jeff Wright (JWright_at_DC-OPERA.ORG)
Date: 01/28/04

    Date:         Tue, 27 Jan 2004 18:48:54 -0500

    Russ--While I agree with you in principle at least, I have to take
    partial exception in practice. At my .org, I drop *most* attachments at
    the firewall and then set the same for attachment blocking on our
    Exchange-based a/v (TrendMicro ScanMail--an excellent product). .zip
    attachments are not among these, but ScanMail is set to go 5 compression
    layers deep in scanning. Pretty much, the only other things I let
    through are office files and jpegs. The rest go to the ether. So far,
    so good. We weathered the August 2003 storms with nary a blip and
    MyDoom has been caught and defanged by the a/v (which is set to
    auto-update every _hour_).

    The only attachments that are allowed through have legitimate business
    use and I would be very reluctant to stop these as well; they do have
    value. Sure, we could probably set up some other system to transfer
    files in and out, but most users don't have the savvy to do most
    anything beyond clicking "send." I shudder to think of our more
    technophobic users navigating an FTP client.

    The answer to me has been a multi-layered defense (firewall, Exchange
    a/v, desktop/server a/v and lastly (gad) the user) and user
    indoctrination (notice I didn't say "education"). I'll keep sending out
    warnings and reminders as to what _not_ to do with attachments they
    receive until the staff revolts. This is going on 2 years now and we
    have 100% success. Knock on wood, I'll keep this up until it's broke.

    Jeff Wright
    Director of Information Systems
    The Washington Opera

    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
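
The policy described in the message above (drop everything except a short allowlist, and look up to 5 compression layers deep), sketched as an added example that is not part of the original post and is not ScanMail's code. The extension list, the size cap, and the choice to drop archives that nest deeper than 5 layers or hold encrypted members are assumptions; it checks file types where the a/v product would run signature scanning.

```python
import io
import zipfile

# Assumed allowlist modelled on the post: zip, Office files, JPEGs.
ALLOWED = {".zip", ".doc", ".xls", ".ppt", ".jpg", ".jpeg"}
MAX_LAYERS = 5               # compression layers to descend, as in the post
MAX_MEMBER_BYTES = 20 << 20  # assumed cap so a zip bomb is refused, not expanded

def _ext(name):
    """Final extension, lower-cased: 'photo.jpg.exe' -> '.exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""

def check_attachment(name, data, layer=0):
    """Return (allowed, reason); anything not explicitly allowed is dropped."""
    ext = _ext(name)
    if ext not in ALLOWED:
        return False, f"blocked type {ext or '(none)'}: {name}"
    if ext != ".zip":
        return True, "ok"
    if layer >= MAX_LAYERS:
        return False, f"more than {MAX_LAYERS} compression layers: {name}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    return False, f"cannot inspect member: {info.filename}"
                ok, reason = check_attachment(info.filename, zf.read(info), layer + 1)
                if not ok:
                    return False, reason
    except (zipfile.BadZipFile, NotImplementedError):
        return False, f"unreadable archive: {name}"
    return True, "ok"

def nest(name, data, layers):
    """Build constructed test input: wrap a file in `layers` nested zips."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = f"layer{i}.zip", buf.getvalue()
    return data

if __name__ == "__main__":
    print(check_attachment("docs.zip", nest("readme.pif", b"constructed", 3)))
```

An extension check alone passes a renamed executable, which is why the message pairs attachment blocking with a/v scanning at several layers.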
