Re: Are you still looking for an excuse to block executable attachments?
From: Jeff Wright (JWright_at_DC-OPERA.ORG)
Date: Tue, 27 Jan 2004 18:48:54 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ--While I agree with you in principle at least, I have to take
partial exception in practice. At my .org, I drop *most* attachments at
the firewall and then set the same for attachment blocking on our
Exchange-based a/v (TrendMicro ScanMail--an excellent product). .zip
attachments are not among these, but ScanMail is set to go 5 compression
layers deep in scanning. Pretty much, the only other things I let
through are office files and jpegs. The rest go to the ether. So far,
so good. We weathered the August 2003 storms with nary a blip and
MyDoom has been caught and defanged by the a/v (which is set to
auto-update every _hour_).
The only attachments that are allowed through have legitimate business
use and I would be very reluctant to stop these as well; they do have
value. Sure, we could probably set up some other system to transfer
files in and out, but most users don't have the savvy to do most
anything beyond clicking "send." I shudder to think of our more
technophobic users navigating an FTP client.
The answer to me has been a multi-layered defense (firewall, Exchange
a/v, desktop/server a/v and lastly (gad) the user) and user
indoctrination (notice I didn't say "education"). I'll keep sending out
warnings and reminders as to what _not_ to do with attachments they
receive until the staff revolts. This is going on 2 years now and we
have 100% success. Knock on wood, I'll keep this up until it's broke.
Director of Information Systems
The Washington Opera
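The policy described in the post (drop most attachment types, allow office files, JPEGs and .zip archives, and look inside archives up to five compression layers deep) can be expressed as a small gateway check. The following is an added example written for this page; it is not the poster's configuration and not ScanMail's code. The extension allow-list, the entry cap and the sample archives are assumptions constructed for illustration; only the five-layer depth limit comes from the post.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy modelled on the post: allow office documents, JPEGs and .zip
# archives; everything else is dropped. Archives are opened recursively up to
# MAX_DEPTH nested layers (the post mentions 5) and every inner entry must
# itself pass the allow-list.
ALLOWED_EXTENSIONS = {".doc", ".xls", ".ppt", ".jpg", ".jpeg", ".zip"}
MAX_DEPTH = 5
MAX_ENTRIES = 1000  # assumed cap so a pathological archive cannot exhaust the scanner


def extension_allowed(name: str) -> bool:
    """Allow-list check on the final extension only, so 'report.doc.exe' fails."""
    return PurePosixPath(name).suffix.lower() in ALLOWED_EXTENSIONS


def inspect_archive(data: bytes, depth: int = 1, path: str = "") -> list[str]:
    """Return the reasons to reject this archive; an empty list means clean.

    Each entry's name is checked against the allow-list; nested .zip entries
    are opened in memory and inspected the same way until MAX_DEPTH is hit.
    """
    if depth > MAX_DEPTH:
        return [f"{path}: nesting deeper than {MAX_DEPTH} layers, refusing to open"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path or 'attachment'}: not a valid zip archive"]
    problems = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return [f"{path}: more than {MAX_ENTRIES} entries"]
        for info in infos:
            if info.is_dir():
                continue
            full = f"{path}/{info.filename}" if path else info.filename
            if not extension_allowed(info.filename):
                problems.append(f"{full}: extension not on allow-list")
                continue
            if info.filename.lower().endswith(".zip"):
                problems.extend(inspect_archive(zf.read(info), depth + 1, full))
    return problems


def attachment_verdict(filename: str, data: bytes) -> tuple[bool, list[str]]:
    """Policy decision for one attachment: (accept, reasons_for_rejection)."""
    if not extension_allowed(filename):
        return False, [f"{filename}: extension not on allow-list"]
    if filename.lower().endswith(".zip"):
        problems = inspect_archive(data, 1, filename)
        return (not problems), problems
    return True, []


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper to build in-memory sample archives (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def deep_zip(layers: int) -> bytes:
    """A clean .doc wrapped in `layers` further zip layers (constructed)."""
    data = build_zip({"leaf.doc": b"x"})
    for i in range(layers):
        data = build_zip({f"layer{i}.zip": data})
    return data


# Constructed samples: a clean archive, an executable hidden two layers down,
# and an archive nested one layer past what the scanner will open.
CLEAN_ZIP = build_zip({"q4/budget.xls": b"...", "q4/photo.jpg": b"..."})
NESTED_BAD_ZIP = build_zip({"outer.zip": build_zip({"invoice.doc.exe": b"MZ..."})})
TOO_DEEP_ZIP = deep_zip(5)

if __name__ == "__main__":
    for name, blob in [("q4.zip", CLEAN_ZIP), ("docs.zip", NESTED_BAD_ZIP),
                       ("deep.zip", TOO_DEEP_ZIP), ("setup.exe", b"MZ")]:
        ok, why = attachment_verdict(name, blob)
        print(name, "ACCEPT" if ok else "DROP", why)
```

Two design points worth noting: the check looks only at the final extension, so a double extension such as `invoice.doc.exe` is rejected rather than matched on `.doc`; and an archive nested beyond the depth limit is dropped outright rather than passed through unscanned, which is the safe default when the scanner cannot see all the way in.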
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.