Re: SOPHOS Antivirus

From: Mailman (mailman_at_anonymous.org)
Date: 05/30/04


Date: Sun, 30 May 2004 00:43:19 +0200

Leythos wrote:

> You need to look at two things right away:
>
> Firewall - use a firewall that allows for SMTP attachment filtering.
> This one feature can eliminate 99% of the virus infected inbound email
> to your system. This only works if you have your own email server(s),
> but I'm assuming that you do.

I am getting a bit fed-up with Leythos' "advice". In the best case it is off
topic (the OP was asking about Sophos, not opinions on security in
general), now it's outright misleading.

By definition a firewall has no mail filtering function. What you describe
above is an SMTP proxy + anti-virus filtering. They'll both work fine
without any firewall whatsoever, exactly as any firewall will work without
any proxies being involved.

Unfortunately an SMTP proxy will be effective only if you make sure your
users have no access to ANY other mail servers - which PHBs are less than
likely to accept ("I occasionally absolutely unconditionally NEED to look
at my private HotMail/AOL/Whatever account!").

> Anti-Virus - get Norton AV corporate edition and use it. Setup the
> updates for every 4 hours on the server and have the server push the
> updates to the desktops. We have Symantec AV Corporate edition setup to
> FORCE updates and scan's of users computers. You can even install (push)
> the AV software to every desktop using the remote installer (right from
> the server).

In my experience Norton has repeatedly failed to identify viruses. Even
worse, their way of filtering mail raises serious questions about data
security and confidentiality. There are enough good anti-virus programs
that will update automatically (or on command) and filter well without
passing your confidential information through Symantec's servers, not to
mention their outrageous subscription fees.

BTW - in a proxy role Sophos can be quite effective: after all what you need
is just to identify the presence of a virus (in order to block the
attachement/message), not clean it.

> Using these two methods we've eliminated ALL (100%) of inbound virus
> attachments from all the companies we manage.

Just means you were lucky. No anti-virus can catch 100% for the simple
reason that a virus needs to be seen and analysed before a signature can be
defined. Anyone who _guarantees_ to block 100% of incoming stuff is a good
candidate for buying prime beach-front property in northern Mali.

All of this completely ignores the at least as serious issues of worms and
trojans - which most anti-virus programs (including your beloved NAV) will
not identify at all.

> After you do the above, you need to look at HTTP filtering, filtering
> what sites users are permitted to access, and blocking ALL outbound
> access that is not strictly for business needs. You can even block IM
> and those sharing apps that people like to run from their computers to
> connect to home.

At last some reasonable advice: do not allow indiscriminate outgoing
connections (your users will scream bloody murder at this point: "Are you
out of your mind? No IM and no Kazaa?"), use a filtering proxy for outgoing
HTTP, disable all ActiveX (again a less than popular thing), disable
executable content (HTTP downloading).

-- 
Mailman


Relevant Pages

  • SBS2003 Anti Virus
    ... Yes - Use the AVD (Active Virus Defence) from Network ... Does hourly updates, has scanners for SMTP, Exchange, ... Server and will start at a 5 cal count for ...
    (microsoft.public.windows.server.sbs)
  • Re: Swen and Earthlink
    ... > virus problem like Swen. ... Contrary to what others are saying, message rules to ... > from the server are not working for me. ... > with it by filtering their servers. ...
    (microsoft.public.security.virus)
  • Re: Server Hangs !!!!
    ... server.After restarting i See many error logs in Event viewer with Event ... ID:2019, Source: Srv, Desc: The server was unable to allocate from the ... > Then i run stinger to find any virus, i found natsky virus in Badmail ... Service packs and updates are not sufficient ...
    (microsoft.public.win2000.general)
  • Re: Windows 98SE Internet Connection Sharing
    ... I have a major job each week updating many virus data bases. ... there's so called anti-virus server which only cover e- ... out for the other systems to use as a "Folder" it updates the AVG from. ...
    (comp.sys.ibm.ps2.hardware)
  • w32.welchia.worm (Symantec def.)
    ... After writing binary zeroes over my entire disk array and ... reformatting the disks I loaded W2K server. ... updates were necessary and applied them. ... the NAV virus from my NAV server with the 8/27 virus ...
    (microsoft.public.win2000.security)