Re: SOPHOS Antivirus
From: Mailman (mailman_at_anonymous.org)
Date: Sun, 30 May 2004 00:43:19 +0200
> You need to look at two things right away:
> Firewall - use a firewall that allows for SMTP attachment filtering.
> This one feature can eliminate 99% of the virus infected inbound email
> to your system. This only works if you have your own email server(s),
> but I'm assuming that you do.
I am getting a bit fed up with Leythos' "advice". In the best case it is off
topic (the OP was asking about Sophos, not opinions on security in
general); now it's outright misleading.
By definition a firewall has no mail filtering function. What you describe
above is an SMTP proxy + anti-virus filtering. They'll both work fine
without any firewall whatsoever, exactly as any firewall will work without
any proxies being involved.
Unfortunately an SMTP proxy will be effective only if you make sure your
users have no access to ANY other mail servers - which PHBs are less than
likely to accept ("I occasionally absolutely unconditionally NEED to look
at my private HotMail/AOL/Whatever account!").
> Anti-Virus - get Norton AV corporate edition and use it. Set up the
> updates for every 4 hours on the server and have the server push the
> updates to the desktops. We have Symantec AV Corporate edition set up to
> FORCE updates and scans of users' computers. You can even install (push)
> the AV software to every desktop using the remote installer (right from
> the server).
In my experience Norton has repeatedly failed to identify viruses. Even
worse, their way of filtering mail raises serious questions about data
security and confidentiality. There are enough good anti-virus programs
that will update automatically (or on command) and filter well without
passing your confidential information through Symantec's servers, not to
mention their outrageous subscription fees.
BTW - in a proxy role Sophos can be quite effective: after all, what you need
is just to identify the presence of a virus (in order to block the
attachment/message), not clean it.
> Using these two methods we've eliminated ALL (100%) of inbound virus
> attachments from all the companies we manage.
Just means you were lucky. No anti-virus can catch 100% for the simple
reason that a virus needs to be seen and analysed before a signature can be
defined. Anyone who _guarantees_ to block 100% of incoming stuff is a good
candidate for buying prime beach-front property in northern Mali.
All of this completely ignores the at least as serious issues of worms and
trojans - which most anti-virus programs (including your beloved NAV) will
not identify at all.
> After you do the above, you need to look at HTTP filtering, filtering
> what sites users are permitted to access, and blocking ALL outbound
> access that is not strictly for business needs. You can even block IM
> and those sharing apps that people like to run from their computers to
> connect to home.
At last some reasonable advice: do not allow indiscriminate outgoing
connections (your users will scream bloody murder at this point: "Are you
out of your mind? No IM and no Kazaa?"), use a filtering proxy for outgoing
HTTP, disable all ActiveX (again a less than popular thing), disable
executable content (HTTP downloading).
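An added example, not part of the original thread and not any vendor's code, of the one step the SMTP-proxy discussion above turns on: identifying a dangerous attachment so the message can be blocked, without any attempt to clean it. The blocked-extension list, the sample messages and the address names are assumptions made for the illustration; the PE "MZ" header check and the EICAR test signature are standard, and the EICAR string stands in for the "seen and analysed" signature that a real scanner would carry thousands of.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions a filtering SMTP proxy of the kind discussed above would block
# outright. Assumption: a representative list, not an exhaustive one.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta",
}

# The EICAR anti-virus test file: a harmless, standard string that every
# scanner is expected to flag. It plays the role of a virus signature here.
EICAR_SIGNATURE = (
    rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Windows executables carry the "MZ" DOS header whatever the file is named.
PE_MAGIC = b"MZ"


def attachment_findings(part) -> list:
    """Return the reasons to block this MIME part, or [] if it looks harmless.

    Three checks: every extension in the declared filename (so a double
    extension like 'invoice.txt.exe' is caught), then two content checks
    (PE magic bytes, EICAR signature) that do not trust the filename at all.
    """
    findings = []
    filename = part.get_filename() or ""
    suffixes = re.findall(r"\.[a-z0-9]+", filename.lower())
    for suffix in suffixes:
        if suffix in BLOCKED_EXTENSIONS:
            findings.append(f"blocked extension {suffix} in {filename!r}")
            break

    payload = part.get_payload(decode=True) or b""
    if payload.startswith(PE_MAGIC):
        findings.append(f"PE executable content in {filename!r}")
    if EICAR_SIGNATURE in payload:
        findings.append(f"EICAR test signature in {filename!r}")
    return findings


def scan_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and scan each attachment; return all findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


def should_reject(raw: bytes) -> bool:
    """Proxy policy: reject the whole message if any attachment is flagged."""
    return bool(scan_message(raw))


def build_sample(filename: str, content: bytes,
                 maintype: str = "application",
                 subtype: str = "octet-stream") -> bytes:
    """Construct a one-attachment test message (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed placeholder addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(content, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "double extension + PE": build_sample("invoice.txt.exe", b"MZ\x90\x00" + b"\x00" * 16),
        "PE renamed to .jpg": build_sample("photo.jpg", b"MZ" + b"\x00" * 30, "image", "jpeg"),
        "EICAR in a .txt": build_sample("eicar.txt", EICAR_SIGNATURE, "text", "plain"),
        "plain notes": build_sample("notes.txt", b"hello", "text", "plain"),
    }
    for label, raw in samples.items():
        verdict = "REJECT" if should_reject(raw) else "accept"
        print(f"{label:24s} -> {verdict} {scan_message(raw)}")
```

The filename check alone would pass the renamed executable and the EICAR file, which is the point the thread makes about needing a scanner behind the proxy rather than a firewall: detection has to look at content, and it can only match what has already been analysed into a signature.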