Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/24/03


Date: Sun, 24 Aug 2003 09:13:04 -0400


Well, firewalls don't tend to block email viruses, and antivirus doesn't
tend to block worms that spread like wildfire on the first day or three.
The Grisoft antivirus that we recommend so much around here only updates
every week [or month?] by default, and if the computer is not on line at the
time, who knows if the antivirus even gets updated ever. If I remember
correctly, Sobig only came out last Tuesday and spread wildly that same day,
so some copies of AVG haven't even tried to run the update since then, so
that wouldn't be the user's fault. Also, AVG's updates are at least a MB in
size each time you run the update, a bit of a problem for 56K home users.

Most organizations probably only had a few hours on Tuesday after the
discovery of the virus to get all their antivirus updates in place, and in
an organization of thousands of computers, or a mother at work while her
children are at home on line, that just isn't enough time to react. A few
hours is barely enough time to send out an email warning people, let alone
reach all the company's antivirus server and internet email gateway
administrators and get them to reconfigure all their devices.

There are a LOT of large organizations that had both firewalls and antivirus
that got Sobig and other worms. So, the problem is a little trickier than
just blaming the victim. It may make sense to blame the victim if a patch
or update is a few months old, but not if the update is just a few hours or
days old.

Having said that, I think Norton's corporate edition update scheme is way
better than many of the update solutions out there [both in terms of ability
to roll out small mini-updates of just a few KB on demand at the last minute
and watch which devices don't have it yet in a central server log], so I
think those customers may be in a little better position to roll out large
numbers of updates on demand. Unfortunately, people keep buying other crap
that doesn't do automatic updates as well.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:edH0S6XaDHA.2648@TK2MSFTNGP09.phx.gbl...
> "Ogre" <Ogre@hotmail.com> wrote in message
> news:VYI1b.418$XB.6@news-binary.blueyonder.co.uk...
> : I wonder how bad this problem would be if the majority of home users
> : installed a firewall program or some kind of layered defence. I was talking
> : to a DSL user the other night and I asked him what firewall he was using, he
> : replied ''What is a firewall?''
>
>
> Hi.
>
> The worm wouldn't even run if the user didn't open the received attachment
> in the first place.
>
> Users who have:
> a) firewalls (software or hardware)
> b) up-to-date antivirus
> c) some kind of software that protects them against registry changes
> usually don't open unsolicited .exe or .pif attachments from people they
> don't know!
>
> :-)
>
> Unfortunately, there will always be home, and small business users (and a
> few large businesses) that don't have the knowledge and/or infrastructure to
> protect themselves. My organisation (large EDU) didn't have a problem
> on-campus per se, just a huge strain on the central AV filtering system
> (over a 48 hour period, we had about 15,000 Sobig messages/hour - I imagine
> the peak period had many more messages/hour).
>
> Cheers
> Ken
>
>


