Well, thank you very much, Martin.  I'll look into implementing your
suggestions ASAP.  

Paul Chinnery
Network Administrator
Mem Med Ctr


-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 10:58 AM
To: Exchange Discussions
Subject: RE: Infect file slips thru Trend Antivirus


There you go. You cannot depend on MAPI scanning. ANY Exch aware AV will
let files slip under load when doing MAPI only.
You need to turn on the AVAPI or ESE based scanning (depending on your
version). You also need to block more file types.
Also, do both AVAPI and MAPI, also let it scan the message body.

I will now provide you with the famous Martin Blackstone Blocked Files
List. You will use this list going forward (This list should be in the
FAQ)

Basics
vbs;shs;js;com;bat;cmd;pif;scr;chm;VB

Full List
VB;ASX;ADE;ADP;BAS;BAT;BIN;CHM;CMD;COM;CPL;CRT;DLL;EXE;HIV;HLP;HTA;INF;
INS;ISP;JS;JSE;JTD;MSC;MSI;MSP;MST;OCX;OFT;OVL;PCD;PIF;PL;PLX;SCR;SCT;SH;
SHB;SHS;SYS;VBE;VBS;VSS;VST;VXD;WSC;WSF;WSH;


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Chinnery Paul
Sent: Monday, October 22, 2001 7:53 AM
To: Exchange Discussions
Subject: RE: Infect file slips thru Trend Antivirus


MAPI, 5.5 sp4, exe vbs cmd bat

Server load - you may be right.  It's on a Pro 200 dual with 500 meg RAM
and it handles around 150 mailboxes and public folders.

Paul Chinnery
Network Administrator
Mem Med Ctr


-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 10:38 AM
To: Exchange Discussions
Subject: RE: Infect file slips thru Trend Antivirus


How are you doing the scan? MAPI, AVAPI, or ESE?
This sounds like MAPI. When doing MAPI scans, the scanner can become
overloaded and pass virii. Also, what version of Trend, what Exch SP,
and what file types are you blocking?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Chinnery Paul
Sent: Monday, October 22, 2001 7:27 AM
To: Exchange Discussions
Subject: Infect file slips thru Trend Antivirus


Today, we had a virus outbreak with the "homepage" virus (released in
the wild 5/9).  We use TrendMicro's AV on our Exchange server (5.5)
along with the desktop version.

From the infected computer, I received 9 emails of the virus.  With the
first 4 emails, Trend caught and stripped the attachment.  However, the
subsequent 5 emails had the attachment with them. (And, btw, I also have
it set up to block exe, vbs, bat and cmd files.)

Even more, when two more computers got infected opening the attachment
from the original pc, Trend didn't catch those subsequent emails at all.

I understand, of course, Ed's rule of thumb about technological
solutions but I'm mostly just curious (and concerned to a degree) why
our AV didn't protect us that much.  

I've contacted Trend support and asked them why this happened but I'm
simply throwing it out here for comment.  I just find it rather
perplexing that Trend only catches half of them.  

Paul Chinnery
Network Administrator
Mem Med Ctr
_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
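
Added example, not part of the thread: a Python check that applies the "Full List" from Martin Blackstone's reply to the attachment names in a MIME message, matching case-insensitively on the last extension. The function names and the sample message are constructed for illustration.

```python
from email import message_from_string

# "Full List" from the thread, verbatim (line-wrapped tokens rejoined).
FULL_LIST = ("VB;ASX;ADE;ADP;BAS;BAT;BIN;CHM;CMD;COM;CPL;CRT;DLL;EXE;HIV;HLP;HTA;INF;"
             "INS;ISP;JS;JSE;JTD;MSC;MSI;MSP;MST;OCX;OFT;OVL;PCD;PIF;PL;PLX;SCR;SCT;SH;"
             "SHB;SHS;SYS;VBE;VBS;VSS;VST;VXD;WSC;WSF;WSH;")
BLOCKED = {ext.lower() for ext in FULL_LIST.split(";") if ext}

def final_extension(filename):
    """Lower-cased last extension, ignoring trailing dots and spaces
    (Windows drops them, so 'x.vbs. ' is still treated as a .vbs file)."""
    name = filename.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def blocked_attachments(raw_message):
    """Return [(filename, extension)] for every MIME part with a blocked name."""
    hits = []
    for part in message_from_string(raw_message).walk():
        filename = part.get_filename()  # falls back to Content-Type name=
        if filename:
            ext = final_extension(filename)
            if ext in BLOCKED:
                hits.append((filename, ext))
    return hits

# Constructed sample message (hypothetical names), not taken from the thread.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="notes.txt"

x
--b1
Content-Disposition: attachment; filename="page.HTML.vbs"

x
--b1
Content-Type: application/octet-stream; name="Setup.EXE."

x
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```
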