Hi Ken:
Yes, the behavior you are describing is how OutBreak Manager is designed.
If your specified threshold is exceeded, then GroupShield will temporarily
apply your desired rule(s) until the threat seems to be contained. Then,
after executing your desired rules (notifying, downloading a latest DAT,
etc.), and the number of messages has dropped off, then OBM will release the
rule so that future mails can be delivered properly. This is because if you
want to allow DOC attachments, but there was an outbreak, you would only
want to temporarily block that file type until protection was updated. If
it is a specific file name that is causing the problem (such as
BADFILE.DOC), then the administrator can add that to the list of files to
block.
If you would like to discuss this further, then please contact me.
Regards.
Robert Grupe, PE
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 07 December, 2001 16:35
To: Exchange Discussions
Subject: RE: Exchange / McAfee / ePolicy Orchestrator Question
Robert,
I have found Outbreak Manager to be flaky at best. Maybe I am not configuring it correctly. I have it set to trigger on 30 identical attachments detected within 5 minutes. It is to react automatically by blocking email with specific attachment name and then escalate to update DAT. The problem that I have is that it seems to start blocking the attachments for a while. Then it will "unwind" the rule and release them and start letting them through again.
I want it to stop them all and let me decide to start letting them in again.
There seems to be no rhyme or reason to the way that it works.
Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001
-----Original Message-----
From: Grupe, Robert [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 3:59 AM
To: Powell, Ken
Subject: RE: Exchange / McAfee / ePolicy Orchestrator Question
See responses below...
Robert Grupe, PE
[EMAIL PROTECTED]
-----Original Message-----
From: Fred W. Macondray Jr. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 05 December, 2001 18:45
To: Exchange Discussions
Subject: Exchange / McAfee / ePolicy Orchestrator Question
Hi All,
Sorry this is slightly off topic, but NAI is obviously swamped by Goner and I just hung up after 30 minutes on hold as I have much to do around here.
Questions:
1) How can I distribute the Extra.DAT files from McAfee that cover the Goner virus to NetShield and GroupShield with ePO?
Currently the released versions of GroupShield for Exchange only have reporting capabilities with ePO, but configuration & policy support will be included in the next releases.
2) Is it necessary to distribute the EXTRA.DAT file with or do the DAT files with the same date contain the signature of Goner too?
As answered on the list, the 4174 DATs contained the signature and can be rolled out via Superdat (this will update all McAfee products running on the machine) or through the AutoUpdate within the products.
3) Outbreak manager... what's the typical configuration? What do you use (assuming you use GroupShield).
There is no typical configuration since the creation of rules depends on the throughput of the server, number of users etc. For example a rule would be x number of identical attachments in y time - x needs to be large enough that an innocent file sent to a number of users does not trigger but Goner would with y being short enough to be effective.
Thanks in Advance,
Fred
Fred Macondray
Systems Administrator
Virtual Purchase Card, Inc.
mailto:[EMAIL PROTECTED]
http://www.virtualpurchasecard.com
- "Guaranteed B2B Purchases"
_________________________________________________________________
List posting FAQ:
http://www.swinc.com/resource/exch_faq.htm
Archives:
http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
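
An added illustration, not part of the original thread and not McAfee's code: a small model of the threshold rule discussed above (x identical attachments in y seconds), showing why an auto-releasing rule lets later copies through once the rate falls and how a hold-until-released rule differs. The class, its `latch` option and the traffic are constructed assumptions; the thread does not say GroupShield offers such an option.

```python
from collections import deque

class OutbreakRule:
    """Toy model: `threshold` identical attachments within `window` seconds."""

    def __init__(self, threshold, window, latch=False):
        self.threshold = threshold
        self.window = window
        self.latch = latch     # hypothetical option: hold the block until release()
        self.seen = {}         # attachment key -> arrival times inside the window
        self.blocked = set()

    def observe(self, key, now):
        """Record one message carrying `key`; return 'block' or 'deliver'."""
        times = self.seen.setdefault(key, deque())
        times.append(now)
        while now - times[0] > self.window:   # drop arrivals older than the window
            times.popleft()
        if len(times) >= self.threshold:
            self.blocked.add(key)             # outbreak: apply the blocking rule
        elif not self.latch:
            self.blocked.discard(key)         # rate fell off: the rule unwinds
        return "block" if key in self.blocked else "deliver"

    def release(self, key):
        """Administrator decision to let the attachment through again."""
        self.blocked.discard(key)
        self.seen.pop(key, None)

# Constructed traffic: 40 copies 5 s apart, a lull, then 5 stragglers 120 s apart.
ARRIVALS = [5 * i for i in range(40)] + [600 + 120 * i for i in range(5)]

def simulate(rule, arrivals=ARRIVALS, key="BADFILE.DOC"):
    return [rule.observe(key, t) for t in arrivals]

if __name__ == "__main__":
    for name, latch in (("auto-release", False), ("hold until released", True)):
        verdicts = simulate(OutbreakRule(threshold=30, window=300, latch=latch))
        print(f"{name:20} blocked={verdicts.count('block'):2} "
              f"stragglers={verdicts[40:]}")
```

In both modes the first 29 copies are delivered before the threshold trips, which is the cost of setting x high enough to avoid false triggers.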