Just spoke with them on this. Was informed that they're currently analyzing
the issue in QA and with the scan engine vendors. I'd check back with them
in the next day or so on next steps.


-----Original Message-----
From: Harmon, Josh [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 3:28 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

I was thinking that might be the problem... BUT

Would that take care of *.*.*.*.com files?  If that's really the issue, this
is something that Sybari needs to address from a coding standpoint in my
opinion.  *.com should kill anything that ends in *.com.  Or is it up to me
to guess how many 'dot' separators the next virus will use?

-----Original Message-----
From: Kemppel, Charlean [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 5:13 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

I have *.com filtered on the Internet & Real-time engines on my IMC & it
slipped in as well; I actually spoke to a support guy @Sybari & he
suggested that since the file had multiple "." Antigen saw the extension as
.myparty and ignored the rest. Sybari suggested using a filter of *.*.com
to capture multiple extension files.

-----Original Message-----
From: David Weinstein [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 4:57 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

I am running Antigen as well - this slipped by my .com filter as well.

-----Original Message-----
From: Saul [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 28, 2002 2:08 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose

I am also blocking *.com on our SMTP Scan Job for Antigen but this
attachment slipped by.  Luckily the user who got it suspected something and
called us.  I have updated the virus engines running on our Antigen but I am
curious why the attachment blocking didn't work?  Any IDEAS?


> This one slipped by our *.com file matching as well... actually it's 
> been a little hit and miss... some were caught but others were not 
> stopped until we installed the definition file--We're running Antigen 
> with the Norman def. I'm still seeing weird stuff.... some seem to be 
> getting through the IMC scan and making it to the store and getting 
> disinfected there.  That's the first time I've ever seen that.  Very 
> odd indeed.  Most that are being caught are by the virus 
> definition--because generally we just get the *.com type block 
> message.  Wonder what's going on here.
> Fortunately we run something different on the desktop--and it had 
> updated through the night.
> Josh Harmon
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 8:20 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
> Somehow this one slipped past our .com filter on our linux firewall.  
> NAV for exchange caught it by the .COM extension, and norton had just 
> liveupdated us an hour earlier with the new definitions that would 
> have caught it if it wasn't a blocked extension.  I think the syntax 
> of the attachment code is probably not RFC compliant.
> Tom
> -----Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 9:03 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
> Fortunately we're all blocking *.com right? The *.com viruses are 
> going to take forever to combat from a social engineering standpoint. 
> It's probably worth investing some time in user education on .com 
> files because I think this is going to be a new favorite virus writing 
> style for the next few months.
> Chris Scharff
> The Mail Resource Center
> http://www.mail-resources.com
> -----Original Message-----
> From: Martin Blackstone
> To: Exchange Discussions
> Sent: 1/28/2002 7:57 AM
> Subject: FW: Alert: W32/Myparty-mm on the loose
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 5:45 AM
> Subject: Alert: W32/Myparty-mm on the loose
> Be aware that this morning you will likely find a copy of this new 
> mass mailer in your mail systems. This is a pure social engineering 
> attack, it contains an attachment named as a URL with a .com 
> extension. Since .com is also an application, it will be run as such 
> if it's double-clicked on. Check with your AV company for updates 
> and/or filtering criteria. If you can, be sure you have attachment 
> filtering enabled at your mail gateway. Outlook Email Security Update, 
> and Outlook 2002, both catch this attachment and prevent it from being 
> available for the user to click on.
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]

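Added example, not part of the original thread and not Antigen's code: a model of the extension handling the Sybari support contact described (token after the first dot, rest ignored) beside a check on the token after the last dot, which is what decides how the file is launched. The file names and the blocklist are constructed for illustration.

```python
import fnmatch

# Assumed blocklist for this example; not taken from the thread.
BLOCKED_EXTENSIONS = {"com", "exe", "pif", "scr"}

def ext_first_dot(filename):
    """Model of the behaviour described in the thread: the token right
    after the FIRST dot is treated as the extension, the rest is ignored."""
    parts = filename.split(".")
    return parts[1].lower() if len(parts) > 1 else ""

def ext_last_dot(filename):
    """Token after the LAST dot, case-folded. Trailing dots and spaces are
    stripped first so 'x.com. ' is judged the same as 'x.com'."""
    cleaned = filename.strip().rstrip(". ")
    _, dot, ext = cleaned.rpartition(".")
    return ext.lower() if dot else ""

def is_blocked(filename, extractor):
    """Apply the blocklist using the given extension extractor."""
    return extractor(filename) in BLOCKED_EXTENSIONS

def glob_blocked(filename, mask="*.com"):
    """Glob check where '*' may span dots, so one mask covers any number
    of dot-separated parts in front of the final extension."""
    cleaned = filename.strip().rstrip(". ").lower()
    return fnmatch.fnmatchcase(cleaned, mask)

# Constructed sample attachment names.
SAMPLES = [
    "www.myparty.example.com",  # URL-shaped name, as in the alert
    "a.b.c.d.COM",              # many separators, upper-case extension
    "notes.com",                # single extension
    "report.doc",               # benign
    "setup.com. ",              # trailing dot and space
]

def audit(samples=SAMPLES):
    """Return (name, first_dot_verdict, last_dot_verdict, glob_verdict)."""
    return [
        (s, is_blocked(s, ext_first_dot), is_blocked(s, ext_last_dot),
         glob_blocked(s))
        for s in samples
    ]

if __name__ == "__main__":
    for name, first, last, glob in audit():
        print(f"{name!r:28} first-dot={first!s:5} last-dot={last!s:5} glob={glob}")
```

With the last-dot check or a dot-spanning glob, the number of separators in the name no longer matters, so there is no need to add a *.*.com, *.*.*.com, ... mask per variant.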