According to the Sybari tech, "Either one should work.  *.*.* would be for
any double extension or more extensions while the *.*.com would be for
double extensions ending in .com."  I agree that this is an issue; the
*.com file filter gives one a false sense of security that anything ending
in .com will be filtered.  Sybari's website doesn't suggest using the
*.*.extension approach either
http://www.sybari.com/alerts/filter.asp?year=2002 .  I'm continuing to push
the issue w/the Sybari TAM.



-----Original Message-----
From: Harmon, Josh [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 6:28 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose


I was thinking that might be the problem... BUT

Would that take care of *.*.*.*.com files?  If that's really the issue, this
is something that Sybari needs to address from a coding standpoint in my
opinion.  *.com should kill anything that ends in *.com.  Or is it up to me
to guess how many 'dot' separators the next virus will use?
Josh

-----Original Message-----
From: Kemppel, Charlean [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 5:13 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose


I have *.com filtered on the  Internet & Real-time engines on my IMC & it
slipped in as well;  I actually spoke to a support guy @Sybari & he
suggested that since the file had multiple "."  Antigen saw the extension as
.myparty and ignored the rest.   Sybari suggested using a filter of *.*.com
to capture multiple extension files.   

-----Original Message-----
From: David Weinstein [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 4:57 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose


I am running Antigen as well - this slipped by my .com filter as well - 

-----Original Message-----
From: Saul [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 28, 2002 2:08 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose


I am also blocking *.com on our SMTP Scan Job for Antigen but this
attachment slipped by.  Luckily the user who got it suspected something and
called us.  I have updated the virus engines running on our Antigen but I am
curious why the attachment blocking didn't work?  Any IDEAS?

Saul

> This one slipped by our *.com file matching as well... actually it's 
> been a little hit and miss... some were caught but others were not 
> stopped until we installed the definition file--We're running Antigen 
> with the Norman def. I'm still seeing weird stuff.... some seem to be 
> getting through the IMC scan and making it to the store and getting 
> disinfected there.  That's the first time I've ever seen that.  Very 
> odd indeed.  Most that are being caught are by the virus 
> definition--because generally we just get the *.com type block 
> message.  Wonder what's going on here.
> 
> Fortunately we run something different on the desktop--and it had 
> updated through the night.
> 
> Josh Harmon
> 
> 
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 8:20 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
> 
> 
> Somehow this one slipped past our .com filter on our linux firewall.  
> NAV for exchange caught it by the .COM extension, and norton had just 
> liveupdated us an hour earlier with the new definitions that would 
> have caught it if it wasn't a blocked extension.  I think the syntax 
> of the attachment code is probably not RFC compliant.
> 
> Tom
> 
> -----Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 9:03 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
> 
> 
> Fortunately we're all blocking *.com right? The *.com viruses are 
> going to take forever to combat from a social engineering standpoint. 
> It's probably worth investing some time in user education on .com 
> files because I think this is going to be a new favorite virus writing 
> style for the next few months.
> 
> Chris Scharff
> The Mail Resource Center
> http://www.mail-resources.com
> 
> -----Original Message-----
> From: Martin Blackstone
> To: Exchange Discussions
> Sent: 1/28/2002 7:57 AM
> Subject: FW: Alert: W32/Myparty-mm on the loose
> 
> 
> 
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 5:45 AM
> To: [EMAIL PROTECTED]
> Subject: Alert: W32/Myparty-mm on the loose
> 
> 
> Be aware that this morning you will likely find a copy of this new 
> mass mailer in your mail systems. This is a pure social engineering 
> attack, it contains an attachment named as a URL with a .com 
> extension. Since .com is also an application, it will be run as such 
> if its double-clicked on. Check with your AV company for updates 
> and/or filtering criteria. If you can, be sure you have attachment 
> filtering enabled at your mail gateway. Outlook Email Security Update, 
> and Outlook 2002, both catch this attachment and prevent it from being 
> available for the user to click on.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
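The parsing problem discussed in this thread, as an added example (not code from any poster or from Sybari): a check that takes the text after the first dot as the extension misses multi-dot names and also misfires on harmless ones, while a check on the text after the last dot does not depend on how many dots the name has. The attachment names, the blocked-extension set and all function names are constructed for illustration; `first_dot_ext` only models the behaviour the Sybari support contact described.

```python
from email import message_from_bytes
from email.message import EmailMessage

BLOCKED_EXTS = {"com", "exe", "pif", "scr", "bat"}  # example policy (assumption)
# Constructed attachment names, not taken from the thread.
SAMPLE_NAMES = ["setup.com", "www.myparty.example.com", "a.b.c.d.COM",
                "invoice.txt.com.", "notes.com.txt"]

def first_dot_ext(filename):
    """Model of the behaviour described in the thread: the segment after the
    FIRST dot is treated as the extension and the rest is ignored."""
    parts = filename.lower().split(".")
    return parts[1] if len(parts) > 1 else ""

def final_ext(filename):
    """Text after the LAST dot, after dropping any path component and the
    trailing dots/spaces that Windows removes from file names."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def blocked_attachments(msg, ext_of):
    """Return attachment names whose extension (per ext_of) is blocked."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        if name and ext_of(name) in BLOCKED_EXTS:
            hits.append(name)
    return hits

def build_sample(names):
    """Constructed message with one tiny attachment per name, serialized and
    re-parsed so the check runs on wire-format headers as a gateway would."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for n in names:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=n)
    return message_from_bytes(msg.as_bytes())

if __name__ == "__main__":
    sample = build_sample(SAMPLE_NAMES)
    print("first-dot parse blocks:", blocked_attachments(sample, first_dot_ext))
    print("last-dot parse blocks: ", blocked_attachments(sample, final_ext))
```

The first-dot model lets `www.myparty.example.com` through and blocks the harmless `notes.com.txt`; the last-dot check blocks every name that would run as a .com file and leaves the .txt alone.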