Reason I said that, Jim, is that this all happens at the point an identically named file is received as an attachment thru our Exch server to his Outlook client.

As far as I'm aware the machine is fully up to date, both the virus definitions on the exchange server and the desktop AV software, and the updates to both Windows and IE6 as reported by windowsupdate.microsoft.com.

Is the fault likely to be with scanmail failing to notice the virus attachment, or a problem with the client?

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: 21 May 2002 15:43
To: Exchange Discussions
Subject: RE: Klez in attached html

"...Officescan flags up that there is a file in the user's temp internet folder with Klez... Why wouldn't scanmail be stopping this file? I haven't in the past considered that we should be blocking htm and html, but should we?"

Stop and read what you just wrote, Niki. Why isn't adding *.htm and *.html going to change a thing, if you add it to your e-mail scanning program? I'll tell you why...because the "attempted" infection is not coming through the e-mail system. Someone is connecting to the Internet and either getting this from an infected web site, or they are reading their private e-mail through a web browser.

When this happens, the virus scanner on the desktop catches the .exe file that is masquerading as an .html file and holds it in the Temporary Internet Files folder, before it can execute. Depending on how you have your desktop AV configured, it will either quarantine the file after the person is through visiting that page, or it will delete it entirely.

If you want to stop this kind of behaviour, you need to institute an AV Gateway for all your web traffic, as well as your e-mail traffic.

We use NAV CE on all the servers and workstations, with the exception of the Exchange servers, where we use NAV MSE. We have Qmail on our Mail Relay server connected to the Internet. This does the initial subject type and attachment type scanning. We also use NAV AV Gateway software to scan web traffic.
Jim Blunt

-----Original Message-----
From: Niki Blowfield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 1:35 AM
To: Exchange Discussions
Subject: Klez in attached html

I appreciate this is probably down to my misunderstanding of this virus, but we have one user who is being sent an html file.

As soon as the email is clicked on, the attachment is attempted to be opened by Outlook. Then Officescan flags up that there is a file in the user's temp internet folder with Klez, and it is the same filename as the html attachment, but the html has changed to exe.

For instance, today he has an email with revisions1.html attached. When he selects the email, it attempts to open the attachment, and Officescan quarantines the file revisions1.exe from the temp internet folder.

I thought that Klez attachments had double extensions, like revisions1.html.exe.

Why wouldn't scanmail be stopping this file? I haven't in the past considered that we should be blocking htm and html, but should we?

I've checked this PC with Officescan and Symantec's tool, and it shows no traces of Klez.

Thanks
Nik

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
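
The two cases raised in the thread (an executable arriving under an .html name, and a double extension such as revisions1.html.exe) can be checked on attachment content rather than on the name alone. The sketch below is an added example, not part of the original messages and not how ScanMail or OfficeScan work; the sample message, the extension list and the function names are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_MAGIC = b"MZ"  # first two bytes of a DOS/Windows executable
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}  # assumed blocklist


def build_sample():
    """Constructed sample message; the 'executables' are just MZ plus padding."""
    fake_exe = b"MZ" + b"\x00" * 62
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "revisions"
    msg.set_content("See attached.")
    msg.add_attachment(fake_exe, maintype="text", subtype="html",
                       filename="revisions1.html")
    msg.add_attachment(b"<html><body>ok</body></html>", maintype="text",
                       subtype="html", filename="notes.html")
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="revisions1.html.exe")
    return msg.as_bytes()


def scan_message(raw):
    """Return (filename, reason) for each attachment that should be held."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""  # bytes after base64/QP decoding
        ext = os.path.splitext(name.lower())[1]
        if data.startswith(EXECUTABLE_MAGIC) and ext not in EXECUTABLE_EXTS:
            # Content says executable, name says otherwise.
            findings.append((name, "executable content under a non-executable name"))
        elif ext in EXECUTABLE_EXTS and name.count(".") >= 2:
            findings.append((name, "double extension ending in an executable type"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"HOLD {name}: {reason}")
```

A two-byte magic check is deliberately minimal; a gateway scanner would validate more of the file header before deciding.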