We instituted the same policy yesterday. We started diverting all office format documents as well as .txt files (we had seven instances of [EMAIL PROTECTED] make it all the way to the mail server, where the AV picked it, because the attachment was disguised as a .txt file.) for testing. We told the users it may delay the delivery of an e-mail up to an hour...no complaints, and we have the backing of the computer security person, the CIO and the president of the company.
-----Original Message----- From: Michael Henry [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 1:54 PM To: Exchange Discussions Subject: The New MS Word / VBA vulnerability in Attachments After reading the announcement concerning the vulnerability in MS Word / VBA, began to think proactively about the impact. I started filtering .doc and checking them myself before forwarding them on. And sent out a notice to that affect. I do about 20 or so of these daily. Well, I was reluctantly supported by my manager. And now I am getting negative feedback because of the impact it's having. No 'real' complaints about delayed delivery. The social engineering is practically perfect on this. The virus on first pass, simply looks up every e-mail with a .doc. Infects it and re-sends it with "UPDATED" added to the subject line. Then e-mails others with "I forgot to send this." So the sender is known by the recipient on this one. Please let me ask you, especially if the VBA is polymorphic/self modifying, what are the chances, that if it got through the AV on your server, that your user would open this e-mail? As time goes by, the caliber and sophistication of viruses are getting better and not worst. Now, I hope that the payload does not turn bad on this one. Like the virus detects that it has sent to everyone that it could, then starts deleting files. Until the first virus hits and it's variants, Am I being cautious? Therefore, should keep the filter on. Or Am I over reacting? An need to turn off the filter. Your opinion is requested. Regards, Michael Henry The one responsible either way it goes. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]