This is not an "official" endorsement, but I use the McAfee VirusScan
product, and it caught everyone of my virus attachments yesterday without
any patches or updates.
For what it's worth...
-bill
At 11:43 AM 2/13/2001 -0500, Matt Rogghe wrote:
>Just an interesting note here and maybe a request for feedback. I first
>found the virus yesterday after I got back from lunch and had something like
>10-15 e-mails from the users here in my office... all the virus. Four users
>here had opened the attachment before I could stop them. Since I had just,
>minutes before, received those e-mails, I ran to the server and yanked the
>connection between the firewall and the mail server.... deleted all outbound
>e-mails from the exchange server queue (users will at least get a
>non-delivery if it was genuine business).... cleaned off the PC's and then
>re-connected the server. Now, I work in a small office (~25 users) so I can
>do this sort of thing with impunity where some of you guys in bigger
>installations probably can't, but my real question here is: are there any
>good Exchange virus/content scan agents out there? I took a look at a few a
>short while back and again yesterday and was discouraged to note that not a
>single one would identify the Kournikova virus unless you had updated the
>software with a patch released sometime yesterday.... probably a little too
>late. I suppose I could purchase one of these and simply quarantine any
>.vbs/.js/any executable that came through until I looked at it, but I was
>hoping for something a little more automated. Just a pipe dream? Any
>products of note out there you guys have experience with?
>
>Thanks,
>Matt Rogghe
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, February 13, 2001 10:53 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Matt Rogghe;
>[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE:
>
>
>I only meant that I use debug.
>
> > ----------
> > From: Gibson, Brian
> > Sent: 13 February 2001 15:42
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE:
> >
> > Just curious but what exactly is the inherent risk in opening
> > attachments in a text only editor? I often use a text editor to
> > quickly review attachments for malicious intent. If they are binary
> > files then I go with an analyzer but for script attacks why is a text
> > editor a poor choice?
> >
> > If that wasn't your implications I apologize for misreading your
> > statement.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [
> > mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 13, 2001 8:31 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > Subject: RE:
> >
> >
> > Que?
> >
> > I was not complaining about the e-mail informing us that is was a
> > 'nasty
> > little script'. I was highlighting the point that a mailing list whose
> >
> > focus is IT Security was used to prolifferate malware.
> >
> > Let me see if I have you straight here. OK its nice to see the A.V.
> > and
> > content analysis tools you have spent much resource on working as
> > intended (Cheers for the the sample guys). But you can't seriously be
> > telling me that the fact that this script was (Apparently/allegedly)
> > sent to every e-mail address in Mr Rollie's Address Book, and that it
> > was forwarded on to all of us is a usefull service?
> >
> > As one security professional to another. Even if it had no effect on
> > any
> > recipient. What would your response be when one of your company's
> > customers calls up to complain about being sent a virus via e-mail
> > from
> > one of your users. Let me see if I can guess....
> >
> > To give you some comfort ( as you are obviosuly concerned for my well
> > being ) Of course I don't trust attachments. I do examine suspicious
> > attachments with something a little more sophisticated than Notepad
> > (or
> > is that vi).
> >
> > My appologies to all on the list. My mail was supposed to address what
> > I
> > considered to be a serious issue. My intention was not to flame the
> > guys
> > who run this list or to start a flame war on the list. However, I fear
> >
> > that may be the result.
> >
> > Liam.
> >
> > > ----------
> > > From: Bill Royds
> > > Sent: 13 February 2001 13:00
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> > [EMAIL PROTECTED];
> > > [EMAIL PROTECTED]
> > > Subject: RE:
> > >
> > > Actually that message was very useful to me. It gave me early
> > warning
> > > about the virus by showing that it leaked through our email
> > anti-virus
> > > and the code gave me some strings to scan for on our IDS.
> > > As a security professional, I never execute anything I get in
> > email,
> > > but I do examine it with text only tools to look for problems. Don't
> >
> > > you
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [ mailto:[EMAIL PROTECTED]]On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, February 13, 2001 06:03
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: RE:
> > > Importance: High
> > >
> > >
> > > I have to say that it is a pretty sad state of affairs when a
> > mailing
> > > list that is dedicated to IT security issues falls foul of this type
> >
> > > of
> > > problem.
> > >
> > > Is there any need to allow attachments on this forum?
> > >
> > > I assume that there is some form of content analysis performed on
> > the
> > > traffic through this list.....?
> > >
> > > I would assume that most people on this list have some form of
> > content
> > > analyser implemented on their mail gateway. I would further assume
> > > that
> > > if you were not covered when the first VBS was distributed then you
> > > were
> > > pretty soon afterwards ( weren't you? ). This is the responsible
> > thing
> > > to do. I am sure that the guys who run this list would think so too.
> >
> > >
> > > I know that this list is run (pretty smoothly) as a free service to
> > us
> > > and the relevant T&Cs are in place, but people have been put on RBL
> > > for
> > > less. Is there a cheep and simple method you guys could implement by
> >
> > > which attachments could be prohibited on this list?
> > >
> > > Cheers,Liam.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > > ----------
> > > > From: Matt Rogghe
> > > > Sent: 12 February 2001 20:55
> > > > To: 'Gary Rollie'; [EMAIL PROTECTED]
> > > >
> > > > That last post to here was a nasty little replicator script.
> > Looks
> > > > like
> > > > it's just hitting the global address list so far on the exchange
> > > > server.
> > > > -
> > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > "unsubscribe firewalls" in the body of the message.]
> > > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> >
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
