We've been using Trend Micro (http://www.antivirus.com) ScanMail for Exchange with no problem for almost 2 years. We automatically update the virus pattern and have had no problem with the latest viruses, including the one you mention. We've configured the real time scanner to delete automatically the infected attachments, and so it did with this Kournikova virus.....

-----Original Message-----
From: Matt Rogghe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 11:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE:

Just an interesting note here and maybe a request for feedback. I first found the virus yesterday after I got back from lunch and had something like 10-15 e-mails from the users here in my office... all the virus. Four users here had opened the attachment before I could stop them. Since I had just, minutes before, received those e-mails, I ran to the server and yanked the connection between the firewall and the mail server.... deleted all outbound e-mails from the exchange server queue (users will at least get a non-delivery if it was genuine business).... cleaned off the PCs and then re-connected the server.

Now, I work in a small office (~25 users) so I can do this sort of thing with impunity where some of you guys in bigger installations probably can't, but my real question here is: are there any good Exchange virus/content scan agents out there? I took a look at a few a short while back and again yesterday and was discouraged to note that not a single one would identify the Kournikova virus unless you had updated the software with a patch released sometime yesterday.... probably a little too late. I suppose I could purchase one of these and simply quarantine any .vbs/.js/any executable that came through until I looked at it, but I was hoping for something a little more automated. Just a pipe dream? Any products of note out there you guys have experience with?
Thanks,
Matt Rogghe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 10:53 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Matt Rogghe; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE:

I only meant that I use debug.

> ----------
> From: Gibson, Brian
> Sent: 13 February 2001 15:42
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE:
>
> Just curious but what exactly is the inherent risk in opening
> attachments in a text only editor? I often use a text editor to
> quickly review attachments for malicious intent. If they are binary
> files then I go with an analyzer but for script attacks why is a text
> editor a poor choice?
>
> If that wasn't your implication I apologize for misreading your
> statement.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 8:31 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE:
>
> Que?
>
> I was not complaining about the e-mail informing us that it was a
> 'nasty little script'. I was highlighting the point that a mailing
> list whose focus is IT Security was used to proliferate malware.
>
> Let me see if I have you straight here. OK, it's nice to see the A.V.
> and content analysis tools you have spent much resource on working as
> intended (Cheers for the sample guys). But you can't seriously be
> telling me that the fact that this script was (Apparently/allegedly)
> sent to every e-mail address in Mr Rollie's Address Book, and that it
> was forwarded on to all of us is a useful service?
>
> As one security professional to another. Even if it had no effect on
> any recipient. What would your response be when one of your company's
> customers calls up to complain about being sent a virus via e-mail
> from one of your users. Let me see if I can guess....
>
> To give you some comfort (as you are obviously concerned for my well
> being) Of course I don't trust attachments. I do examine suspicious
> attachments with something a little more sophisticated than Notepad
> (or is that vi).
>
> My apologies to all on the list. My mail was supposed to address what
> I considered to be a serious issue. My intention was not to flame the
> guys who run this list or to start a flame war on the list. However,
> I fear that may be the result.
>
> Liam.
>
> > ----------
> > From: Bill Royds
> > Sent: 13 February 2001 13:00
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > Subject: RE:
> >
> > Actually that message was very useful to me. It gave me early
> > warning about the virus by showing that it leaked through our email
> > anti-virus and the code gave me some strings to scan for on our IDS.
> > As a security professional, I never execute anything I get in
> > email, but I do examine it with text only tools to look for
> > problems. Don't you
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, February 13, 2001 06:03
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE:
> > Importance: High
> >
> > I have to say that it is a pretty sad state of affairs when a
> > mailing list that is dedicated to IT security issues falls foul of
> > this type of problem.
> >
> > Is there any need to allow attachments on this forum?
> >
> > I assume that there is some form of content analysis performed on
> > the traffic through this list.....?
> >
> > I would assume that most people on this list have some form of
> > content analyser implemented on their mail gateway. I would further
> > assume that if you were not covered when the first VBS was
> > distributed then you were pretty soon afterwards ( weren't you? ).
> > This is the responsible thing to do. I am sure that the guys who
> > run this list would think so too.
> >
> > I know that this list is run (pretty smoothly) as a free service to
> > us and the relevant T&Cs are in place, but people have been put on
> > RBL for less. Is there a cheap and simple method you guys could
> > implement by which attachments could be prohibited on this list?
> >
> > Cheers,
> > Liam.
> >
> > > ----------
> > > From: Matt Rogghe
> > > Sent: 12 February 2001 20:55
> > > To: 'Gary Rollie'; [EMAIL PROTECTED]
> > >
> > > That last post to here was a nasty little replicator script.
> > > Looks like it's just hitting the global address list so far on
> > > the exchange server.
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
