On Tue, 13 Feb 2001, Matt Rogghe wrote:
> non-delivery if it was genuine business).... cleaned off the PC's and then
> re-connected the server. Now, I work in a small office (~25 users) so I can
> do this sort of thing with impunity where some of you guys in bigger
> installations probably can't, but my real question here is: are there any
> good Exchange virus/content scan agents out there? I took a look at a few a
> short while back and again yesterday and was discouraged to note that not a
> single one would identify the Kournikova virus unless you had updated the
> software with a patch released sometime yesterday.... probably a little too

I'm not sure about the gateway product breakdown (I didn't think to ask
specifically about gateway products,) but only 50% of scanners in total
caught it by 11am EST yesterday, and some of the differences weren't the
same as the set that missed the last loveletter variant.

> late. I suppose I could purchase one of these and simply quarantine any
> .vbs/.js/any executable that came through until I looked at it, but I was
> hoping for something a little more automated. Just a pipe dream? Any
> products of note out there you guys have experience with?

Generally it's a pipedream. Even with automatic updates, the current fast
mailers are propagating more quickly than updates are available for all
cases. You do decrease your likelihood, but depending on where the
infection starts to get traction and what timezone you're in is more of an
issue than if you've updated the scanner in the last 24 hours.

In this specific case, a lot of users were *lucky* that the author used a
toolkit which had enough of a signature that some vendors could catch the
kit even without a sample. Depending on luck seems to me to be
self-defeating.

The list of executable filetypes for Win* is _really_really_ long, but
it's best to quarantine those you don't need. That's 100% effective
against viruses that use the particular vector. Anyone who's allowing
.VBS over the Internet as a matter of business probably needs to do
another risk assessment.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
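
The extension quarantine discussed in the message above, sketched as an added example that is not part of the original post or any product mentioned in it. The extension set is a short, non-exhaustive assumption, and the function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: a small sample of Windows-executable extensions. The real list
# is much longer; a site would quarantine every type it does not need.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com",
                      "scr", "pif", "bat", "cmd", "hta", "shs", "lnk"}

def final_extension(filename):
    """Return the lowercased last extension, ignoring trailing dots and
    spaces (Windows drops them, so 'x.vbs. ' still opens as a .vbs file)."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def attachments_to_quarantine(raw_message):
    """Return filenames of MIME parts whose final extension is blocked.
    Only the last extension counts, so 'picture.jpg.vbs' is caught."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a filename
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits

def build_sample():
    """Constructed sample message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("report.txt", "picture.jpg.VBS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    # A gateway would hold these parts for review instead of delivering them.
    print(attachments_to_quarantine(build_sample()))
```

The decision is made on the filename alone, so it does not depend on a signature update having arrived before the message does.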