On Tue, 13 Feb 2001, Noonan, Wesley wrote:

> Here is where I think it is overkill. Security isn't everything, and it sure
> isn't the only thing. Someone once told me "security that hampers work is
> not security". That is such a true statement. Security like that is just as
> bad as the "malicious code" it serves to stop. They take different methods,
> but the end result is the same - lost time and money.

*All* security hampers work.  The lock on my door hampers work since i
have to waste 5 seconds opening it.  Same as a car alarm.  Do i lose more
time/money by taking 5 seconds to unlock the car everyday, or should i
just leave it open all the time??  Users don't know (computer) security,
but they definitely need it.  It's up to us to figure out how much...

> Rather than blocking all .vbs extensions, one could block only those that
> their DAT files recognize. That allows the .vbs extensions a company may
> need to receive to work just fine. I'll give you an example. This very email
> I am writing will be blocked by no less than 10 people on this list. Why?
> Not because it contains a virus (it doesn't) but because it contains a key
> word. And as a result, no less than 10 people will gain no worthwhile
> information from our exchange (not that they would anyway, but you get my
> point ;-)). This is little better than blocking "all .vbs files". It
> prevents the exchange of information.

I completely disagree that this is "better" than blocking all .vbs.  If
you're blocking this key word, how do you get CERT advisories??  How do
you get advisories from your vendor??  How do you get that message from
your mom when she asks if you got hit with the new virus!

> Does the above protect against everything? No, you have the possibility that
> a "new" virus slips in before your DAT's are updated, but one must ask
> themselves "is the risk worth it, now that I have mitigated it in this
> manner". The answer varies from case to case.

99% of the time the virus will hit before your DAT's are updated, unless
you're updating every machine every 5 minutes.  The virus isn't "new"
until it hits, and a worm of this nature can spread throughout the world
in a few short hours.

> Let me ask you this. Does anyone know of an email scanning product that
> blocks "all .exe and .com extensions" by default and design? Of course not
> (or at least I don't know of one - not by default at least), since people
> need to be able to pass executables as part of their day to day business.
> The same holds true for .vbs. The shops that have lots of W2K and are
> managing the hell out of it are doing so with scripting.

I'll say again that a .vbs attachment is completely useless.  There's no
valid reason for it.  And if you're "managing the hell out of" your W2k
shop by emailing vbs scripts to yourself then running them in outlook,
then i'd say you have much bigger problems than this little virus thing.

> An even better solution to the .vbs issue that I have seen is the newest
> outlook patches which only allow you to save files with that extension (no
> running of the code from the email client). Now that's a good balance of
> protection and function IMHO. Another solution (though with secure email it
> is tough, if not impossible, to do) is to change the extension to something
> like .txt when it passes through the gateway. Yet another one is to change
> the default execution method for .vbs to be "notepad.exe". Then one can
> either use cscript to manually run any .vbs that they need to, or pick an
> extension (i.e. .wes) and associate .wes with wscript. Now anything that
> comes in as .vbs is harmless, and you can still push and run scripts
> internally by using the .wes extension.

Great... if only i could find that automagic update every machine on the
network script.

> It's all about mitigating the risk while providing solutions that allow the
> users to work. No one said that it would be easy :)

Until then, i'll just block ALL vbs scripts, and js, vbe, pif, reg, scr,
and anything else that looks dangerous, since those files are much much
more risky than they are useful when sent as a mail attachment.  I would
hope a lot of people agree.

later!
Ray
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                       http://www.r-a-y.org
Systems Administrator               Southeastern Louisiana University
IBM Certified Specialist              AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
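
The blanket extension policy described in the reply above (block .vbs, .js, .vbe, .pif, .reg and .scr regardless of content), sketched as a gateway-side check. This is an added example, not code from the original message or from any mail product; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the reply above. The policy is "block the type",
# so nothing here depends on virus signatures (DAT files) being current.
BLOCKED_EXTENSIONS = {".vbs", ".js", ".vbe", ".pif", ".reg", ".scr"}


def final_extension(filename: str) -> str:
    """Return the lower-cased last extension, as Windows would resolve it."""
    # Windows drops trailing dots and spaces from file names, so
    # "update.vbs. " is still a .vbs file once it is saved.
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return cleaned[dot:] if dot != -1 else ""


def blocked_attachments(raw_message: bytes) -> list[str]:
    """List attachment file names whose final extension is on the block list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition, then Content-Type "name"
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message: two blocked attachments, one harmless."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="Notes.TXT.vbs")
    msg.add_attachment("plain text", filename="readme.txt")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="saver.SCR")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

Only the last extension is compared, so a double extension such as `Notes.TXT.vbs` is caught, and the comparison is case-insensitive.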


