We mostly rely on our appliance (IronPort) to catch them, but we do have a special rule that quarantines any password-protected ZIP files (because the appliance can't inspect those).
From: David Lum [mailto:david....@nwea.org] Sent: Tuesday, April 09, 2013 10:51 AM To: NT System Admin Issues Subject: .ZIP file e-mail attachments Do any of you guys still allow this? I ask because at %formerjob% they were blocked, but %dayjob% allows them, and last week and today we've received infected .ZIP files. Last week was another autorun outbreak, today we caught it before anyone actually ran it. We keep getting latest and greatest variants "First seen by VirusTotal 2013-04-09 09:51:15 UTC (4 hours, 58 minutes ago)". Grr... David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin