Life in Windowsland

by Volker Weber

Christopher Harvey describes the latest virus outbreak at his company:

Well, one user in our company was infected with Mydoom.f just 8 hours prior to the newer DATs being released that would have saved us. Anyway, this vicious little bugger ripped through our file server and deleted thousands of .XLS and .DOC files.

Initially we weren't sure how widespread the outbreak was and had everyone shut down. After scanning the home drives on the file server we found only the one user's drive was affected. Then we started the arduous process of requesting the off-site tape and restoring files while our anti-virus guru spent hours on the phone with McAfee. Apparently we were one of the first companies hit and our guy was a primo source of info on the virus for McAfee.

Well, here we are one day later, and we are now blocking all ZIP files in addition to the 20 executable extensions we have blocked for months.

How much stuff can you block before mail gets useless?
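The trade-off Chris describes (block every ZIP, or accept Mydoom.f riding in on one) has a middle ground: open the ZIP and reject only those carrying executables. The filter below is an added illustration, not code from this page or from the company involved; its extension list is an assumed sample, not the 20 extensions actually blocked there.

```python
import io
import zipfile

# Assumed policy: a representative subset of blocked executable extensions
# (the page mentions 20 such extensions without listing them).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}
MZ_HEADER = b"MZ"  # magic bytes of DOS/Windows PE executables

def is_executable(name: str, head: bytes) -> bool:
    """Flag a file by its final extension (so 'report.doc.exe' is caught) or by MZ header."""
    suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return suffix in BLOCKED_EXTENSIONS or head[:2] == MZ_HEADER

def attachment_verdict(name: str, data: bytes) -> tuple[str, list[str]]:
    """Decide 'allow' or 'block' for one attachment. ZIPs are opened and their
    members checked instead of every ZIP being rejected outright."""
    reasons: list[str] = []
    if not name.lower().endswith(".zip"):
        if is_executable(name, data[:2]):
            reasons.append(f"executable attachment {name}")
        return ("block" if reasons else "allow"), reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected, so reject
                    reasons.append(f"encrypted member {info.filename}")
                    continue
                with zf.open(info) as member:
                    if is_executable(info.filename, member.read(2)):
                        reasons.append(f"executable member {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("malformed zip")
    return ("block" if reasons else "allow"), reasons

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample members (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    benign = make_zip({"budget.xls": b"\xd0\xcf\x11\xe0 sample", "notes.txt": b"hello"})
    hostile = make_zip({"invoice.doc.exe": b"MZ\x90\x00 sample"})
    print(attachment_verdict("budget.zip", benign))    # ('allow', [])
    print(attachment_verdict("invoice.zip", hostile))  # ('block', ['executable member invoice.doc.exe'])
```

Encrypted and malformed archives are rejected because they cannot be inspected, which is the one case where the blanket ZIP block is the only honest answer.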

Comments

The real question is: How many viruses, Trojan horses, security flaws and attacks can you bear (and afford) before Windows gets useless?

Eric Garneau, 2005-02-12

Hmmm, what mail system were they using?

Alan Lepofsky, 2005-02-12

Wrong question, Alan.

Volker Weber, 2005-02-12

If I recall correctly there was a rant on Chris Linfoot's site anticipating the problem: http://chris-linfoot.net/plinks/CWLT-67PDZU If the virus filters did not rely only on patterns, that might have been avoidable.
:-) stw

Stephan H. Wissel, 2005-02-12

When virus attacks started to spread via mail systems, it was at first a typical layer 8 problem: users who unknowingly opened, executed, or whatever, file attachments.

Some time later users were taught that opening attachments from unknown sources is a no-go, and some of them really realized that they can actively avoid viruses by following that recommendation.

Now viruses either exploit security holes in badly patched systems, or abuse security holes for which no patches exist, or use sender addresses of people that are, well, not "unknown sources", since the recipients actually were in contact with those senders.

Every day I see companies that simply rely on centralized virus filtering using server-based solutions. Telling them that they should get client-side filtering as well makes them tell me that this would be unaffordable, but still they give their employees notebooks that they can drag home, get infected, and bring epidemic virus threats back into the corporate network.

So actually we now have three possible causes, and I have no clue how they are distributed across the 100%, so I will list them in no particular order.

- Insecure setup of workstations/servers:

This is caused by either ignorant users, system administration or even management.

- Insecure systems per se:

Ignorant behaviour of software manufacturers that leave widely known security holes open for months and then finally fix them with a "non-critical" patch.

- Unaware user behaviour:

Users sometimes don't even care about what they do; they click on every attachment and execute it. The PEBCAK (problem exists between chair and keyboard) user even clicks on every security warning issued by their web browser and installs unsigned and untrusted applets, controls and every single advert banner.

Killing one cause might reduce infections a lot, but still there are two more causes left. And I've seen Domino companies who got users that ruined the day with a "launch" click on an attachment.

Sascha Reissner, 2005-02-12

... and I know it's worth it, being hectored about bringing my own, self-administered PowerBook into my company, where everybody else fights with these issues once in a while, except for me...

Armin Roth, 2005-02-12

... and yes, we do use Notes/Domino as group collaboration tool.

Armin Roth, 2005-02-12

Good points all.

As for blocking zips, I was on a client site that instituted something similar about a year ago. They "held" zips for 24 hours before final delivery into mailboxes (rescanning them first of course). They must have determined the threat eased as they dropped the practice after a couple months. Thankfully.

Just curious... anyone else notice the date on the linked article? Looks like it's from last year.

Rod Stauffer, 2005-02-13

Yep - it's from 0x7D4 but the topic is nonetheless still up to date ;)

Sascha Reissner, 2005-02-13

How much stuff can you block before mail gets useless?

Hmmm... your assertion does not compute... since when is email a file transfer protocol?

Yes, you can use MS Word to write a so-called email. And transfer the resulting application/msword monstrosity as a MIME attachment. This doesn't mean that you should.

Ditto for file transfer.

Petite Abeille, 2005-02-13
