[Mimedefang] NAI uvscan DAT-update

Mark Roedel MarkRoedel at letu.edu
Tue Jan 29 10:35:09 EST 2002


> -----Original Message-----
> From: Karel.DeBruyne [mailto:dbruyne at uia.ua.ac.be] 
> Sent: Tuesday, January 29, 2002 7:36 AM
> To: mimedefang at lists.roaringpenguin.com
> Subject: RE: [Mimedefang] NAI uvscan DAT-update
> 
> 
>> You should be blocking .com attachments.  A few of my 
>> clients' setups have already blocked this virus without
>> using any virus scanners.
> 
> Yes, I know this is your idea of security :-)
> 
> I am doing this with vbs, shs, vxd and pif but bat, com and 
> exe are too often used (you know these stupid jokes sent
> around), and I'd get a lot of angry phone calls...
> 
> My users are scientists, very sensitive about their "academic
> freedom" which means they think they're clever enough to decide
> for themselves what to do with such an attachment but they're
> not clever enough to solve their virus problems %$%#&@#!!!

Academic folk are fun, aren't they?

Here's how we've handled that situation here:

Our filter is based on the list published by Microsoft of file
extensions that can potentially execute malicious code.  This list is
published as part of the Outlook Security Update documentation at
http://office.microsoft.com/Assistance/2000/Out2ksecFAQ.aspx

The message that's sent when an attachment is quarantined lets both the
recipient and the sender know that the attachment was removed and tells
them that if they really need the file to go through, their options
include renaming the file, packaging it with, for example, WinZip, or
posting it on a website somewhere and just sending the URL.  This gives
us a couple of things that have proven helpful in an academic
environment:

(1) We cite an outside, credible source as our reason for blocking, and
(2) We give them a method for getting their dancing pigs, elf bowling,
etc. if they feel they really need it.

(I don't generally publicize this, but I also keep quarantined files
around for a week or so before deleting them, so if a particular file
became an issue for some reason I'd be able to retrieve it and forward
it along myself.)

We've had a couple of gripes since we started running MIMEDefang, but
I'm lucky enough to have the sort of boss who's glad to remind people
how many man-hours were tied up eradicating the last "ILoveYou" outbreak
on campus, and to point out again that there are in fact alternate ways
of getting the file in question.  

(It's also a lot of fun, and an occasional source of some good campus
PR, to review quarantine messages and count the copies of a new virus
that had already been blocked by the time NAI or Symantec got around to
publishing their updated definition files...)


---
Mark Roedel           | "I can't give you a brain...
Systems Programmer    |  but I can give you a diploma."
LeTourneau University |
Longview, Texas  USA  |          -- The Wizard of Oz
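
The policy described in the message above, as an added example that is not part of the original post and is not MIMEDefang filter code: a stand-alone Python check that blocks attachments by final extension and builds the notice for both sender and recipient. The extension set is a constructed subset (the extensions named in this thread, not Microsoft's full list), and the function names, addresses and file names are assumptions made for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed subset for illustration: the extensions named in this thread.
# The post's real filter uses Microsoft's published Outlook list instead.
BLOCKED_EXTS = {"vbs", "shs", "vxd", "pif", "bat", "com", "exe"}

NOTICE = ("Attachment {name!r} was removed and quarantined because files of this "
          "type can execute code. If you need it delivered, rename it, package "
          "it (for example with WinZip), or post it on a website and send the URL.")

def final_extension(filename):
    """Last extension, lower-cased; trailing dots/spaces are ignored because
    Windows drops them when saving ('a.exe. ' is stored as 'a.exe')."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def part_names(part):
    """Names from Content-Disposition filename= and Content-Type name=;
    clients may use either, so both are checked."""
    raw = (part.get_filename(), part.get_param("name"))
    return {collapse_rfc2231_value(n) for n in raw if n}

def scan(raw_message):
    """Return the blocked attachment names, who to notify, and the notices."""
    msg = email.message_from_string(raw_message)
    blocked = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        bad = sorted(n for n in part_names(part) if final_extension(n) in BLOCKED_EXTS)
        if bad:
            blocked.append(bad[0])
    return {"blocked": blocked,
            "notify": [msg["From"], msg["To"]],  # sender and recipient both
            "notices": [NOTICE.format(name=n) for n in blocked]}

def _att(ctype_name, disp_name):  # builds one constructed attachment part
    ct = "Content-Type: application/octet-stream"
    ct += f'; name="{ctype_name}"' if ctype_name else ""
    return f'--b\n{ct}\nContent-Disposition: attachment; filename="{disp_name}"\n\nx\n'

# Constructed sample message (addresses and file names are made up).
SAMPLE = ("From: sender@example.org\nTo: recipient@example.edu\nMIME-Version: 1.0\n"
          'Content-Type: multipart/mixed; boundary="b"\n\n'
          "--b\nContent-Type: text/plain\n\nsee attached\n"
          + _att("notes.txt", "elfbowl.COM.") + _att(None, "pigs.txt.exe")
          + _att(None, "pigs.zip") + "--b--\n")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The packaged `pigs.zip` passes, matching the options the quarantine notice offers, while the double extension and the mismatched `name=`/`filename=` pair are both caught.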


