Forwarded from: Wall David Civ AETC/DOXD <David.Wall@RANDOLPH.AF.MIL>

OK, Guess I wasn't clear. We run Norton, and get automatic updates every 24 hours, occasionally changing to every 12 hours. Everything is automatic on our network (UNIX servers and NT workstations). No user can open any file, e-mail or attachment unless the antivirus checks it first. This isn't on the firewall, it's on the network.

I know it's impossible to catch every virus if it is radically new, but we very, VERY seldom get a successful penetration. For example, we took over 600,000 hits with I love you, and none got through. Lesser, obviously, numbers with code red, Klez, and others. Again, none got through. The virus was deleted and the e-mail then had an attachment that wasn't there.

I'm no great fan of Outlook, but I don't see that it deserved the comments by that university. For those who disagree, that's fine.

Now, if you'll pardon my absence - i.e., no more responses for a couple weeks - I'm off to get married. I don't expect to even hear the words virus, Norton, Outlook, infosecNews, etc., for a while.

Happy computing
Dave Wall

-----Original Message-----
From: Stanislav N. Vardomskiy [mailto:stany@NotBSD.org]
Sent: Friday, May 24, 2002 10:52 AM
To: InfoSec News
Cc: firstname.lastname@example.org; David.Wall@randolph.af.mil
Subject: RE: [ISN] MS Outlook booted off campus

On Fri, 24 May 2002, InfoSec News wrote:

> Forwarded from: Wall David Civ AETC/DOXD <David.Wall@RANDOLPH.AF.MIL>
>
> Is it just me, or is somebody burying their heads in the sand?
> Whatever happened to maintaining the latest antiviral signature files
> so you don't get hit in the first place?
>
> Am I missing something here?????

You are missing the human factor.
There are really two ways of dealing with desktop users:

First one is a Nortel approach, where no one outside the helpdesk had root/administrator access, and in order to get done something as trivial as time synchronised between the license server and the workstation (so that FlexLM would actually check out the license), one had to call helpdesk. This approach works really well if you have a huge budget for IT and infinitely patient users - IT/helpdesk has to be up to speed and be able to resolve problems FAST, and users get really really upset after having to call the "helldesk" for the third time with the same problem (And of course every problem is mission critical, be it e-mail outage or shortage of Modelsim licenses).

At the moment I am babysitting about 20 users in a remote office. My policies are fairly lax - all I care about is engineering being productive, so as long as they can read their e-mail, access their fileservers, and run their Verilog, I do not strictly enforce how they use their systems, with a belief that users themselves know best what it is that they want and how they want their systems configured in order to be most productive (The fact that most of my Windows users still use Windows 98 with no concept of local security makes it a folly to even try to prevent them from changing background pictures, mouse pointers, etc). Users are all informed that if I can not solve their problem, I will re-image their system to a sane configuration. This approach, while definitely easier on users, does not permit totalitarian control over what gets executed on the desktop, and allows users to toggle settings of their anti-viral software.

I have to point out that my approach so far worked out, and not only are users productive, but there is no fear and loathing of the IT department at my site, and users do bring potential problems to my attention. At my site engineers are the ones that bring in revenue, and I get paid out of the money they generate.
In my mind it's a direct relationship - if they are not productive, then I do not get paid :-) Playing a Computer Cop would get me nothing besides a pink slip.

Lastly, the default settings with Symantec Norton Anti-Virus corporate edition that the head office here maintains call for downloading the latest signature file once a week. Unfortunately, with the latest batch of virii, that spread like wildfire, a week is nowhere near fast enough, and, truth be told, even fetching an updated signature once a day can be not fast enough (figure in a delay in vendor releasing a signature, pushing it out to the corporate signature server, and client fetching it from the corporate server).

So to address your initial question: I can totally relate to the problems of Cambridge college's systems administrators. If it's anywhere like the academentia I know and love, they are probably underpaid and understaffed and have no manpower to upkeep desktops of 700 users, and most likely have no political power in the college either. As a result, while most likely they do maintain an anti-virus server/software, they have no way of making sure that every user is up to date and uses it. In a situation like this not using Windows, or at least not using components of Windows that were designed to spread virii is a major workload reduction.

> Dave Wall

Signed: //Stany

http://www.microsoft.com/mac/products/office/2001/office_main.asp?embfname=virus_alert.asp

Will the virus impact my Macintosh if I am using a non-Microsoft e-mail program, such as Eudora?

If you are using a Macintosh e-mail program that is not from Microsoft, we recommend checking with that particular company. But most likely other e-mail programs like Eudora are
not designed to enable virus replication.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own. LARTs are provided free of charge + 10533 +-+

-
ISN is currently hosted by Attrition.org

To unsubscribe email email@example.com with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 05:13:34 PDT