This is a difficult and potentially expensive issue to deal with. Here is an approach that has kept some virtually virus free since the I Love You virus. It involves creating multiple logical and physical layers between the network client and the internet, and presupposes that the security manager has some control over how the network is configured.

Layer one: Firewall

a. Implement a virus scanner at the firewall. (You will not be able to scan HTTP traffic without crippling your clients' web access, so you are looking at SMTP traffic.)

b. Block all executable file formats via e-mail. Exceptions are simple compressed files that actually require a client to extract first before execution. This allows clients to pass executables where needed. Another option is to provide an FTP drop site for file transfer.

c. Virus scanning on the e-mail servers themselves. This does slow the servers a bit, but the client doesn't know that.

d. Using the right virus scanning tools on both the firewall and e-mail systems, you can create key word or phrase lists to block. This can include data from the subject line or the document body. As stated before in this chain, this can be a royal pain to maintain, and must be re-visited from time to time and cleaned out.

e. Virus scanning at the desktop system. Use one of the tools that can be centrally managed and updated. Don't allow clients to go directly to McAfee or Symantec for updates. Sometimes the updates cause problems too. You need to test them before implementing them on the desktop.

f. Have a virus response process and team in place and let everyone know how it works. When a virus is suspected, a virus response tech should be contacted to assist in the triage and clean up if necessary.

g. Education of clients is key. They must understand clearly that they must be suspicious of all attached files. Never open one without scanning it first.
You might even have them pass the files (even the whole e-mail with attachment intact) to the security staff to check out. That way you get the e-mail, headers, attachment etc. in one packet.

h. Policy - You have to have a policy regarding the use of e-mail and internet that covers clients causing system infections etc.

Some folks use different virus tools at each layer of the process. This gives you a better chance of having a valid signature in one of them if the virus is new. As I said, this can be expensive. Virus products are not cheap for a corporate environment and this all requires bodies to manage. It also requires that you have management backing to enforce the requirements.

Good fortune to you
K.D.

-----Original Message-----
From: Mark Wills [mailto:mark@private]
Sent: Wednesday, May 22, 2002 9:46 AM
To: steven@private; Owner-Crime
Subject: RE: CRIME Virus list

Filtering by subject line is similar to using a screen door to block a flood. If you can't put in a real virus scan at the mail server level, building a list of executable file name extensions might be an alternative. The subject lines list is much too dynamic.
Here is a list of potential "dangerous cargo" to consider, which I found on http://www.slipstick.com/outlook/esecup.htm:

File extension   File type
.ade             Microsoft Access project extension
.adp             Microsoft Access project
.asx             Windows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x)
.bas             Visual Basic class module
.bat             Batch file
.chm             Compiled HTML Help file
.cmd             Windows NT Command script
.com             MS-DOS program
.cpl             Control Panel extension
.crt             Security certificate
.exe             Program
.hlp             Help file
.hta             HTML program
.inf             Setup Information
.ins             Internet Naming Service
.isp             Internet Communication settings
.js              JScript Script file
.jse             JScript Encoded Script file
.lnk             Shortcut
.mda             Microsoft Access add-in program (blocked only in Outlook 2002)
.mdb             Microsoft Access program
.mdt             Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and later)
.mdw             Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and later)
.mde             Microsoft Access MDE database
.mdz             Microsoft Access wizard program
.msc             Microsoft Common Console document
.msi             Windows Installer package
.msp             Windows Installer patch
.mst             Visual Test source files
.ops             Office XP settings (blocked only in Outlook 2002 SP-1 and later)
.pcd             Photo CD image
.pif             Shortcut to MS-DOS program
.prf             Microsoft Outlook profile settings (blocked only in Outlook 2002)
.reg             Registration entries
.scf             Windows Explorer command (blocked only in Outlook 2002)
.scr             Screen saver
.sct             Windows Script Component
.shb             Shell Scrap Object
.shs             Shell Scrap Object
.url             Internet shortcut
.vb              VBScript file
.vbe             VBScript encoded script file
.vbs             Visual Basic Script file
.wsc             Windows Script Component
.wsf             Windows Script file
.wsh             Windows Script Host Settings file

-----Original Message-----
From: owner-crime@/var/spool/majordomo/lists/crime [mailto:owner-crime@/var/spool/majordomo/lists/crime] On Behalf Of Steve Nichols
Sent: Wednesday, May 22, 2002 3:38 AM
To: Owner-Crime
Subject: CRIME Virus list
Anyone know of a list of all virus subject lines? I'm trying to write a sendmail Check_Subject rule to filter the incoming emails. I can do something like this (it's rough but you should get the idea):

F{Virus} /var/log/virus
HSubject: $>Check_Subject
D{MPat} R<$={Virus}>
D{MMsg}This message may contain a Virus. It has been rejected by our Server.

SCheck_Subject
R${MPat} $*		$#error $: 550 ${MMsg}
RRe: ${MPat} $*		$#error $: 550 ${MMsg}

But I need a list of all subjects associated with viri.

Steven Nichols
Network and Systems Administrator
Internet and NOC Manager
VALLEY INTERNET COMPANY
1709 NE 27th Street, Suite C
McMinnville, Oregon 97128
503-565-5030 or 800-909-9078 (toll-free)
"Pay no attention to the folks behind the curtain..."
PGP: www.viclink.com/~steven/steven.nichols.pgp.txt
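As an added example (not code posted by anyone in this thread): a small Python filter that implements Mark Wills' extension-list approach on attachment file names rather than on subject lines, while letting archives such as .zip through as K.D. describes. The extension set is the slipstick list quoted above; the sample message, sender and file names are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions from the slipstick.com list quoted in the thread (lower-case, no dot).
BLOCKED_EXTENSIONS = {
    "ade", "adp", "asx", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mda", "mdb", "mdt",
    "mdw", "mde", "mdz", "msc", "msi", "msp", "mst", "ops", "pcd", "pif", "prf",
    "reg", "scf", "scr", "sct", "shb", "shs", "url", "vb", "vbe", "vbs", "wsc",
    "wsf", "wsh",
}


def is_blocked_name(filename: str) -> bool:
    """True if the attachment name ends in a blocked extension.

    Matching is case-insensitive and ignores trailing spaces/dots, so
    'SETUP.EXE' and 'setup.exe.' are both caught.  Only the final extension
    counts, so 'invoice.pdf.exe' is caught, while 'docs.zip' passes because
    (per K.D.) a client must extract an archive before anything can run."""
    name = filename.strip().rstrip(".").lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw: bytes) -> list:
    """Parse a raw RFC 2822 message and return every attachment name that hits the list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition first, then the Content-Type name= parameter.
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message: one allowed .zip and one double-extension .vbs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"      # constructed address
    msg["Subject"] = "Documents attached"
    msg.set_content("See attached.")
    msg.add_attachment(b"PK\x03\x04-fake-zip-", maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"fake script body", maintype="application", subtype="octet-stream", filename="invoice.pdf.VBS")
    return msg.as_bytes()
```

On a real gateway this check would sit in a milter or content filter ahead of delivery; the list itself still needs the periodic review K.D. mentions.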
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:27 PDT