Security Incidents mailing list archives
Re: Novarg - Stopping .Zip Files
From: "Tom Milliner" <tom.milliner () verizon net>
Date: Wed, 28 Jan 2004 22:14:15 -0600
We don't have an email gateway. With only 30 employees, it seemed to make sense to have our ISP provide POP3 email service. The ISP provides spam and virus filtering. For example, if the ISP provides the service for $60 a month (possibly bundled with web hosting and/or a T1 connection), the cost is $720 a year with little admin time involved. That compares favorably to the cost of hardware/software and administering an email server.

We are looking at IDS/IPS solutions anyway, and I am hoping there are possibilities which could be affordable and easily administered (we already run Windows 2003 in a single Active Directory domain with SQL and IIS; there are four single-person remote offices, and a PC classroom with 21 PCs).

I would like an IDS/IPS solution which can be either remotely managed/updated or easily administered by me...for instance, the Microsoft solution, ISA Server, can do a lot, but I would need more time than I have available right now to master its possibilities. Sentinel and Netscreen are the two IDS/IPS solutions which I know about now. I don't know if they could have been set to drop POP3 .zip file attachments for the 24 hours between the beginning of MyDoom and McAfee's virus updates.

Tom Milliner, CPA, MCSE, CNE
2404 Summer Place Dr.
Irving, TX 75062
(972) 255-6308
tom.milliner () verizon net

----- Original Message -----
From: "Ivan Coric" <ivan.coric () workcoverqld com au>
To: <milliner () gdar org>; <incidents () securityfocus com>; <beleguese () yahoo com>
Sent: Wednesday, January 28, 2004 5:24 PM
Subject: RE: Novarg - Stopping .Zip Files

Tom,

Do you have an email gateway? If so, why don't you block .zip, .pif, .scr, etc. there?

Kind Regards
Ivan

Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414
Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au
"Tom Milliner" <milliner () gdar org> 01/29/04 02:53am >>>
Could someone tell me if there is an IPS solution which could be quickly programmed to stop .zip files? I wish we could have stopped .zip files long enough for our anti-virus program to get its updates.

Tom Milliner, CPA, MCSE
Director of Information Services
Greater Dallas Assc of Realtors
8201 N. Stemmons Frwy
Dallas, TX 75247
www.gdar.org
mail to: milliner () gdar org
(214) 540-2741

-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com]
Sent: Tuesday, January 27, 2004 10:32 PM
To: incidents () securityfocus com
Subject: Novarg

To all,

Yes as many of you have noticed Novarg is spreading fast. I work for a large international corporation and we have seen extensive infiltration. However, this worm has not proved to be as "damaging" as some may claim. The scary part is that our investment in AV solutions (Trend, Symantec, et al...) has not protected us. We are now reconsidering our stance on allowing .ZIP files in Email.

We engineered our own cleaning utility hours before our AV vendors even had signatures. Infecting lab clients and using diff tools...etc
From a network perspective we are watching for the supposed DOS against SCO. We have had the outbreak under control just a few hours after its inception.

Anyone care to contribute their experience?

Thanks,
Beleguese
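The gateway-style attachment block suggested in this thread (.zip, .pif, .scr), as an added example that is not part of any poster's message. It parses a MIME message, rejects the listed extensions, and also flags a ZIP that has been renamed, since an extension list alone would miss it. The function names, addresses and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the thread; the "etc." there is left to local policy.
BLOCKED_EXTENSIONS = {".zip", ".pif", ".scr"}


def blocked_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part the policy rejects."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Normalise: case, plus trailing dots/spaces that Windows ignores.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, f"blocked extension {ext}"))
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            # Renamed archive: the bytes are a ZIP whatever the name says.
            hits.append((name or "<unnamed>", "ZIP content under another name"))
    return hits


def build_sample() -> bytes:
    """Constructed message: a text note, a .PIF, and a ZIP renamed to .dat."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Invoice.PIF")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="octet-stream", filename="data.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample()):
        print(f"quarantine {filename}: {reason}")
```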