Security Incidents mailing list archives

Re: Novarg - Stopping .Zip Files


From: "Ivan Coric" <ivan.coric () workcoverqld com au>
Date: Thu, 29 Jan 2004 14:43:38 +1000

Tom,
Fair enough, but IMHO I would run my own email GW.

Anyway, check out Symantec and Toplayer products; they might do what you're looking for.
http://www.toplayer.com
http://enterprisesecurity.symantec.com/content/productlink.cfm

Cheers
Ivan


Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au

"Tom Milliner" <tom.milliner () verizon net> 01/29/04 02:14pm >>>
We don't have an email gateway. With only 30 employees, it seemed to
make sense to have our ISP provide POP3 email service. The ISP provides
spam and virus filtering. For example, if the ISP provides the service for
$60 a month (possibly bundled with web hosting and/or a T1 connection),
the cost is $720 a year with little admin time involved. That compares
favorably to the cost of hardware/software and administering an email server.

We are looking at IDS/IPS solutions anyway, and I am hoping there are
possibilities which could be affordable and easily administered (we already
run Windows 2003 in a single active directory domain with SQL and IIS;
there are four single person remote offices, and a PC classroom with 21
PC's). I would like an IDS/IPS solution which can be either remotely
managed/updated or easily administered by me... for instance, the Microsoft
solution, ISA Server, can do a lot, but I would need more time than I have
available right now to master its possibilities.

Sentinel and Netscreen are the two IDS/IPS solutions which I know about
now.  I don't know if they could have been set to drop POP3 .zip file
attachments for the 24 hours between the beginning of MyDoom and
McAfee's virus updates.

Tom Milliner, CPA, MCSE, CNE
2404 Summer Place Dr.
Irving, TX  75062
(972) 255-6308
tom.milliner () verizon net 



----- Original Message ----- 
From: "Ivan Coric" <ivan.coric () workcoverqld com au>
To: <milliner () gdar org>; <incidents () securityfocus com>; <beleguese () yahoo com>
Sent: Wednesday, January 28, 2004 5:24 PM
Subject: RE: Novarg - Stopping .Zip Files


Tom,
Do you have an email gateway? If so, why don't you block .zip, .pif, .scr, etc.
there?

Kind Regards
Ivan


Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au 

"Tom Milliner" <milliner () gdar org> 01/29/04 02:53am >>>

Could someone tell me if there is an IPS solution
which could be quickly programmed to stop .zip
files?  I wish we could have stopped .zip files long
enough for our anti-virus program to get its updates.

Tom Milliner, CPA, MCSE
Director of Information Services
Greater Dallas Assc of Realtors
8201 N. Stemmons Frwy
Dallas,  TX  75247
www.gdar.org 
mail to: milliner () gdar org 
(214) 540-2741


-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com] 
Sent: Tuesday, January 27, 2004 10:32 PM
To: incidents () securityfocus com 
Subject: Novarg

To all,

Yes as many of you have noticed Novarg is spreading
fast. I work for a large international corporation and
we have seen extensive infiltration. However, this
worm has not proved to be as "damaging" as some may
claim. The scary part is that our investment in AV
solutions (Trend, Symantec, et al...) has not
protected us. We are now reconsidering our stance on
allowing .ZIP files in Email.

We engineered our own cleaning utility hours before
our AV vendors even had signatures. Infecting lab
clients and using diff tools...etc

From a network perspective we are watching for the
supposed DOS against SCO.

We have had the outbreak under control just a few
hours after its inception.

Anyone care to contribute their experience?

Thanks,
Beleguese


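The gateway attachment policy Ivan suggests (block .zip, .pif, .scr at the email gateway) and the outbreak-window question Tom raises, as an added example that is not code from this thread: a Python check over a constructed message that either refuses every archive outright or opens it in memory and refuses those wrapping an executable. The executable extensions beyond the three Ivan names, and the sample message, are assumptions made here.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Ivan names .zip, .pif and .scr; the extra executable types are an assumption.
EXEC_EXT = {".pif", ".scr", ".exe", ".bat", ".cmd", ".com"}

def _ext(name: str) -> str:
    # Lowercased final extension, so Document.ZIP and readme.txt.scr both classify.
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def inspect_zip(data: bytes) -> str:
    """Open the archive in memory and refuse it if any member is an executable type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = [n for n in zf.namelist() if _ext(n) in EXEC_EXT]
    except zipfile.BadZipFile:
        return "block: corrupt or non-zip payload"
    return f"block: archive contains {bad[0]}" if bad else "allow"

def attachment_verdicts(raw: bytes, block_all_zips: bool) -> list[tuple[str, str]]:
    """(filename, verdict) per attachment; block_all_zips is the blunt outbreak-window rule."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = _ext(name)
        if ext in EXEC_EXT:
            verdicts.append((name, f"block: executable attachment ({ext})"))
        elif ext == ".zip" and block_all_zips:
            verdicts.append((name, "block: archives blocked during outbreak"))
        elif ext == ".zip":
            verdicts.append((name, inspect_zip(part.get_payload(decode=True))))
        else:
            verdicts.append((name, "allow"))
    return verdicts

def build_sample() -> bytes:
    """Constructed message: a harmless .txt plus a zip wrapping a .scr (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"placeholder bytes, not a real program")
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return m.as_bytes()
```

Toggling `block_all_zips` reproduces the trade-off in the thread: the strict rule costs every legitimate archive for the outbreak window, the inspecting rule lets clean archives through while still refusing executables hidden inside.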

***************************************************************************
Messages included in this e-mail and any of its attachments are those
of the author unless specifically stated to represent WorkCover Queensland. The
contents of this message are to be used for the intended purpose only and are to
be kept confidential at all times.
This message may contain privileged information directed only to the intended
addressee/s. Accidental receipt of this information should be deleted promptly
and the sender notified.
This e-mail has been scanned by Sophos for known viruses.
However, no warranty nor liability is implied in this respect.
**********************************************************************