Re: Novarg - Stopping .Zip Files

[Alvin Mills <alvin.mills () ttuhsc edu>]

An IPS would help with the bottleneck at your mail server. I would 
rather block it with IPS than having the backlog of mail being routed 
because my mail server is up to its neck fighting the virus.

Just my 2 cents.

Alvin

Bill Pennington wrote:
> IPS? I would recommend handling this at the mail server. No need for a  
> IPS system.
>
> I know Postfix/Sendmail/procmail all allow you to do this. I would  
> assume Exchange server (or and add-on product like Tumbleweed) has the  
> ability to drop e-mails based on attachment type.
>
>
> On Jan 28, 2004, at 8:53 AM, Tom Milliner wrote:
>
> > Could someone tell me if there is an IPS solution
> > which could be quickly programmed to stop .zip
> > files?  I wish we could have stopped .zip files long
> > enough for our anti-virus program to get its updates.
> >
> > Tom Milliner, CPA, MCSE
> > Director of Information Services
> > Greater Dallas Assc of Realtors
> > 8201 N. Stemmons Frwy
> > Dallas,  TX  75247
> > www.gdar.org
> > mail to: milliner () gdar org
> > (214) 540-2741
> >
> >
> > -----Original Message-----
> > From: sloppy seconds [mailto:beleguese () yahoo com]
> > Sent: Tuesday, January 27, 2004 10:32 PM
> > To: incidents () securityfocus com
> > Subject: Novarg
> >
> > To all,
> >
> > Yes as many of you have noticed Novarg is spreading
> > fast. I work for a large international corporation and
> > we have seen extensive infiltration. However, this
> > worm has not proved to be as "damaging" as some may
> > claim. The scary part is that our investment in AV
> > solutions (Trend, Symantec, et al...) has not
> > protected us. We are now reconsidering our stance on
> > allowing .ZIP files in Email.
> >
> > We engineered our own cleaning utility hours before
> > our AV vendors even had signatures. Infecting lab
> > clients and using diff tools...etc
> >
> > > From a network perspective we are watching for the
> >
> > supposed DOS against SCO.
> >
> > We have had the outbreak under control just a few
> > hours after it's inception.
> >
> > Anyone care to contribute their experience?
> >
> > Thanks,
> > Beleguese
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! SiteBuilder - Free web site building tool. Try it!
> > http://webhosting.yahoo.com/ps/sb/
> >
> > ----------------------------------------------------------------------- -
> > ---
> > ----------------------------------------------------------------------- -
> > ----
> >
> >
> >
> > ----------------------------------------------------------------------- 
> > ----
> > ----------------------------------------------------------------------- 
> > -----
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------- 

--
****************************
Alvin Mills
Information Security Manager
Texas Tech University
Health Sciences Center
806.743.2870 x242
alvin.mills () ttuhsc edu
****************************


---------------------------------------------------------------------------
----------------------------------------------------------------------------