Security Incidents mailing list archives

Re: Novarg


From: James Riden <j.riden () massey ac nz>
Date: Thu, 29 Jan 2004 07:36:43 +1300

sloppy seconds <beleguese () yahoo com> writes:

> To all,
>
> Yes as many of you have noticed Novarg is spreading
> fast. I work for a large international corporation and
> we have seen extensive infiltration. However, this
> worm has not proved to be as "damaging" as some may
> claim. The scary part is that our investment in AV
> solutions (Trend, Symantec, et al...) has not
> protected us. We are now reconsidering our stance on
> allowing .ZIP files in Email.

As you have found out there's a window between a new virus coming out
and the AV signatures getting updated. (Even that didn't fix it with
Blaster I think, but should cover email-borne viruses).

Internal spread of Novarg is non-existent here, because no-one runs
internal mailservers except us, and we make sure to block viruses and
delay questionable attachments. 

Six hours is a long time to be vulnerable if someone really wants to
write a really nasty worm - Blaster could have been a whole lot worse
if properly coded. And if you let .zip files straight through then you
could be in that position before you get the AV updates on the
mailserver.

I prefer to treat the desktop AV as a safety net; that is, it
shouldn't get to that stage.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
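
The gateway approach described in the reply above (delay questionable attachments until AV signatures catch up), sketched as an added example that is not part of the original post or any mail product's own code. The extension list, the function names and the "rescan" outcome are assumptions for illustration; the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for illustration; only the six-hour figure is from the post.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
HOLD_SECONDS = 6 * 3600

def _ext(name):
    name = (name or "").lower().rstrip(". ")  # trailing dots/spaces hide extensions
    return name[name.rfind("."):] if "." in name else ""

def classify_attachment(filename, payload):
    """Return 'hold' for an attachment the gateway should delay, else 'pass'."""
    if _ext(filename) in RISKY_EXT:
        return "hold"
    if _ext(filename) == ".zip" or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    # Encrypted members cannot be scanned; nested zips are not unpacked here.
                    if info.flag_bits & 0x1 or _ext(info.filename) in RISKY_EXT | {".zip"}:
                        return "hold"
        except zipfile.BadZipFile:
            return "hold"  # unparseable archive: fail closed
    return "pass"

def gateway_decision(raw_message, received_at, now):
    """Return (action, release_time); 'rescan' = hold expired, rescan with current signatures."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = [classify_attachment(p.get_filename(), p.get_payload(decode=True) or b"")
                for p in msg.iter_attachments()]
    if "hold" not in verdicts:
        return ("deliver", None)
    release = received_at + HOLD_SECONDS
    return ("rescan", release) if now >= release else ("hold", release)

def build_sample():
    """Constructed sample: a zip holding a harmless file with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.scr", b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "hi"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()
```
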

