I guess I should have clarified. SoBig.E is in an executable file that is
within a zipped file, your_details.zip. The virus was sending itself out
this way. Therefore, it was not caught by banned extensions until the virus
definitions were updated.

The reason it came up was that one of my clients happened to get one of the
first ones right after the virus came out. In the past, we have relied on
banned extensions as an extra measure against this. But now that we have to
worry about zipped files, it adds an extra level of worry.

As Joshua said, as soon as we receive a notice, we can use that
information to create a filter. However, I am personally not up at 4 AM, and
therefore would not be able to take such action until I get up, read the
messages, and then take action.

Bill, do you know if the AI/Heuristics testing in F-Prot would have caught
this?

Any reason not to have AI/Heuristics testing turned on?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
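John's point above is that a banned-extension check which only looks at the attachment's own file name never sees the .exe sitting inside your_details.zip. The Python below is an added example, not part of this thread and not Declude Virus code, showing how a gateway-side check can open zip attachments (including zips nested inside zips) and apply the same banned-extension list to the archive members, holding anything it cannot open rather than letting it through. The extension list, the MAX_DEPTH limit and the sample message are assumptions constructed for the example.

```python
"""Banned-extension check that also looks inside zip attachments (added example)."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions a gateway would normally block outright (assumed list for the example).
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
MAX_DEPTH = 3  # assumed limit: stop descending into archives nested deeper than this


def banned_extension(name: str) -> bool:
    """True if the file name ends in a banned extension (case-insensitive)."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in BANNED_EXTENSIONS)


def scan_zip_bytes(data: bytes, path: str, depth: int = 0) -> list:
    """Return the paths of banned members inside a zip, descending into nested zips.

    An archive that cannot be read is reported as a finding so the message is held
    for review instead of passing because the check could not see inside it.
    """
    if depth > MAX_DEPTH:
        return [f"{path}: nested deeper than {MAX_DEPTH}, held for review"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if banned_extension(info.filename):
                    findings.append(member)
                elif info.filename.lower().endswith(".zip"):
                    findings.extend(scan_zip_bytes(zf.read(info), member, depth + 1))
    except zipfile.BadZipFile:
        findings.append(f"{path}: unreadable zip, held for review")
    return findings


def scan_message(raw: bytes) -> list:
    """Walk every attachment; apply the banned list directly and inside zips."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if banned_extension(name):
            findings.append(name)
        # Open by name, or by the PK local-file-header magic if the zip was renamed.
        elif name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(scan_zip_bytes(payload, name))
    return findings


def build_sample_message(nested: bool = False) -> bytes:
    """Constructed sample: a message carrying your_details.zip with a .exe member.

    With nested=True the zip is wrapped in a second zip to exercise recursion.
    The member bytes are placeholders, not a real program.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt", b"harmless text member")
        zf.writestr("your_details.exe", b"constructed placeholder bytes")
    data, name = inner.getvalue(), "your_details.zip"
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr("your_details.zip", data)
        data, name = outer.getvalue(), "outer.zip"
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Your details"
    msg.set_content("Please see the attached zip file.")
    msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return bytes(msg)


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("banned member found:", hit)
```

The check is deliberately fail-closed: a zip that cannot be opened (truncated, corrupt, or otherwise unreadable) is reported as a finding, because the window of exposure Josh describes below is exactly the case where the gateway must not assume an unreadable archive is harmless.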

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Monday, July 21, 2003 7:21 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] SoBig.E
> 
> Ah yes, thanks for the clarification, I misread John's e-mail.  Hmmm, that
> is an interesting issue.  Might possibly help to enable AI/Heuristics in the
> virus config's command line options.  I did this a while back with F-Prot
> (-AI) and McAfee (/ANALYZE), so hopefully that will add a little bit of
> added capabilities for capturing these new viruses and variants before the
> new definitions are released.
> 
> Otherwise, like you stated, it may require holding messages containing zip
> files so they can be reviewed before being sent back to the queue for
> delivery.
> 
> Bill
> ----- Original Message -----
> From: "Joshua Levitsky" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 21, 2003 6:57 PM
> Subject: Re: [Declude.Virus] SoBig.E
> 
> 
> >
> > ----- Original Message -----
> > From: "Bill Landry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 21, 2003 9:27 PM
> > Subject: Re: [Declude.Virus] SoBig.E
> >
> >
> > > Virus scanners will scan inside of compressed and archived files (if
> > > configured to do so), so I don't see how this should be an issue.  The
> > > default configurations that Scott has set for the different Declude Virus
> > > supported virus scanners are set up to scan inside of these types of files.
> > >
> > > Did you find a virus (SoBig.E) that was inside a zip file that made it past
> > > Declude Virus?
> >
> > I think the point was that there is a window between a virus existing and
> > definitions being available. In the past we could rest easy knowing viruses
> > couldn't zip themselves so if you ban all the exe's and such then you would
> > protect your users even during that window. Unfortunately now that viruses
> > can zip themselves there is a window of potential for exposure. I get pages
> > from Symantec when nasties come out because I have platinum support. When I
> > hear of a virus that will mail itself as a zip, but there are no defs yet,
> > then the action I am going to take is to put all the subject lines and such
> > that it does in a filter so it will be banned by Declude JunkMail with high
> > enough value that it won't bounce, but will be held. Usually www.sarc.com
> > (symantec) is good about documenting them.
> >
> > -Josh
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> >
> 
