I too run Standard, and it's true that I think banned extensions within zips
would be a very nice feature.  But since it's like this, I live with it.

What you should do is keep checking these lists for things such as this new
virus.  When you see someone say they found a suspicious file, ask them what
the filename is and ban the file.  If it looks like multiple filenames with
a zip ending, then ban all zip files.  This is what I'm currently doing.
Until I know for certain that the defs have been updated for F-Prot, then
I'll turn off the zip banning (F-Prot just downloaded/installed an update).

If clients complain, explain that it's just your security protocols.  Ask
them if they'd rather have an hour of heartache compared to possible days of
heartache or no computer at all (then tell them to switch to Linux; hahaha).
They tend to prefer the former to the latter.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Olden
Sent: Monday, August 09, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] JS/illWill

Want to know what "less useful" really means, try being like us with only
Declude AV Standard. We can't ban certain extensions in zip files.
Plus we can only use one scanner with Standard so we constantly get bit
having to wait until the AV companies update their signatures.

John Olden - Systems Administrator
Champaign Park District


----- Original Message -----
From: "Robert Grosshandler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 1:02 PM
Subject: RE: [Declude.Virus] JS/illWill


> Problem is, I want to get "good" zipped exe's.
>
> Oh well.  Until the AV programs start catching it, I've made our e-mail less
> useful by blocking any zips with exe's in them.
>
>   _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Monday, August 09, 2004 12:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] JS/illWill
>
>
>
> Declude is indeed stopping it if configured correctly. That is how I am
> stopping them.
>
>
>
> BANZIPEXTS
>
>
>
> BANEXT EXE
>
>
>
> John Tolmachoff
>
> Engineer/Consultant/Owner
>
> eServices For You
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
> Sent: Monday, August 09, 2004 10:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] JS/illWill
>
>
>
> We're seeing it too.
>
>
>
> McAfee on desktop catching as a "trojan".  AVG and F-Prot not catching it
> yet.
>
> Declude not stopping, either.
>
>
>
> newprice.zip is the attachment name.
>
>
>
>
>
>
>
>   _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Monday, August 09, 2004 11:23 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] JS/illWill
>
> I've seen several JS/IllWill messages in the past 20 minutes on our system.
>
> Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus
> (2001) and I can't remember another one in the past.
>
> But now I can see them coming from all different IP addresses.
>
> Mailfrom looks like real existing addresses but are definitively forged.
>
>
>
> Markus
>
>
>
>
>
>

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
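
Added example, not part of the thread and not Declude's own code: a Python check that does what banning EXE inside zips amounts to, listing each zip member and flagging banned extensions, including double extensions, trailing dots or spaces, and nested zips. The ban list beyond EXE, the depth and size limits, and every file name used are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed ban list: the thread names only EXE; the others are illustrative.
BANNED_EXTS = {"exe", "scr", "pif", "com"}
MAX_DEPTH = 2             # assumed limit on nested archives
MAX_INNER = 5 * 1024**2   # assumed size cap before unpacking a nested zip

def extension(name):
    """Last extension, lowercased, ignoring trailing dots/spaces Windows drops."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def scan_zip(data, banned=BANNED_EXTS, depth=0):
    """Return reasons to hold a zip attachment; an empty list means pass."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            ext = extension(info.filename)
            if ext in banned:
                # Names are stored in clear under traditional zip encryption.
                reasons.append(f"banned member: {info.filename}")
            elif ext == "zip":
                encrypted = bool(info.flag_bits & 0x1)
                if encrypted or depth >= MAX_DEPTH or info.file_size > MAX_INNER:
                    reasons.append(f"uninspectable nested zip: {info.filename}")
                else:
                    reasons += scan_zip(zf.read(info), banned, depth + 1)
    return reasons

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples; none of these names come from the thread.
    samples = {
        "clean.zip": make_zip({"readme.txt": b"hello"}),
        "double.zip": make_zip({"price.txt.EXE": b"MZ"}),
        "nested.zip": make_zip({"inner.zip": make_zip({"a.scr ": b"MZ"})}),
    }
    for name, data in samples.items():
        print(name, scan_zip(data) or "pass")
```

A nested zip that is encrypted, too deep or too large is reported rather than passed, since its members cannot be checked.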

