Re: NETSKY.C out..Heads up!

Chris H Thu, 26 Feb 2004 22:17:53 -0800

That was the point of my "mileage varies" email . . . my experience has been the *exact* opposite . . . We were running Trend Officescan and *it* was a nightmare . . . ps the first infeciton due to bad AV should eleviate any management/budgetary issues. Let them know in no uncertain terms the infrastructure is at risk until I change is made.

----- Original Message ----- From: "Egan, William" <[EMAIL PROTECTED]> To: "Exchange Discussions" <[EMAIL PROTECTED]> Sent: Wednesday, February 25, 2004 6:52 PM Subject: RE: NETSKY.C out..Heads up!

The point was that NAV's defs might be out of date when NAV is protecting
the desktop and Trend is protecting the mail servers and mail gateway, in
which case your realtime scan is useless.

For the record, NAV/SAV sucks. What kind of product will fail to start its services if its definitions are corrupt - which happens too frequently with NAV. The thing should detect corrupt defs, then go get GOOD definitions and retry the service start. Also, NAV has a way of showing itself as offline on a client (using the Symmantec System Center Console), yet the service is running on that client. Oh, and another good one; client service is not running so you do something like sc.exe \\whatever start "Norton Antivirus Server" and it crashes the service control manager on the client. Oh, and reporting out of the system center console is non-existant. NAV=nightmare antivirus. Yet we can't switch for budgetary reasons. It almost requires a fulltime staffer to keep all clients up to date and online.

Fun.

So what's the opinion (yes I know its off-topic) on the best DESKTOP a/v
solution?  How do Panda, Kaspersky, Trend OfficeScan and CA stand up?

b

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 6:36 PM
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!

Easy...you have your NAV/SAV scan all files as soon as they are created,
modified or used...we do.

If it attempts to come in from a webmail account, it will quarantine the
dropper file, as soon as it hits the Temporary Internet Files directory.

If you're having a problem with NAV not catching files, I'd warrant it's a
configuration issue, not a product issue.

-----Original Message-----
From: Eric Holtzclaw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 1:54 PM
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!


How does this help if they use a hotmail account to get there mail with
Norton on the desktop?

Remember not all users have a brain that is why we have jobs.


-----Original Message-----
From: Chris H [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 1:46 PM
To: Exchange Discussions
Subject: Re: NETSKY.C out..Heads up!

I dont know about you but I block all .scr, .exe, .pif, etc. and syamantec
strips them out of any zip file regardless of the signature. If it cannot
strip them out or scan inside the zip then it strips the zip file. Problem
solved.

----- Original Message ----- From: "Waters, Jeff" <[EMAIL PROTECTED]> To: "Exchange Discussions" <[EMAIL PROTECTED]> Sent: Wednesday, February 25, 2004 3:35 PM Subject: RE: NETSKY.C out..Heads up!

You are right about that, however Symantec blew the .F big-time. We

run

Trend on our Exchange Server, and Trend on our servers and desktops.

I
have

been blocking .zip's since the 20th when the .F came out. Trend had

their

def's updated within 2 hours. Symantec did not have a definition out

until

sometime after 8pm(est) on the 23rd. How do I know this you ask, well

our

scheduled live updates run at 8pm and we didn't get the update.
Unfortunately for us, one of our users accessed his personnel web-mail

about

9am yesterday and got the .F on our computer. There really was not

good

reason for an update to take that long, not to mention that before

this
set

of updates (24th) their last update was the 18th.
I like Symantec, and I like having different vendors on Exchange and

the

Desktop, but this time Symantec took it in the a** and we are paying

the

price. The good news is it only took out one system, the bad news is

that
I

am going to be restoring data late tonight to fix what got deleted.

That

one system had over a hundred .zip files on it, and deposited well

over
300

out onto the file servers he was mapped to. Our saving grace is that

no
one

else opened up one of those .zip files on the server.

We are currently blocking about 50-75 .zip's an hour right now!!! I

wish

they would get one of these idiots that write these and cane them in

the

middle of time square on national TV.


-----Original Message-----
From: Chris H [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 2:42 PM
To: Exchange Discussions
Subject: Re: NETSKY.C out..Heads up!

I have found you can ask 10 people and get 10 different answers. Do
you like Dell or Compaq? Ask 10 people and see what they say.

Mileage

varies.
I have had *zero* problems with Symantec and I came over from Trend

who
IMO

has lousy tech support.
I have not had a single client or server infected since moving and my
updates are almost instantaneous once the Primary server is updated. I

am

very happy with them!

----- Original Message -----
From: "Eric Holtzclaw" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, February 25, 2004 2:32 PM
Subject: RE: NETSKY.C out..Heads up!


I ran a manual update and it updated to the newest file patterns and
went to there site with no answer to that variant. I knew the PC was
infected with random zip file start appearing from what Trend

described.

Sorry, if you like Symantec buy U got burned!!

Eric


-----Original Message-----
From: Chinnery, Paul [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 10:42 AM
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!

Didn't the client force an update or can't you do that with Symantec?

Paul Chinnery
Network Administrator
Mem Med Ctr


-----Original Message-----
From: Eric Holtzclaw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 1:37 PM
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!


Symantec sucks, one of my clients had many infected PC's with doom.f
because there not update for 3 1/2 days and Trend and MacAfee did.

Not to mention the "I love you virus" was updated again by trend not
Symantec

Eric

-----Original Message-----
From: Chris H [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 10:23 AM
To: Exchange Discussions
Subject: Re: NETSKY.C out..Heads up!

That's what I like about Symantec's gateway . . . gets inside the zip

.

. .
of course it is a pain when you *need* to send an EXE but oh well . .

.


----- Original Message -----
From: "Pfefferkorn, Pete (pfeffepe)" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Wednesday, February 25, 2004 1:18 PM
Subject: RE: NETSKY.C out..Heads up!

> Wasn't blocking ZIP attachments. Trend now has a pattern available

as

well.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
Chris H
> Sent: Wednesday, February 25, 2004 1:12 PM
> To: Exchange Discussions
> Subject: Re: NETSKY.C out..Heads up!
>
> It is using the attachments types we all usually block anyway no?
>
> ----- Original Message -----
> From: "Pfefferkorn, Pete (pfeffepe)" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Wednesday, February 25, 2004 12:21 PM
> Subject: NETSKY.C out..Heads up!
>
>
> > I just started receiving messages that are being blocked based on
> attachment
> > type.  I believe it NETSKY.C which we don't have a pattern file

for

it
on
> > TREND yet so watch out!
> >
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:
>

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;

lang
> =english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
> > To unsubscribe via postal mail, please contact us at: Jupitermedia
> > Corp.
> > Attn: Discussion List Management
> > 475 Park Avenue South
> > New York, NY 10016
> >
> > Please include the email address which you have been contacted

with.

> >
>
>
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
>

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;

lang
> =english
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at: Jupitermedia
> Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
>
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;

lang=english
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at: Jupitermedia
> Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
>


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:

http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;

lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia
Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016