I don't block .zips and at least the Symantec Gateway SMTP product will strip the exe, etc. out of the zip and leave the rest of the files in there.

----- Original Message -----
From: "Randal, Phil" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 9:55 AM
Subject: RE: NETSKY.C out..Heads up!



The problem is that .zip files have legitimate uses.

I'm looking at quarantining executables (and probably .zip files) for at
least 24 hours before releasing them and rescanning with updated virus
patterns.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Martin Blackstone
Sent: 26 February 2004 14:53
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!


What I would like to see AV vendors do is, rather than use a blocked file list in mail AV apps, use an allowed file types list. In other words, everything is blocked by default and you choose what to let in.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randal, Phil
Sent: Thursday, February 26, 2004 6:34 AM
To: Exchange Discussions
Subject: RE: NETSKY.C out..Heads up!

Welcome to the new world of viruses.

Anti-virus vendors used to working on a weekly cycle need to wake up and
move to a daily-plus cycle, and here's why.

In the last two weeks, we've been blocking viruses at our email gateway
before patterns have been available.  Virus writers don't submit their wares
to the antivirus companies and then wait a week (or even a day) before
releasing them in the wild.

With a high-speed internet backbone and more and more unprotected users on
high-speed DSL lines, viruses can now spread at an unprecedented rate.  If
your servers aren't protected within minutes (or a few hours at most) of
release or first detection in the wild your antivirus software is no longer
a protection but merely a clean-up tool.

After MyDoom, things aren't the same.  Nor will it ever return to the old
"new virus once in a while but always trapped by our antivirus software
before damage is done" scenario of the distant past.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Waters, Jeff
> Sent: 26 February 2004 14:09
> To: Exchange Discussions
> Subject: RE: NETSKY.C out..Heads up!
>
>
> I'd have to revoke your warrant this time, NAV is configured just
> fine, and when the definitions are up-to-date it will do its job
> quite well.
> I'm not bashing NAV, until now I have had very few problems with NAV
> Corp, and since we came from McCrappy it has been a delight.  The
> problem this time is that it took them 3 DAYS to issue the definition
> update for MyDoom.F and that's just insane when most of the other
> vendors had it done in hours.
> Is this going to make me run out and replace our Desktop A/V software,
> no.
> Have I submitted an issue with Symantec, you're darn tooting.
> This isn't just a problem with how long it took them to get the def's
> out to the world, it's also an issue with their limited live update
> scheduler.
> If I could have set up the schedule to look every hour (like most of
> us do with Trend on our Exchange servers) then our one system would
> not have been able to get this virus.  I have also let them know how I
> feel about that issue as well.
>
>
>
> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 25, 2004 6:36 PM
> To: Exchange Discussions
> Subject: RE: NETSKY.C out..Heads up!
>
> Easy...you have your NAV/SAV scan all files as soon as they are
> created, modified or used...we do.
>
> If it attempts to come in from a webmail account, it will quarantine
> the dropper file, as soon as it hits the Temporary Internet Files
> directory.
>
> If you're having a problem with NAV not catching files, I'd warrant
> it's a configuration issue, not a product issue.
>
> -----Original Message-----
> From: Eric Holtzclaw [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 25, 2004 1:54 PM
> To: Exchange Discussions
> Subject: RE: NETSKY.C out..Heads up!
>
>
> How does this help if they use a hotmail account to get their mail
> with Norton on the desktop?
>
> Remember, not all users have a brain; that is why we have jobs.
>
>
> -----Original Message-----
> From: Chris H [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 25, 2004 1:46 PM
> To: Exchange Discussions
> Subject: Re: NETSKY.C out..Heads up!
>
> I don't know about you but I block all .scr, .exe, .pif, etc. and
> Symantec strips them out of any zip file regardless of the signature.
> If it cannot strip them out or scan inside the zip then it strips the
> zip file.
> Problem solved.
>
> ----- Original Message -----
> From: "Waters, Jeff" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Wednesday, February 25, 2004 3:35 PM
> Subject: RE: NETSKY.C out..Heads up!
>
>
> > You are right about that, however Symantec blew the .F big-time.  We
> > run Trend on our Exchange Server, and Trend on our servers and
> > desktops.  I have been blocking .zip's since the 20th when the .F
> > came out.  Trend had their def's updated within 2 hours.  Symantec
> > did not have a definition out until sometime after 8pm (EST) on the
> > 23rd.  How do I know this you ask, well our scheduled live updates
> > run at 8pm and we didn't get the update.
> > Unfortunately for us, one of our users accessed his personal web-mail
> > about 9am yesterday and got the .F on our computer.  There really was
> > no good reason for an update to take that long, not to mention that
> > before this set of updates (24th) their last update was the 18th.
> > I like Symantec, and I like having different vendors on Exchange and
> > the Desktop, but this time Symantec took it in the a** and we are
> > paying the price.  The good news is it only took out one system, the
> > bad news is that I am going to be restoring data late tonight to fix
> > what got deleted.  That one system had over a hundred .zip files on
> > it, and deposited well over 300 out onto the file servers he was
> > mapped to.  Our saving grace is that no one else opened up one of
> > those .zip files on the server.
> >
> > We are currently blocking about 50-75 .zip's an hour right now!!!  I
> > wish they would get one of these idiots that write these and cane
> > them in the middle of Times Square on national TV.
> >
> >
> > -----Original Message-----
> > From: Chris H [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 25, 2004 2:42 PM
> > To: Exchange Discussions
> > Subject: Re: NETSKY.C out..Heads up!
> >
> > I have found you can ask 10 people and get 10 different answers. Do
> > you like Dell or Compaq? Ask 10 people and see what they say. Mileage
> > varies.
> > I have had *zero* problems with Symantec and I came over from Trend
> > who IMO has lousy tech support.
> > I have not had a single client or server infected since moving and my
> > updates are almost instantaneous once the Primary server is updated.
> > I am very happy with them!
> >
> > ----- Original Message -----
> > From: "Eric Holtzclaw" <[EMAIL PROTECTED]>
> > To: "Exchange Discussions" <[EMAIL PROTECTED]>
> > Sent: Wednesday, February 25, 2004 2:32 PM
> > Subject: RE: NETSKY.C out..Heads up!
> >
> >
> > I ran a manual update and it updated to the newest file patterns and
> > went to their site with no answer to that variant. I knew the PC was
> > infected with random zip files starting to appear, from what Trend
> > described.
> >
> > Sorry, if you like Symantec but U got burned!!
> >
> > Eric
> >
> >
> > -----Original Message-----
> > From: Chinnery, Paul [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 25, 2004 10:42 AM
> > To: Exchange Discussions
> > Subject: RE: NETSKY.C out..Heads up!
> >
> > Didn't the client force an update or can't you do that with Symantec?
> >
> > Paul Chinnery
> > Network Administrator
> > Mem Med Ctr
> >
> >
> > -----Original Message-----
> > From: Eric Holtzclaw [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 25, 2004 1:37 PM
> > To: Exchange Discussions
> > Subject: RE: NETSKY.C out..Heads up!
> >
> >
> > Symantec sucks, one of my clients had many infected PC's with doom.f
> > because they did not update for 3 1/2 days and Trend and McAfee did.
> >
> > Not to mention the "I love you virus" was updated again by Trend not
> > Symantec
> >
> > Eric
> >
> > -----Original Message-----
> > From: Chris H [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 25, 2004 10:23 AM
> > To: Exchange Discussions
> > Subject: Re: NETSKY.C out..Heads up!
> >
> > That's what I like about Symantec's gateway . . . gets inside the
> > zip . . . of course it is a pain when you *need* to send an EXE but
> > oh well . . .
> >
> > ----- Original Message -----
> > From: "Pfefferkorn, Pete (pfeffepe)" <[EMAIL PROTECTED]>
> > To: "Exchange Discussions" <[EMAIL PROTECTED]>
> > Sent: Wednesday, February 25, 2004 1:18 PM
> > Subject: RE: NETSKY.C out..Heads up!
> >
> >
> > > Wasn't blocking ZIP attachments.  Trend now has a pattern available
> > > as well.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Chris H
> > > Sent: Wednesday, February 25, 2004 1:12 PM
> > > To: Exchange Discussions
> > > Subject: Re: NETSKY.C out..Heads up!
> > >
> > > It is using the attachment types we all usually block anyway, no?
> > >
> > > ----- Original Message -----
> > > From: "Pfefferkorn, Pete (pfeffepe)" <[EMAIL PROTECTED]>
> > > To: "Exchange Discussions" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, February 25, 2004 12:21 PM
> > > Subject: NETSKY.C out..Heads up!
> > >
> > >
> > > > I just started receiving messages that are being blocked based on
> > > > attachment type.  I believe it is NETSKY.C, which we don't have a
> > > > pattern file for on TREND yet, so watch out!
> > > >
> > > >
> > > > _________________________________________________________________
> > > > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > > > Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > > > Exchange List admin:    [EMAIL PROTECTED]
> > > > To unsubscribe via postal mail, please contact us at:
> > > > Jupitermedia Corp.
> > > > Attn: Discussion List Management
> > > > 475 Park Avenue South
> > > > New York, NY 10016
> > > >
> > > > Please include the email address which you have been contacted with.

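The default-deny attachment list and the look-inside-the-zip behaviour discussed in this thread, sketched as an added example; it is not from any poster and is not how the Symantec or Trend products are implemented. The extension lists, the size cap and all function names are assumptions chosen for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy values: anything not listed is blocked (default deny).
ALLOWED_EXT = {".txt", ".pdf", ".doc", ".xls", ".zip"}
ALLOWED_IN_ZIP = ALLOWED_EXT - {".zip"}   # nested archives are not let through
MAX_MEMBER_BYTES = 20 * 1024 * 1024       # do not inflate members larger than this

def ext_of(name):
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()

def clean_zip(data):
    """Return (clean_bytes, removed); clean_bytes is None if the zip must go."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None, ["<unreadable zip>"]
    out, removed = io.BytesIO(), []
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                return None, ["<encrypted or oversized member>"]
            if ext_of(info.filename) in ALLOWED_IN_ZIP:
                dst.writestr(info.filename, src.read(info))
            elif not info.is_dir():
                removed.append(info.filename)
    return out.getvalue(), removed

def decide(name, data):
    """Return (action, payload). A zip by content is inspected whatever its name."""
    if ext_of(name) not in ALLOWED_EXT:
        return "block", None
    if ext_of(name) == ".zip" or zipfile.is_zipfile(io.BytesIO(data)):
        clean, removed = clean_zip(data)
        action = "block" if clean is None else "stripped" if removed else "deliver"
        return action, clean
    return "deliver", data

def filter_message(msg):
    """Return [(filename, action, payload)] for every attachment of msg."""
    return [(p.get_filename() or "",
             *decide(p.get_filename() or "", p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()]

def sample_message():
    """Constructed sample; names and contents are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("setup.exe", b"MZ constructed placeholder")
    msg = EmailMessage()
    msg.set_content("see attachments")
    for name, data in [("notes.txt", b"plain text"), ("game.scr", b"MZ"),
                       ("docs.zip", buf.getvalue()), ("broken.zip", b"PK\x03\x04")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

On the constructed sample, `notes.txt` is delivered, `game.scr` and the unreadable `broken.zip` are blocked, and `docs.zip` is rewritten with only `readme.txt` left inside.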