Don’t really have anything to add to this one :)  I just love trolling
Adam’s emails.

 

Pretty much agree with all that is said here.  The only exception would be
(like it or not) it is a good idea to have AV at the store level.  Leave it
disabled as previously mentioned, but it is a nice insurance policy to be
able to do cleanup once updated definitions are released.  

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Adam Farage
Sent: Tuesday, April 22, 2014 8:15 PM
To: [email protected]
Subject: RE: [Exchange] RE: Antivirus placement - Exchange 2010

 

That's insane, that you cannot block any attachments.
From the standpoint of anti-virus / anti-malware and anti-spam protection I
take a pretty simple approach:

- Block any attachment that is not a common Office type file, and block this
at the smarthost / SMTP gateway (I usually see Exchange Online Protection,
EOP or IronPort). So we let through .doc, .docx, .pdf, .xls, .xlsx, .ppt,
and .pptx. We *do* typically block .rar/.zip unless the client throws a
shitstorm complaining about it.
- Antivirus placement is a big discussion usually.. and in my opinion place
it on the HUB/EDGE portion. If you are doing AV scanning on the transport
pipeline, the likelihood you will receive a virus at the store level is
little to none.
- File level AV all around, just make sure your exclusions are correct.. and
man are there a lot of them ;)

Doing AV scanning using VSAPI (on the mailbox layer) in my opinion has
caused multiple issues such as performance, and data corruption. Stuff I
rather stay away from.
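
The extension allowlist described in the message above, as an added example that is not part of the original email and not any gateway product's own configuration. The function names and the sample messages are constructed for illustration; the allowlist is the one given in the message.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Allowlist from the message above; every other extension is rejected.
ALLOWED = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}

def normalized_ext(filename):
    """Final extension, lower-cased, after dropping any path prefix and the
    trailing dots/spaces that Windows ignores when opening a file."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ")
    return PurePosixPath(name).suffix.lower()

def gateway_verdict(raw_bytes):
    """Return (accept, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # decodes RFC 2231/2047 encoded names
        if filename is None:
            # Plain body text passes; an unnamed binary part does not.
            if part.get_content_maintype() != "text":
                reasons.append("unnamed " + part.get_content_type())
            continue
        ext = normalized_ext(filename)
        if ext not in ALLOWED:
            reasons.append(f"{filename!r}: extension {ext or '(none)'} not allowed")
    return (not reasons, reasons)

def build_sample(filenames):
    """Constructed sample message with one dummy attachment per filename."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for fn in filenames:
        m.add_attachment(b"dummy", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    for names in (["q1.pdf", "REPORT.XLSX"], ["invoice.pdf.exe"], ["archive.zip"]):
        print(names, gateway_verdict(build_sample(names)))
```

The check looks only at the declared file name, so it complements content scanning on the transport pipeline rather than replacing it.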




  _____  

Date: Tue, 22 Apr 2014 20:01:51 -0400
Subject: Re: [Exchange] RE: Antivirus placement - Exchange 2010
From: [email protected] <mailto:[email protected]> 
To: [email protected] <mailto:[email protected]> 

You can't block *ANY* attachments?

 

That can't be right.

 

On Tue, Apr 22, 2014 at 7:25 PM, Kurt Buff <[email protected]> wrote:

Your results are more the outcome of your settings to block certain
attachments than to the Barracuda's prowess in AV detection.

I am not allowed to block attachments, we have a 410, and I regularly
see infectious emails come through.

Whenever I get an unexpected email with an attachment, I submit the
attachment to
http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
and to https://malwr.com/ and regularly see results that make me
shudder...

Those submissions are in parallel to my submission to virustotal, and
invariably the attachment has already been scanned, and nobody has a
signature for it.

Mostly, I get these from China (or at least the emails use Chinese
character sets.)


Kurt


On Tue, Apr 22, 2014 at 4:13 PM, Kennedy, Jim <[email protected]> wrote:
>
> "Email AV gateway appliance (vm or physical) (Trend, Barracuda, etc.)"
>
> Specifically a Cuda. Only one email virus in a decade of using them. I block
> exe's, password protected zips and the usual suspect file types with it,
> that certainly helps.
>
>
> ________________________________
> From: [email protected] [[email protected]] on
> behalf of Stringham, Steven [[email protected]]
> Sent: Tuesday, April 22, 2014 5:53 PM
> To: [email protected]
> Subject: [Exchange] Antivirus placement - Exchange 2010
>
> Antivirus software and Exchange 2010 – where should I put it? I am looking
> at this as a performance, security balancing act.  So, my thoughts are where
> do you folks put it.  A little poll please…
>
>
>
> ____ AntiSpam outside service – before my internal systems see it.
>
>
>
> ____ Email AV gateway appliance (vm or physical) (Trend, Barracuda, etc.)
>
>
>
> ____ Edge Gateway role servers
>
>
>
> ____ Hub Transport servers
>
>
>
> ____ Mailbox servers
>
>
>
>
>
> Personally, I think this is a bit of an all of the above type thing, but,
> where would you put AV for Email.
>
>
>
> And, do you use separate brands for different spots?
>
>
>
> Thanks
>
> Steven Stringham