I am also blocking *.com on our SMTP Scan Job for Antigen but this attachment slipped by. Luckily the user who got it suspected something and called us. I have updated the virus engines running on our Antigen but I am curious why the attachment blocking didn't work? Any IDEAS?
Saul

> This one slipped by our *.com file matching as well... actually it's been a
> little hit and miss... some were caught but others were not stopped until we
> installed the definition file--We're running Antigen with the Norman def.
> I'm still seeing weird stuff.... some seem to be getting through the IMC scan
> and making it to the store and getting disinfected there. That's the first
> time I've ever seen that. Very odd indeed. Most that are being caught are
> by the virus definition--because generally we just get the *.com type block
> message. Wonder what's going on here.
>
> Fortunately we run something different on the desktop--and it had updated
> through the night.
>
> Josh Harmon
>
>
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 8:20 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> Somehow this one slipped past our .com filter on our linux firewall. NAV
> for exchange caught it by the .COM extension, and norton had just
> liveupdated us an hour earlier with the new definitions that would have
> caught it if it wasn't a blocked extension. I think the syntax of the
> attachment code is probably not RFC compliant.
>
> Tom
>
> -----Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 9:03 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> Fortunately we're all blocking *.com right? The *.com viruses are going to
> take forever to combat from a social engineering standpoint. It's probably
> worth investing some time in user education on .com files because I think
> this is going to be a new favorite virus writing style for the next few
> months.
>
> Chris Scharff
> The Mail Resource Center
> http://www.mail-resources.com
>
> -----Original Message-----
> From: Martin Blackstone
> To: Exchange Discussions
> Sent: 1/28/2002 7:57 AM
> Subject: FW: Alert: W32/Myparty-mm on the loose
>
>
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 5:45 AM
> To: [EMAIL PROTECTED]
> Subject: Alert: W32/Myparty-mm on the loose
>
>
> Be aware that this morning you will likely find a copy of this new mass
> mailer in your mail systems. This is a pure social engineering attack, it
> contains an attachment named as a URL with a .com extension. Since .com is
> also an application, it will be run as such if it's double-clicked on. Check
> with your AV company for updates and/or filtering criteria. If you can, be
> sure you have attachment filtering enabled at your mail gateway. Outlook
> Email Security Update, and Outlook 2002, both catch this attachment and
> prevent it from being available for the user to click on.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
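Added example (not part of the original thread, and not Antigen's or NAV's logic): a gateway-side extension check that collects attachment names from both the parsed MIME parameters and a loose scan of the raw header text, so a name with broken quoting is still compared against the block list. It assumes, as Tom guesses above without confirmation, that a malformed attachment header is what let the file past a `*.com` rule; the function names, block list and sample message are constructed for illustration.

```python
import email
import re

BLOCKED_EXTENSIONS = (".com", ".exe", ".pif", ".scr")  # constructed policy list

# Loose pattern: finds name=/filename= values even if quoting is missing or unbalanced.
LOOSE_NAME = re.compile(r'(?:file)?name\*?\d*\*?\s*=\s*"?([^";\r\n]+)', re.I)

def normalise(name):
    # Drop quotes, whitespace and the trailing dots/spaces that Windows ignores.
    return name.strip().strip('"').rstrip(". ").lower()

def candidate_names(part):
    """Every filename a mail client might plausibly derive for this MIME part."""
    names = {part.get_filename() or ""}  # Content-Disposition filename, else Content-Type name
    for header in ("Content-Type", "Content-Disposition"):
        for value in part.get_all(header, []):
            names.update(LOOSE_NAME.findall(str(value)))
    return {normalise(n) for n in names if n}

def blocked_attachments(raw_bytes):
    """Return the sorted, normalised names of parts whose extension is blocked."""
    msg = email.message_from_bytes(raw_bytes)
    hits = set()
    for part in msg.walk():
        hits.update(n for n in candidate_names(part) if n.endswith(BLOCKED_EXTENSIONS))
    return sorted(hits)

# Constructed sample: one well-formed part, one with an unbalanced quote and a
# trailing dot in the Content-Type name parameter, and one harmless text file.
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.example-photos.com"

x
--b1
Content-Type: application/octet-stream; name="www.example-party.com.
Content-Disposition: attachment

x
--b1
Content-Disposition: attachment; filename="notes.txt"

x
--b1--
"""
print(blocked_attachments(SAMPLE))
```
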

