See below for inline answers.

> I think that this has to be one of the most HORRIBLE policies that I
> have ever heard of. How difficult would it be for a new worm/virus to
> be written to take advantage of this gaping wound that you have
> created. For example checking our filters for emails that got filtered
> for the presence of suspect attachment types I see quite a few with
> text similar to this:
> ---------------
> Please read the document.
>
> +++ Attachment: No Virus found
> +++ MessageLabs AntiVirus - www.messagelabs.com
> ----------------
> Of course the attachment is actually infected. Would not be too hard
> for the worm code to be modified to use the same type text found in
> your SAV message and use a file name called deleted0.txt.??? with the
> ??? indicating

This would not happen; the hidden extension is not hidden from the SAV
Gateway and would be scanned and deleted and replaced with a valid
deleted0.txt.

> your extension of choice. If the user does not have reveal extensions
> turned on they will just see the deleted0.txt file name and feel safe
> (because you trained them to feel that way) to go ahead and open the
> file! The day your AV does not update or crashes or an infected file
> makes the rounds that Norton has not yet updated their def's to detect
> you will have created a HUGE security issue.

That is why all mail gateways should block certain types of extensions.
The SAV gateway has many settings for handling attachments. We have ours
set to just delete certain files based on the extension of the file.
Also if a blocked file type is in a compressed file it will remove it
from the compressed file.

>
> If the file is infected dump it. Sometimes I really wonder about
> Norton. This feature is about as dumb as their default setting to
> quarantine infected files. If the file is infected delete it!

Well you have the choice with NAV to quarantine or delete the file.

> The funny thing is that when someone changes from Norton to another
> vendor's product (for one that is less intrusive, uses fewer system
> resources and catches more infected files) and uninstalls Norton it
> leaves behind its quarantine folder with all the infected files in it!
> If the user never thought about ever deleting what was being
> "saved/archived" by Norton they can find that they have meg's and
> meg's of space being consumed by infected files.
>
> That would be like the next time you catch the flu you sneeze into a
> glass jar, put a lid on that jar and then set the jar on the edge of
> your desk.

Bad visual :)

>
> At 05:13 PM 5/26/2004, you wrote:
> >Yeah, sorry, that's what I meant to say (not thinking this morning).
> >
> >SAV SMTP replaces the attachment with the deleted0.txt which explains
> >what files were removed from the email and why. We use that.
> >
> >But no matter how many times you explain this to users, explain why
> >the deleted0.txt is placed there, they still ring up every time they
> >get one saying "I think I have a virus".
> >
> >Each time it's the same response: "If you open the deleted0.txt
> >attachment, it will tell you what file was removed from the email, and
> >why. It's ok, that text file is quite safe to open. Yes, yes I'm sure
> >it's safe. Open it up."
> >
> >But, SAV for SMTP is definitely the way to go. In my opinion anyway!
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> >Sent: Thursday, 27 May 2004 10:13 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [IMail Forum] Zip attachments
> >
> > > We do not use any of the content filtering features available
> > > in IMail. It's just too time consuming to use.
> > >
> > > We have Symantec Antivirus for SMTP gateways, which scans all
> > > ZIP files, and deletes any harmful contents. If the ZIP is
> > > password protected, then the gateway can not scan the
> > > contents and will drop the email (a bit of a pain, but would
> > > rather it drop them than allow it to pass).
> >
> >You can have the gateway delete the attachment and pass the email.
> >We use SAV for SMTP gateways
> >
> >Kevin Bilbee

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
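
The gateway behaviour discussed in this thread (judge each attachment by its real final extension, strip blocked members from ZIP files, delete what cannot be scanned, and list the removals in a deleted0.txt), sketched as an added example that is not part of the original thread and not Symantec's code. The `BLOCKED` list and the function names are assumptions; nested archives are not handled.

```python
import io, zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}  # assumed policy list

def real_ext(name):
    # Judge the final suffix after trimming trailing dots/spaces, so
    # "deleted0.txt.scr" counts as .scr whatever the mail client displays.
    return PurePosixPath(name.replace("\\", "/").rstrip(". ")).suffix.lower()

def filter_zip(data):
    """Return (rebuilt_zip_bytes, removed); bytes is None if it cannot be scanned."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None, ["unreadable archive"]
    if any(i.flag_bits & 0x1 for i in src.infolist()):  # bit 0 = encrypted member
        return None, ["password-protected archive"]
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if real_ext(info.filename) in BLOCKED:
                removed.append(info.filename)
            else:
                dst.writestr(info.filename, src.read(info))
    return out.getvalue(), removed

def sanitize(msg):
    """Rebuild msg without blocked content; list what was removed in deleted0.txt."""
    clean, removed = EmailMessage(), []
    for header in ("From", "To", "Subject"):
        if msg[header]:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "unnamed", part.get_payload(decode=True)
        if real_ext(name) in BLOCKED:
            removed.append(name)
            continue
        if real_ext(name) == ".zip":
            data, gone = filter_zip(data)
            removed += [f"{name}: {g}" for g in gone]
            if data is None:
                continue
        clean.add_attachment(data, maintype="application",
                             subtype="octet-stream", filename=name)
    if removed:
        clean.add_attachment("Removed by gateway policy:\n" + "\n".join(removed),
                             filename="deleted0.txt")
    return clean, removed
```

Because the notice is generated by the gateway and any inbound file whose real extension is blocked is removed first, a sender-supplied "deleted0.txt.scr" never reaches the mailbox under this policy.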
