AdmiNotes by Christopher Harvey
02/25/2004 08:17:28 PM - What to do with ZIPs




Well, we narrowly avoided Netsky.c today.  I updated McAfee dats at 3:45 and by 4:30 we had blocked 75 inbound messages with Netsky.c.  So, we were minutes from receiving messages that our users would not have been protected from, except that we also had a rule to block all ZIP files like I mentioned yesterday.

I was really leaning towards the "let ZIPs through and let the anti-virus tool do its job" approach.  But, when I stop to think about it, we block all executables as an 'added precaution' even though the anti-virus software is there.  So, now it looks like blocking ZIPs may be a good idea too; and that's a real shame.  ZIP files in an email are a really useful way to move data around.

Not just for McAfee users:  I have made one tweak to how we are blocking the attachments.  I am blocking ZIPs with a server side mail rule in the Server Configuration document.  That rule sends them off to a quarantine database.  This is better than letting McAfee quarantine all ZIPs because:

  • McAfee's quarantine doesn't allow me to copy and paste the message to the user's Inbox for retrieval
  • McAfee's extension block happens prior to virus blocking (which is more efficient) but then all emails with a ZIP file end up in the same bucket.  By blocking attachments with a rule, known viruses are still blocked by McAfee and whatever gets through (which is a much smaller number) can be examined individually in a separate place.
  • By letting McAfee's virus detection stop the virus (instead of by extension) I get a good count of the viruses that are being stopped by type, and not just what attachments are blocked not knowing which viruses they may or may not be associated with.
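
The ordering described in the list above (signature detection first, then a rule that sends whatever ZIPs remain to a separate review quarantine), as an added Python sketch; it is not the Domino mail rule or McAfee configuration from this post. The hash-lookup "signature" table, the function names and the sample messages are constructed for illustration, and the `PK` magic-byte check goes one step beyond a pure extension rule so that renamed archives also land in quarantine.

```python
import hashlib, io, zipfile
from collections import Counter
from email.message import EmailMessage

def zip_bytes(member, data):
    """Build a small in-memory ZIP (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, data)
    return buf.getvalue()

def message(filename=None, payload=b""):
    """Build a constructed test message, optionally with one attachment."""
    m = EmailMessage()
    m.set_content("see attachment")
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m

def route(msg, signatures, virus_counts):
    """Return (verdict, detail). The AV stage runs before the ZIP rule."""
    parts = [(p.get_filename() or "", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments()]
    # Stage 1: signature match (stand-in for the AV engine), counted by name.
    for _, data in parts:
        name = signatures.get(hashlib.sha256(data).hexdigest())
        if name:
            virus_counts[name] += 1
            return "av-blocked", [name]
    # Stage 2: anything ZIP-like that survived goes to the review quarantine.
    for fname, data in parts:
        if fname.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            try:
                members = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                members = ["<unreadable archive>"]
            return "quarantine", members
    return "deliver", []

def demo():
    known = zip_bytes("doc.pif", b"constructed stand-in, not malware")
    sigs = {hashlib.sha256(known).hexdigest(): "Constructed.Sample.A"}
    counts = Counter()
    inbound = [message("a.zip", known),
               message("q4.zip", zip_bytes("q4.xls", b"numbers")),
               message("photo.dat", zip_bytes("x.scr", b"renamed")),
               message()]
    return [route(m, sigs, counts) for m in inbound], dict(counts)

if __name__ == "__main__":
    print(demo())
```

The quarantine verdict carries the archive's member names, which is what makes reviewing each held message individually practical; the per-name counter only ever sees messages stopped by the signature stage.
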
So, how does this compare to other products?  If you use something else to block viruses on your Domino server, what do you really like about how it works?



Comments

Comment posted by Jerry Carter 02/26/2004 08:46:29 AM


Hey Chris, just as an aside, we DID get Netsky.c here yesterday and everybody's machine (mostly) was busy resending virus payloads to everyone else inside and outside the company... except mine. I'd applied the MS patch that came out two weeks back, and the desktop group hadn't pushed it to everyone's machines yet... no excuse for that really.

Yeah, that is a shame - pretty much cripples email as a data exchange tool as I think most people assume zips are a 'safe' way to send exe's when they need to... not to mention all the JPG-heavy PowerPoint presentations.

