
Re: [FW-1] new virus (?)



The virus you are seeing is the Goner virus :-
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

We use the security server and Norton Antivirus for firewalls as the CVP
server to strip email viruses, or, as Philip suggested, just do it with the
MIME types on the security server.

Mark

----- Original Message -----
From: "Trievel, Thomas" <[email protected]>
To: <[email protected]>
Sent: Friday, December 07, 2001 3:32 PM
Subject: Re: [FW-1] new virus (?)


> I have been trying to set up the attachment blocking described below.  When I
> edit the object.C file and then implement the policy, the addition that I
> made to the file is deleted.  ???  Any ideas??
>
> Tom Trievel
> Amerigroup Corp
> Network Security Administrator
>
> -----Original Message-----
> From: Colmer, Philip [mailto:[email protected]]
> Sent: Wednesday, December 05, 2001 4:36 AM
> To: [email protected]
> Subject: Re: [FW-1] new virus (?)
>
>
> > We just got hit hard with emails with "Subject: Hi" and an
> > attachment named "gone.scr".  Has anyone else seen this?
> > What is the procedure for blocking an email based on the
> > subject at the firewall?
>
> You cannot block based on a subject with the firewall.
>
> What you can do is create an SMTP Security Server resource and use that to
> strip out the attachments, either based on the MIME encoding type (pre-SP3)
> or on the extension type (SP3 and later).
>
> To do this:
>
> 1. Create an SMTP resource. If all you are wanting to do is strip bad
> attachments, just give it a name and put the IP address of the destination
> SMTP server in. You can also use this resource to ensure that incoming email
> matches your email domains - useful for preventing relaying through your
> email server.
>
> 2. Set up a rule that ensures that all email intended for your email server
> goes against the resource. To do this, where it would normally say "SMTP" as
> the service, remove this and add the resource instead. Pick SMTP and then
> pick the resource from the list.
>
> 3. Once you've set up the policy, go to the firewall. Find the objects.C
> file. Edit the file and look for the definition of the SMTP resource you've
> just created. Add the following to the end of the definition:
>
> : (forbiddenfiles
>   : ("{*.scr}")
> )
>
> Save the file and re-implement the policy.
>
> What happens is that any attempt to connect to your email server for the
> purposes of SMTP gets intercepted by the firewall. It then strips out any
> attachment that has an extension that matches the list above - you can have
> comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
>
> We've implemented the above ".scr" list for now, but we'll shortly be
> expanding it to include all of the filetypes that Outlook now blocks.
>
> Implementing this has two benefits:
>
> 1. It stops the filetypes even hitting the mail server, thus reducing the
> amount of work that the anti-virus software has to do.
>
> 2. It ensures that new viruses get stripped out, regardless of whether or
> not the AV software knows about it ... which it didn't for the new gone.scr
> virus.
>
> Hope that helps.
>
> --Philip
>
> --
> Philip Colmer MBCS CEng                 Tel: 01223 271223
> I.T. Manager                            Fax: 01223 215513
> ProQuest Information & Learning
> The Quorum, Barnwell Road, Cambridge, CB5 8SW
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================



 
----------------------------------
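
Added example, not part of the thread and not Check Point code: a small Python audit of a `forbiddenfiles` list in the form shown in Philip's post, run against constructed attachment names before the list goes into objects.C. The wildcard semantics and the case handling are assumptions (the post does not state them), and `parse_forbidden`, `is_stripped` and `audit` are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Stanza in the form shown in the post, using the comma-separated list it mentions.
STANZA = '''
: (forbiddenfiles
  : ("{*.scr,*.vbs,*.vbe,*.shs}")
)
'''

def parse_forbidden(stanza):
    """Return the patterns from a forbiddenfiles stanza, or [] if none is present."""
    m = re.search(r'\(forbiddenfiles\s*:\s*\("\{([^}]*)\}"\)\s*\)', stanza)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]

def is_stripped(filename, patterns, ignore_case=True):
    """True if filename matches any pattern.

    Assumption: shell-style wildcards applied to the whole filename. The post
    does not say whether matching is case-insensitive, so it is a parameter.
    """
    name = filename.lower() if ignore_case else filename
    for pat in patterns:
        pat = pat.lower() if ignore_case else pat
        if fnmatchcase(name, pat):
            return True
    return False

def audit(filenames, patterns, ignore_case=True):
    """Map each attachment name to True (stripped) or False (passes through)."""
    return {f: is_stripped(f, patterns, ignore_case) for f in filenames}

if __name__ == "__main__":
    pats = parse_forbidden(STANZA)
    # Constructed attachment names, including case and double-extension variants.
    samples = ["gone.scr", "GONE.SCR", "report.doc",
               "invoice.doc.vbs", "notes.scr.txt"]
    for name, hit in audit(samples, pats).items():
        print(f"{name:18} {'STRIP' if hit else 'pass'}")
    # If the real matcher were case-sensitive, this name would not be caught.
    print("case-sensitive:", audit(["GONE.SCR"], pats, ignore_case=False))
```

Running the same names with `ignore_case=False` shows which entries depend on the case assumption, which is worth confirming with a test message through the firewall itself.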

   All contents © 2004 Network Presence, LLC. All rights reserved.