Re: [FW-1] new virus (?)



Does anybody know how to configure Check Point to only allow specific email
attachments in? Let's say (.doc, .zip, .xls),
and strip everything else. New viruses with different attachments than the
ones outlined below will bypass the SMTP security server and wreak havoc on
our systems, and AV software companies take too long to put new virus
signatures out.

Any recommendations are greatly appreciated.


Laz Rodriguez

-----Original Message-----
From: Mark Ward [mailto:[email protected]]
Sent: Friday, December 07, 2001 10:57 AM
To: [email protected]
Subject: Re: [FW-1] new virus (?)


The virus you are seeing is the Goner virus :-
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

We use the security server and Norton Antivirus for firewalls as the CVP
server to strip email viruses or as Philip suggested just do it with the
MIME types on the security server.

Mark

----- Original Message -----
From: "Trievel, Thomas" <[email protected]>
To: <[email protected]>
Sent: Friday, December 07, 2001 3:32 PM
Subject: Re: [FW-1] new virus (?)


> I have been trying to set up the attachment blocking described below.
> When I edit the object.C file and then implement the policy, the
> addition that I made to the file is deleted.  ???  Any ideas??
>
> Tom Trievel
> Amerigroup Corp
> Network Security Administrator
>
> -----Original Message-----
> From: Colmer, Philip [mailto:[email protected]]
> Sent: Wednesday, December 05, 2001 4:36 AM
> To: [email protected]
> Subject: Re: [FW-1] new virus (?)
>
>
> > We just got hit hard with emails with "Subject: Hi" and an
> > attachment named "gone.scr".  Has anyone else seen this? What is the
> > procedure for blocking an email based on the subject at the
> > firewall?
>
> You cannot block based on a subject with the firewall.
>
> What you can do is create an SMTP Security Server resource and use
> that to strip out the attachments, either based on the MIME encoding
> type (pre-SP3) or on the extension type (SP3 and later).
>
> To do this:
>
> 1. Create an SMTP resource. If all you are wanting to do is strip bad
> attachments, just give it a name and put the IP address of the
> destination SMTP server in. You can also use this resource to ensure
> that incoming email matches your email domains - useful for preventing
> relaying through your email server.
>
> 2. Set up a rule that ensures that all email intended for your email
> server goes against the resource. To do this, where it would normally
> say "SMTP" as the service, remove this and add the resource instead.
> Pick SMTP and then pick the resource from the list.
>
> 3. Once you've set up the policy, go to the firewall. Find the
> objects.C file. Edit the file and look for the definition of the SMTP
> resource you've just created. Add the following to the end of the
> definition:
>
> : (forbiddenfiles
>   : ("{*.scr}")
> )
>
> Save the file and re-implement the policy.
>
> What happens is that any attempt to connect to your email server for
> the purposes of SMTP gets intercepted by the firewall. It then strips
> out any attachment that has an extension that matches the list above -
> you can have comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
>
> We've implemented the above ".scr" list for now, but we'll shortly be
> expanding it to include all of the filetypes that Outlook now blocks.
>
> Implementing this has two benefits:
>
> 1. It stops the filetypes even hitting the mail server, thus reducing
> the amount of work that the anti-virus software has to do.
>
> 2. It ensures that new viruses get stripped out, regardless of whether
> or not the AV software knows about it ... which it didn't for the new
> gone.scr virus.
>
> Hope that helps.
>
> --Philip
>
> --
> Philip Colmer MBCS CEng                 Tel: 01223 271223
> I.T. Manager                            Fax: 01223 215513
> ProQuest Information & Learning
> The Quorum, Barnwell Road, Cambridge, CB5 8SW
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================



 
----------------------------------
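
Added example, not part of the original thread and not Check Point code: a small Python model of the two policies discussed above, the extension blocklist in the style of ("{*.vbs,*.vbe,*.shs}") and the allow-only list (.doc, .zip, .xls) asked about in the top message. The function names and the sample message are constructed for illustration, and the matching rules (case-insensitive, last extension decides) are assumptions, since the thread does not say how the security server compares names.

```python
import fnmatch
from email import message_from_string
from email.message import EmailMessage

def parse_patterns(spec):
    """Split a "{*.vbs,*.vbe}" style list into lower-cased glob patterns."""
    inner = spec.strip().strip("{}")
    return [p.strip().lower() for p in inner.split(",") if p.strip()]

def attachment_names(raw_message):
    """Return the filename of every MIME part that declares one."""
    parts = message_from_string(raw_message).walk()
    return [p.get_filename() for p in parts if p.get_filename()]

def matches(name, patterns):
    """Case-insensitive glob match on the full name, so the last extension decides."""
    # Windows drops trailing dots and spaces on save: treat "x.scr." as "x.scr".
    cleaned = name.lower().rstrip(". ")
    return any(fnmatch.fnmatchcase(cleaned, p) for p in patterns)

def stripped_by_blocklist(raw_message, spec):
    """Names removed when only the listed extensions are forbidden."""
    pats = parse_patterns(spec)
    return [n for n in attachment_names(raw_message) if matches(n, pats)]

def stripped_by_allowlist(raw_message, spec):
    """Names removed when everything except the listed extensions is forbidden."""
    pats = parse_patterns(spec)
    return [n for n in attachment_names(raw_message) if not matches(n, pats)]

def build_sample():
    """Constructed test message; the attachment names are made up for the example."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg.set_content("constructed sample body")
    for name in ("gone.scr", "report.doc", "photo.JPG.pif", "Budget.XLS", "notes.doc.SCR"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    sample = build_sample()
    print("blocklist {*.scr} strips:", stripped_by_blocklist(sample, "{*.scr}"))
    print("allowlist strips:", stripped_by_allowlist(sample, "{*.doc,*.zip,*.xls}"))
```

On the constructed sample the {*.scr} blocklist lets photo.JPG.pif through, while the allow-only list strips it along with both .scr files and keeps report.doc and Budget.XLS.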

   All contents © 2004 Network Presence, LLC. All rights reserved.