
Re: [FW-1] new virus (?)



Try this to change the objects.C file; I made the changes to strip *.scr
files and it worked.

In order to make changes to objects.C, the following steps are recommended:

1. Use ps -awux|grep fwm to see how the fwm daemon is running. Use `fw kill
fwm` to terminate the FireWall-1 management daemon.

2. Delete objects.C.sav and objects.C.bak to ensure FireWall-1 doesn't
replace your changes with these files. It will if they have a more recent
timestamp than your current objects.C.

3. Make the suggested change. Most of these changes occur in the ":props"
section of the file. There are some new 4.1 SP4 Encryption properties which
are applied to host or gateway objects.

4. Restart the fwm daemon the same way as it was running before.

5. Push policy to your firewall module(s).

Optionally, you could kill the 'fwm' process and restart it instead of
bouncing FireWall-1; however, the only sure-fire way to make sure the
changes stick is to stop FireWall-1 entirely.



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of
Trievel, Thomas
Sent: Friday, 07 December 2001 12:33
To: [email protected]
Subject: Re: [FW-1] new virus (?)


I have been trying to set up the attachment blocking described below.  When I
edit the objects.C file and then implement the policy, the addition that I
made to the file is deleted.  ???  Any ideas??

Tom Trievel
Amerigroup Corp
Network Security Administrator

-----Original Message-----
From: Colmer, Philip [mailto:[email protected]]
Sent: Wednesday, December 05, 2001 4:36 AM
To: [email protected]
Subject: Re: [FW-1] new virus (?)


> We just got hit hard with emails with "Subject: Hi" and an
> attachment named "gone.scr".  has anyone else seen this?
> What is the procedure for blocking an email based on the
> subject at the firewall?

You cannot block based on a subject with the firewall.

What you can do is create an SMTP Security Server resource and use that to
strip out the attachments, either based on the MIME encoding type (pre-SP3)
or on the extension type (SP3 and later).

To do this:

1. Create an SMTP resource. If all you want to do is strip bad
attachments, just give it a name and put the IP address of the destination
SMTP server in. You can also use this resource to ensure that incoming email
matches your email domains - useful for preventing relaying through your
email server.

2. Set up a rule that ensures that all email intended for your email server
goes against the resource. To do this, where it would normally say "SMTP" as
the service, remove this and add the resource instead. Pick SMTP and then
pick the resource from the list.

3. Once you've set up the policy, go to the firewall. Find the objects.C
file. Edit the file and look for the definition of the SMTP resource you've
just created. Add the following to the end of the definition:

: (forbiddenfiles
  : ("{*.scr}")
)

Save the file and re-implement the policy.

What happens is that any attempt to connect to your email server for the
purposes of SMTP gets intercepted by the firewall. It then strips out any
attachment that has an extension that matches the list above - you can have
comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").

We've implemented the above ".scr" list for now, but we'll shortly be
expanding it to include all of the filetypes that Outlook now blocks.

Implementing this has two benefits:

1. It stops the filetypes even hitting the mail server, thus reducing the
amount of work that the anti-virus software has to do.

2. It ensures that new viruses get stripped out, regardless of whether or
not the AV software knows about them ... which it didn't for the new gone.scr
virus.

Hope that helps.

--Philip

--
Philip Colmer MBCS CEng                 Tel: 01223 271223
I.T. Manager                            Fax: 01223 215513
ProQuest Information & Learning
The Quorum, Barnwell Road, Cambridge, CB5 8SW
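
Added example, not code from the thread or from Check Point: a small Python helper that mirrors the two manual procedures above as checks you can run before touching the box. It flags objects.C.sav / objects.C.bak copies that are not older than objects.C (the cause of Tom's vanishing edit, per step 2 of the reply), inserts the forbiddenfiles stanza at the end of a named SMTP resource block exactly once, and tests candidate attachment names against the "{*.scr,*.vbs}" list. Assumptions: the objects.C fragment, the resource name smtp_strip and the server address are constructed sample values in the ':key (value)' nested-parenthesis layout the post shows; $FWDIR/conf as the location of objects.C is an assumed path; and the helper matches attachment names case-insensitively, which the thread does not confirm for FireWall-1 itself.

```python
"""Helpers for the objects.C forbiddenfiles edit discussed in the thread."""
import fnmatch
import os
import re

# Constructed objects.C fragment (sample values, not from a real install).
SAMPLE_OBJECTS_C = (
    "(\n"
    "\t:resources (\n"
    "\t\t: (smtp_strip\n"
    "\t\t\t:type (smtp)\n"
    "\t\t\t:server (192.0.2.25)\n"
    "\t\t)\n"
    "\t)\n"
    ")\n"
)


def stale_backups(mtimes):
    """Step 2 of the procedure: list objects.C.sav / objects.C.bak copies whose
    timestamp is not older than objects.C, i.e. the ones FireWall-1 may copy
    back over a hand-edited file. `mtimes` maps file name -> mtime (seconds)."""
    current = mtimes.get("objects.C")
    if current is None:
        raise FileNotFoundError("objects.C not present")
    return sorted(name for name in ("objects.C.sav", "objects.C.bak")
                  if name in mtimes and mtimes[name] >= current)


def scan_conf_dir(conf_dir):
    """Collect mtimes from a real directory ($FWDIR/conf is an assumed path)."""
    result = {}
    for name in ("objects.C", "objects.C.sav", "objects.C.bak"):
        path = os.path.join(conf_dir, name)
        if os.path.exists(path):
            result[name] = os.stat(path).st_mtime
    return result


def _resource_span(lines, resource_name):
    """Return (start, end, indent) for the ': (name' block; `end` is the index
    of the line holding the block's closing parenthesis."""
    opener = re.compile(r"^(\s*): \(" + re.escape(resource_name) + r"\s*$")
    for start, line in enumerate(lines):
        m = opener.match(line)
        if m:
            break
    else:
        raise ValueError("resource %r not found" % resource_name)
    depth = 0
    for end in range(start, len(lines)):
        depth += lines[end].count("(") - lines[end].count(")")
        if depth == 0:
            return start, end, m.group(1)
    raise ValueError("unbalanced parentheses in resource block")


def forbidden_patterns(text, resource_name):
    """Patterns in the resource's forbiddenfiles stanza, or None if absent."""
    lines = text.splitlines()
    start, end, _ = _resource_span(lines, resource_name)
    for k in range(start, end):
        if lines[k].strip() == ": (forbiddenfiles":
            m = re.search(r'"\{(.*)\}"', lines[k + 1])
            if not m:
                raise ValueError("malformed forbiddenfiles stanza")
            return [p.strip() for p in m.group(1).split(",") if p.strip()]
    return None


def add_forbidden_files(text, resource_name, patterns):
    """Step 3 of the how-to: append the forbiddenfiles stanza to the resource.
    Refuses to add a second stanza so repeated runs cannot duplicate it."""
    if forbidden_patterns(text, resource_name) is not None:
        raise ValueError("resource already has a forbiddenfiles stanza")
    lines = text.splitlines()
    _, end, indent = _resource_span(lines, resource_name)
    inner = indent + "\t"
    stanza = [
        inner + ": (forbiddenfiles",
        inner + "\t: (\"{" + ",".join(patterns) + "}\")",
        inner + ")",
    ]
    return "\n".join(lines[:end] + stanza + lines[end:]) + "\n"


def would_strip(patterns, attachment_name):
    """True if the attachment name matches any glob in the list. Compared
    case-insensitively here (assumption; confirm against your FW-1 build)."""
    name = attachment_name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


if __name__ == "__main__":
    edited = add_forbidden_files(SAMPLE_OBJECTS_C, "smtp_strip", ["*.scr"])
    print(edited)
    print("gone.scr stripped:", would_strip(forbidden_patterns(edited, "smtp_strip"), "gone.scr"))
```

Run `scan_conf_dir` and `stale_backups` on the management station before editing; a non-empty result is exactly the case where the edit would be silently undone. The paren-depth scan is deliberately simple, so keep the edited objects.C under version control and diff it after the first policy push to confirm the stanza survived.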

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
If you have any questions on how to change your
subscription options, email Ron Alcatraz at:
[email protected]
=================================================