On Wed, 2004-03-03 at 07:17, CertaintyTech-Ed wrote:
> Anyone else seeing the Bagle-H virus getting thru? I am using Q-S and
> sophie and it is not stopping them. Sophie sees that the ZIP file is
> password encrypted so can't check it for viruses and Q-S goes ahead and
> passes it thru. Does anyone know of any way to catch this one? For now
> I am blocking all ZIP attachments...
Please let me know when you find ANY e-mail AV system that can catch this virus... i.e. I don't think so. I know there's one that "catches" it by looking at the content of the text part of the message - before the actual zip attachment - but that doesn't really count.
uvscan (mcafee) does complain via text output that the zip contents "is password-protected" when --secure is specified. It could be that qmail-scanner could be modified to take action based on the text in this type of output (which can be logged via debug to the log file). Sites could configure according to active policies - and treat such a message as equivalent to being a virus if need be.
John
Password protected zip files - and people still get infected! When will the naivety end?
This is why we have the phrase "defense in depth". Run e-mail AV systems to get rid of 99% of your viruses, but you still need to run nightly scans over old e-mails (to catch the Day Zeros that got through earlier), and you definitely still need to run AV on workstations (which would catch this particular one - as once the user unlocks the virus, their AV can detect it).
Obviously such a luxury is appropriate for corporations, but is impossible to mandate for ISPs/etc...
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
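An added example, not part of the thread and not qmail-scanner code: rather than matching a scanner's "is password-protected" wording, it reads the encryption flag from each ZIP attachment directly and applies a site policy, as the thread suggests sites might. The names `verdict`, `policy`, `make_zip` and `make_message` and the policy values are assumptions made for the illustration, and the sample archive and message are constructed.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member data is encrypted

def encrypted_members(data: bytes) -> list[str]:
    """Names of encrypted members. Only the central directory is read,
    so no password is needed to answer the question."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]

def verdict(raw_message: bytes, policy: str = "quarantine") -> str:
    """'pass', or the site's policy action (hypothetical names) when any
    MIME part is a ZIP the virus scanner cannot look inside."""
    for part in message_from_bytes(raw_message).walk():
        body = part.get_payload(decode=True)
        # Sniff the ZIP magic instead of trusting the filename or MIME type.
        if not body or not body.startswith(b"PK\x03\x04"):
            continue
        try:
            if encrypted_members(body):
                return policy
        except zipfile.BadZipFile:
            return policy  # a broken archive is just as unscannable
    return "pass"

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file archive, optionally with the
    encryption flag set in its local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("doc.txt", b"constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED  # flag field of the local file header
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central header
    return bytes(data)

def make_message(zip_bytes: bytes) -> bytes:
    """Constructed sample message carrying the archive as an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="octet-stream", filename="a.zip")
    return msg.as_bytes()
```

A site that prefers to bounce rather than hold such mail would call `verdict(raw, policy="reject")`; plain ZIP attachments still return `"pass"` and go on to the normal virus scan.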
_______________________________________________
Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general