Educause Security Discussion mailing list archives

Re: blocking .ZIP attachments


From: Dave Koontz <dkoontz () MBC EDU>
Date: Thu, 19 Aug 2004 19:29:14 -0400

Our experience has been that most virus laden ZIP files are password
protected, with the password sent either in the same email via plain
text or a JPG attachment.  We have set up our system to extract and scan
compressed file attachments (zip, rar, etc.) for viruses.  Infected
files within normal compressed files are caught and blocked.  If the
system is unable to uncompress the file for scanning purposes because of
a password or corruption problem, we block them.  Of course you must
work within the constraints of your particular software options, so if
this is not possible with your software, you will likely want to
"wish-list" this functionality.

---
Dave Koontz
Associate Director CIS
Mary Baldwin College

Gary Flynn wrote:

John C Borne wrote:

I apologize if this topic has been discussed before, but I couldn't find
any direct mention of this specific issue recently.

We have a problem with viruses penetrating the campus "under the
radar" so to speak. Before a new virus is detected and the anti-virus
update is written, received, and distributed, we have a window of
vulnerability. In the past we have lost a considerable amount of time
repairing these outbreaks. The vector for many of these infections has been through
attachments especially .ZIP's. At first we were intermittently blocking
.zip and other attachments; going back and forth between blocking and
accepting as each new virus appeared. We found that keeping the zip's
blocked had a big impact on minimizing the impact of new virii.

We've gotten to the point where we cringe at the thought of unblocking
.zip's and would like to make it permanent. Before I propose this to the
administration, I wanted to see if anyone could comment on whether they
are, or are not, blocking zip's and other attachments and if not, what
other solutions they have considered.


John,

Our experience mirrored yours. We blocked them intermittently as
circumstances dictated. Two rounds of MyDoom ago, we left them
unblocked and the results convinced us to leave them blocked.
They've now been blocked for several weeks and we have no plans
to unblock them. I have heard of no complaints yet.

That said, if our mail server software was intelligent enough
to look inside the zips and just block those with executable
attachments and those it can't examine we'd prefer to do that.
If you're running an open source mail gateway, I think there
are products able to do that.

--
Gary Flynn
Security Engineer
James Madison University
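Both replies describe the same gateway policy: open each ZIP attachment, block anything the scanner cannot examine (password-protected or corrupt archives), and block archives that carry executables, looking inside nested ZIPs as well. The following Python is an added illustration of that decision logic, not code from either poster's mail system. The executable-extension list, the size ceiling, and the sample archives are constructed for the example; the password-protected sample only sets the "encrypted" flag bit in the headers, which is enough to exercise the check without applying real encryption.

```python
"""Decide whether a ZIP attachment can be examined and whether it should be
blocked, following the policy described in the thread.  Illustrative code,
not the posters' own gateway configuration."""
import io
import os
import zipfile
import zlib

# Hypothetical policy list of extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Archives whose declared uncompressed size exceeds this are blocked rather
# than expanded, so the scanner itself cannot be exhausted (assumed value).
MAX_UNCOMPRESSED = 50 * 1024 * 1024


def inspect_zip(data: bytes, max_depth: int = 2) -> tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for one ZIP blob."""
    if max_depth < 0:
        return "block", "archive nested too deeply to examine"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", "corrupt or not a ZIP archive"
    with zf:
        entries = zf.infolist()
        # Bit 0 of the general-purpose flag marks an encrypted entry: the
        # contents cannot be scanned, so the attachment is blocked outright.
        for info in entries:
            if info.flag_bits & 0x1:
                return "block", f"password-protected entry: {info.filename}"
        if sum(i.file_size for i in entries) > MAX_UNCOMPRESSED:
            return "block", "declared size too large to examine safely"
        # testzip() reads every entry and returns the first name whose CRC
        # fails, i.e. a corrupt archive that cannot be scanned reliably.
        try:
            bad = zf.testzip()
        except (RuntimeError, NotImplementedError, zlib.error):
            return "block", "archive could not be decompressed"
        if bad is not None:
            return "block", f"corrupt entry (CRC mismatch): {bad}"
        for info in entries:
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                return "block", f"executable entry: {info.filename}"
            if ext == ".zip":  # look inside nested archives too
                verdict, reason = inspect_zip(zf.read(info), max_depth - 1)
                if verdict == "block":
                    return "block", f"{info.filename} -> {reason}"
    return "allow", "all entries readable and non-executable"


def make_zip(entries: dict) -> bytes:
    """Constructed sample archive (stored, not deflated, so bytes are easy to patch)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the 'encrypted' flag bit in every local header
    (offset 6) and central-directory header (offset 8).  No real encryption
    is applied; readers simply see a password-protected archive."""
    out = bytearray(data)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + offset] |= 0x01
            pos = out.find(sig, pos + 1)
    return bytes(out)


def corrupt_first_entry(data: bytes) -> bytes:
    """Constructed sample: flip one data byte of the first stored entry so its
    CRC no longer matches (local header is 30 bytes + name + extra field)."""
    name_len = int.from_bytes(data[26:28], "little")
    extra_len = int.from_bytes(data[28:30], "little")
    out = bytearray(data)
    out[30 + name_len + extra_len] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    plain = make_zip({"notes.txt": b"hello"})
    samples = {
        "plain text inside": plain,
        "password-protected": mark_encrypted(plain),
        "corrupt entry": corrupt_first_entry(plain),
        "executable inside": make_zip({"setup.exe": b"MZ"}),
        "nested zip with .scr": make_zip({"a.zip": make_zip({"p.scr": b"MZ"})}),
        "not a zip at all": b"PK\x03\x04" + b"this is not a valid zip archive at all",
    }
    for label, blob in samples.items():
        print(f"{label:22s} -> {inspect_zip(blob)}")
```

The order of checks matters: the encryption flag is tested before any entry is read, because reading an encrypted entry without a password raises rather than returning data, and the size ceiling is applied before `testzip()` so a small archive declaring a huge uncompressed size is refused instead of expanded.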

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.