Security Incidents mailing list archives
Re: Novarg - Stopping .Zip Files
From: Bill Pennington <billp () boarder org>
Date: Wed, 28 Jan 2004 10:28:49 -0800
IPS? I would recommend handling this at the mail server. No need for an IPS system.
I know Postfix/Sendmail/procmail all allow you to do this. I would assume Exchange server (or an add-on product like Tumbleweed) has the ability to drop e-mails based on attachment type.
On Jan 28, 2004, at 8:53 AM, Tom Milliner wrote:
Could someone tell me if there is an IPS solution which could be quickly programmed to stop .zip files? I wish we could have stopped .zip files long enough for our anti-virus program to get its updates.

Tom Milliner, CPA, MCSE
Director of Information Services
Greater Dallas Assc of Realtors
8201 N. Stemmons Frwy
Dallas, TX 75247
www.gdar.org
mail to: milliner () gdar org
(214) 540-2741

-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com]
Sent: Tuesday, January 27, 2004 10:32 PM
To: incidents () securityfocus com
Subject: Novarg

To all,

Yes as many of you have noticed Novarg is spreading fast. I work for a large international corporation and we have seen extensive infiltration. However, this worm has not proved to be as "damaging" as some may claim. The scary part is that our investment in AV solutions (Trend, Symantec, et al...) has not protected us. We are now reconsidering our stance on allowing .ZIP files in Email. We engineered our own cleaning utility hours before our AV vendors even had signatures. Infecting lab clients and using diff tools...etc

From a network perspective we are watching for the supposed DOS against SCO. We have had the outbreak under control just a few hours after its inception.

Anyone care to contribute their experience?

Thanks,
Beleguese
---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
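The attachment-type check suggested in the reply above, as an added example that is not part of the original post and is not Postfix, Sendmail or procmail configuration. It is a standalone Python filter that walks a message's MIME parts and flags zip archives by filename, declared content type, and leading magic bytes, so a renamed archive is still caught; the function names, sample addresses and sample messages are constructed for illustration, and wiring the verdict into a particular mail server is left out.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = (".zip",)  # assumption: policy blocks only .zip, as in the thread
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive

def blocked_parts(raw: bytes):
    """Return (filename, reason) for every MIME leaf part that looks like a zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""  # handles RFC 2231 encoded names
        body = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXT):
            hits.append((name, "extension"))
        elif part.get_content_type() in ZIP_TYPES:
            hits.append((name, "content-type"))
        elif body.startswith(ZIP_MAGIC):  # renamed archive, generic MIME type
            hits.append((name, "magic"))
    return hits

def verdict(raw: bytes) -> str:
    """Mail-server style decision for one raw message."""
    return "REJECT" if blocked_parts(raw) else "ACCEPT"

def sample_zip() -> bytes:
    """Constructed test archive, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed test content")
    return buf.getvalue()

def sample_message(filename, subtype, data) -> bytes:
    """Constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    z = sample_zip()
    for fn, st, d in [("document.zip", "zip", z), ("readme.dat", "octet-stream", z),
                      ("notes.bin", "octet-stream", b"plain bytes")]:
        print(fn, verdict(sample_message(fn, st, d)))
```

A filename-only rule would pass the second sample (`readme.dat`); the magic-byte check is what catches it.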