
News Article "GFI warns one anti-virus engine is not en

18 years 1 month ago #17349 by Smurf
Just thought I would expand on this a little with respect to mail scanning.

We were speaking with some guys from a rather large company about our gateway e-mail scanning when one of them pointed out something really interesting (which we are looking to adopt).

They said that if your organisation has an attachment policy that only allows a selected number of file types and everything else is blocked, you can be fairly sure that most viruses/worms would never reach your internal network. They also said that if you applied this filter before any virus scanning took place, the virus engine wouldn't really be doing much.

So, if you had a policy that only allowed "Word, Excel, PowerPoint", for example, and blocked everything else, you would stop a vast number of viruses from being sent. Obviously you would still scan to capture any Word macro viruses, etc., but it all helps to protect your network.

As for the desktop, a more defence-in-depth approach is currently the buzzword that's going around. You block nasties at your firewall, filter e-mail and Internet traffic (products such as Websense will stop a lot of the malware on its way out), use IDS/IPS to stop nasty traffic, then HIDS, and finally virus scanning as the last line of defence if it gets that far.

With the HIDS on there, it should stop the majority of dodgy stuff from even running on the machine.

I do agree with multiple scanning engines on the gateway, though, but is it not overkill to do this on the host? I would say so.

Anyone else have any thoughts on this?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 1 month ago #17356 by Starfire
Nice ideas, Smurf, but two things...

Only allowing Office attachments in would have your IT Manager's phone ringing off the hook with complaints from users trying to bring down zips, PDFs, etc. Our job at the end of the day is to help the users do their job, nothing more. These sorts of files are becoming more prevalent in transmissions these days, with users bringing down things like large datasets or manuals needed for their work.

We've tried lots of tactics to help secure what can and can't come down, and the users just find ways around them by getting the sender to rename the attachment with a .doc extension or some such, totally bypassing what we are trying to achieve.

Desktop lockdowns also just infuriate them, and in a lot of instances I have been ordered to remove them from PCs by the manager who's just had his ear chewed off by a director from some department or other. One guy once jumped on my manager, then my director and finally on the chief exec about me personally after I locked down his PC and fitted security screws after he adjusted the DIP switches on his graphics card in an attempt to make his programs run faster... /boggle.

Apart from up-to-date antivirus, updates/patches, a good network security policy and all the usual things, the best defence we can give is education for internal protection: trying to explain just what can happen as a user is browsing dodgy websites, or when they are bored and just in a daze on a Friday afternoon opening e-mails just to pass the time.

The number of times I have had users complaining that their e-mail is constantly getting spammed or pop-ups keep appearing on their PCs, and they are demanding to know why, and I have to bite my lip and stop myself from saying "Because you're a dumba$$! You brought it on yourself through your lack of knowledge. This isn't Star Trek, ya know!"

In short, the best internal network defence is an educated workforce.
18 years 1 month ago #17357 by Smurf

Only allowing Office attachments in would have your IT Manager's phone ringing off the hook with complaints from users trying to bring down zips, PDFs, etc.


Sorry Starfire, only allowing Office attachments was just an example; I didn't want to list everything for this discussion. The review of our e-mail policy I am currently undertaking covers things like Office docs, Works docs, txt files, picture files, PDFs, etc. Basically, everything that is business critical is allowed and everything else is blocked, instead of doing it the other way around, as you never know what extra stuff may be added which can transmit viral code.

We've tried lots of tactics to help secure what can and can't come down, and the users just find ways around them by getting the sender to rename the attachment with a .doc extension or some such, totally bypassing what we are trying to achieve.


I would hope a better e-mail scanner was configured that actually checked that the MIME type corresponded to the file attachment extension and blocked it if anyone tried that trick. Basic practice now, I thought?

Desktop lockdowns also just infuriate them, and in a lot of instances I have been ordered to remove them from PCs by the manager who's just had his ear chewed off by a director from some department or other. One guy once jumped on my manager, then my director and finally on the chief exec about me personally after I locked down his PC and fitted security screws after he adjusted the DIP switches on his graphics card in an attempt to make his programs run faster... /boggle.


This is a very interesting one. In our environment we don't have an SLA or anything like that with our service users. In fact, once we have configured the machines they can do pretty much what they like to them, because they own the machine. A work colleague who works in another environment does things differently. They lock the desktops down completely as part of their security policy. The reason for this is that there is an SLA against the company who provides the support contract, and harsh penalties are imposed if things are not fixed appropriately. Basically, they want to lock the machine down so people cannot break anything; any changes can be made, but a change request has to be raised to do this. Also, from a legal point of view, they want to ensure that no illegal software is installed, because the security administrator would be liable in that case, so they want to make sure that no software can be installed. Also, if attack traffic is detected coming from your external IP address, you can again be liable.

Apart from up-to-date antivirus, updates/patches, a good network security policy and all the usual things, the best defence we can give is education for internal protection: trying to explain just what can happen as a user is browsing dodgy websites, or when they are bored and just in a daze on a Friday afternoon opening e-mails just to pass the time.


In short, the best internal network defence is an educated workforce.


I agree totally. A lot of the work that goes on in the security area is lacking in basic education of the workforce. However, a defence-in-depth strategy cannot be overlooked. This also includes patch management. When the Blaster worm hit, users would not have been to blame for it spreading as it did. Machines not being at the correct patch level was a major reason this worm spread as it did; no amount of education would have made a difference there. If, however, some HIDS had been installed locally to lock down the types of activity that were required for the worm to take hold of the machine, the network would have been better protected.

Lol, this turned into an essay, hehe. Definitely lots of people have different angles on all this. What are anyone else's views or comments on this?

Cheers and thanks for taking the time to share your views

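Two of the points Smurf makes above come together in one piece of gateway logic: allow only the business-critical attachment extensions and block everything else, and check that an attachment's content actually corresponds to the extension it claims, so a renamed executable does not sail through as "something.doc". The following is an added example written for this page, not code from the original thread or from any product mentioned in it. The allowlist, the file-signature table and the sample message are constructed for illustration and stand in for an organisation's real policy; it uses only the Python standard library `email` package.

```python
import email
import os
from email.message import EmailMessage
from email.policy import default

# Constructed example policy: the extensions the business needs are allowed,
# everything else is blocked (an allowlist, not a denylist).
ALLOWED_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".png"}

# File signatures ("magic bytes") an attachment with a given extension must
# start with. The sender controls both the filename and the declared
# Content-Type header, so the bytes themselves are the only thing worth trusting.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def content_matches_extension(ext, data):
    """True if the leading bytes are consistent with the claimed extension."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        # .txt has no signature; a NUL byte or a PE/ELF header means it is not text.
        head = data[:4096]
        return b"\x00" not in head and not head.startswith((b"MZ", b"\x7fELF"))
    return any(data.startswith(s) for s in sigs)


def check_attachment(filename, data):
    """Return (verdict, reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()  # "report.doc.exe" -> ".exe"
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"extension {ext or '(none)'} is not on the allowlist"
    if not content_matches_extension(ext, data):
        return "block", f"content does not look like {ext} (renamed file?)"
    return "allow", "allowed extension and content matches it"


def filter_message(raw):
    """Apply the policy to every attachment of a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict, reason = check_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed test message: two legitimate files, one executable renamed
    to .doc, and one archive that is simply not on the allowlist."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Files as discussed"
    msg.set_content("See attached.")
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    msg.add_attachment(ole, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="manual.pdf")
    # A Windows executable (MZ header) sent as "invoice.doc": the declared
    # Content-Type says msword, the name says .doc, the bytes say otherwise.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in filter_message(build_sample_message()):
        print(f"{verdict:5} {name:12} {reason}")
```

The check runs before any virus engine sees the mail, which is the ordering described in the thread: what the allowlist drops never costs a scan. Note that it deliberately ignores the declared Content-Type, since an attacker sets that header as freely as the filename; the "MIME type matches extension" check only means something when the type is sniffed from the bytes. Two things a real deployment would add: recursing into archives if .zip is ever allowed (otherwise the renamed file just arrives inside one), and a size cap on the bytes examined, since both are easy places for a filter to be worked around.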