
Re: [Asrg] Re: Executable Attachments



----- Original Message ----- 
From: "David A. Wheeler" <dwheeler at dwheeler.com>
To: <asrg at ietf.org>
Sent: Thursday, July 22, 2004 3:55 PM
Subject: [Asrg] Re: Executable Attachments


"George Ou" <george_ou at netzero.com> replied:
> I'll leave it at that since we technically agree.  I don't have a problem
> with telling people to block all executable content by default unless they
> have a comprehensive anti-virus infrastructure in place.  I just think
> that you should not have propagated the idea that anti-virus don't work when in
> fact they do when implemented properly.

> This is a dicey claim.  Most of today's anti-virus
> products are primarily signature-based; they can only detect old viruses.
> They can't detect most new ones when they're first released. So while you're
> protected from old ones, you're still vulnerable to each
> new attack.  And that assumes that you keep your anti-virus
> up-to-date organization-wide, including home systems.
> That includes a vanishingly small list of organizations;
> I can't think of any offhand.

Nothing dicey about it.  In our environment, a good gateway level signature
based solution has been extremely effective.  Only a minor "day-zero"
outbreak in 3 years that was contained within 1 hour as soon as the SMTP
gateway and Exchange server received new definition files.  I don't know how
many more times I have to say this, but gateway level solutions don't care
if the end-users are running up to date definition files or if they are not
running anti-virus at all.  I can't believe we're still even debating this
technology in 2004.  It's been working extremely well since 2000.  This is
exactly why you never see any virus attachments from an MSN or Yahoo account
since they do gateway level scanning.

The bottom line is, there are 2 main issues that create the zombie problem
and there are 2 simple and effective solutions.

Cause:
1.  Windows computers connected to broadband without any inbound firewall
protection.
2.  Email Virus attachments

Solution:
1.  Quarantine Windows machines from Internet access until the user enables
their WinXP firewall or downloads a free inbound firewall for whatever
version of Windows they're running.  This doesn't pertain to people who
already have HW/SW firewalls or a simple NAT router.  This doesn't pertain
to people not running Windows.

2.  Implement ISP and Organizational level gateway anti-virus for HTTP, FTP,
and SMTP for all known malware signatures.


For the near term future, install Windows XP SP2.  For the long term future,
implement strict Authenticode policies.

I don't know why some of the non-Windows users here would freak out from
these proposals; it doesn't affect them in any way except to free up bandwidth.

George Ou


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg