Re: Spyware on an SBS client and what to do?
- From: Leythos <void@xxxxxxxxxxx>
- Date: Wed, 23 Jul 2008 16:38:33 -0400
In article <eDI3EZN7IHA.5440@xxxxxxxxxxxxxxxxxxxx>,
stephen@xxxxxxxxxxxxxxx says...
Leythos wrote:
In article <#cHYt4L7IHA.4864@xxxxxxxxxxxxxxxxxxxx>,
stephen@xxxxxxxxxxxxxxx says...
I'm just back from removing this from a client's computer. The malware
came in an email pretending to be from UPS in the form of a zipped exe.
Neither clamav nor Trend WFBSA prevented the infection although the
Trend logs showed some stuff had been found and cleaned.
A properly set up firewall would never have permitted an exe to pass
through to the user's email box. A properly set up Exchange-aware anti-malware
product would never have let an exe pass to the user through email either.
What forms of protection are you using on this server?
This server is running Trend Micro Worry Free Business Security Advanced
(the successor to CSMSS). This was a zipped exe, not a raw exe. The mail
is also pre-scanned with MailScanner (incorporates ClamAV anti-virus and
SpamAssassin anti-spyware) before it hits Exchange. ClamAV didn't pick it
up, nor did the Exchange scanner in Trend, so the infected message ended
up in the user's Junk Mail Folder. They then opened the zip attachment
and double clicked on the exe inside (file extensions were hidden so it
was not obvious to the user that this was an executable).
I would have thought that the Trend real-time scanner should have
blocked this, but it didn't, although later inspection of the Trend logs
shows that it did detect malware associated with this exe. I'm not sure
if a later update to Trend was able to detect the malware but the
pattern was not available when the user ran the program. In any case, I
am disappointed in the performance of Trend in this instance, because
despite the protection, a deep infection occurred, which required a site
visit to fix.
We have our AV products for the firewall and even the mail security
products set to block any Zip file that is passworded and it will block
any EXE in a zip file.
If yours won't do this, then block ZIP files, period, unless sent to a
specific user account (like support@xxxxxxxxxxx) so that only someone
with access can inspect them and forward them to users.
Most AV software won't catch new malware, that's why you have to rely on
blocking file types in addition to all the other methods.
--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
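The policy Leythos describes (block any passworded zip, block any exe inside a zip, and do not trust extensions because "UPS_INVOICE.pdf.exe" shows as "UPS_INVOICE.pdf" when Windows hides extensions) is the kind of check a mail gateway applies before the message reaches the Exchange store. The following is an added example written for this page, not code from MailScanner, ClamAV or Trend Micro, that implements such a check over an attachment in memory: it flags executable members by final extension and by the Windows PE magic "MZ" (so a renamed exe is still caught), refuses encrypted entries it cannot open, and descends into nested zips. The extension list and the sample archives are assumptions constructed for the demonstration; the "MZ" filler is not real malware. Because Python's zipfile cannot write passworded archives, the passworded sample is produced by setting the encryption bit in the central directory by hand.

```python
"""Gateway-style inspection of zip attachments (added example, not the page's own code)."""
from __future__ import annotations

import io
import zipfile

# Member extensions treated as executable content. This list is an assumption
# for the example; a real gateway policy would be longer and site-specific.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")

# Bit 0 of the zip general-purpose flag field marks an encrypted (passworded) entry.
ENCRYPTED_FLAG = 0x1
MAX_NESTING = 3  # how many levels of zip-in-zip we are willing to descend


def member_is_executable(name: str, head: bytes) -> bool:
    """Executable by final extension or by PE magic. 'invoice.pdf.exe' is caught
    by its real extension even when Explorer hides it; 'scan.pdf' containing a
    PE image is caught by the 'MZ' header."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS) or head[:2] == b"MZ"


def inspect_zip(payload: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the list of block reasons; an empty list means the archive passed."""
    reasons: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        # A top-level attachment that is not a zip gets blocked; a nested member
        # that merely started with 'PK' but is not an archive is simply ignored.
        return [] if depth else [f"{prefix}<archive>: not a valid zip file"]
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED_FLAG:
                # We cannot scan what we cannot open, so block it.
                reasons.append(f"{path}: password-protected entry")
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if member_is_executable(info.filename, head):
                reasons.append(f"{path}: executable content")
            elif head == b"PK" and depth < MAX_NESTING:
                # Possible nested archive: look inside rather than trust its name.
                reasons.extend(inspect_zip(zf.read(info), depth + 1, path + "/"))
    return reasons


def verdict(payload: bytes) -> tuple[bool, list[str]]:
    """(block?, reasons) for one attachment."""
    reasons = inspect_zip(payload)
    return (bool(reasons), reasons)


# --- constructed samples for the demonstration (assumptions, not real mail) ---

def build_sample_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_first_entry_encrypted(zip_bytes: bytes) -> bytes:
    """zipfile cannot write passworded archives, so set the 'encrypted' bit of the
    first central-directory record by hand. The general-purpose flag field sits at
    offset 8 of the 'PK\\x01\\x02' central header."""
    data = bytearray(zip_bytes)
    idx = data.find(b"PK\x01\x02")
    assert idx >= 0, "no central directory found"
    data[idx + 8] |= ENCRYPTED_FLAG
    return bytes(data)


FAKE_PE = b"MZ" + b"\x90" * 62  # PE magic plus filler; not an executable
LURE_ZIP = build_sample_zip({"UPS_INVOICE_8842.pdf.exe": FAKE_PE})
CLEAN_ZIP = build_sample_zip({"tracking.txt": b"Your parcel is on its way.\n"})
RENAMED_ZIP = build_sample_zip({"scan.pdf": FAKE_PE})  # exe renamed to look like a PDF
NESTED_ZIP = build_sample_zip({"docs.zip": LURE_ZIP})
PASSWORDED_ZIP = mark_first_entry_encrypted(build_sample_zip({"secret.doc": b"hello"}))

if __name__ == "__main__":
    samples = [("lure", LURE_ZIP), ("clean", CLEAN_ZIP), ("renamed", RENAMED_ZIP),
               ("nested", NESTED_ZIP), ("passworded", PASSWORDED_ZIP)]
    for label, blob in samples:
        blocked, why = verdict(blob)
        print(f"{label:10} -> {'BLOCK' if blocked else 'pass '} {why}")
```

Only the clean archive passes; the lure, the renamed exe, the nested archive and the passworded archive are all blocked with a reason that can go into the gateway log. The point of the "MZ" check is the same one Leythos makes about AV pattern files: a rule that does not depend on recognising the specific sample still works on the day the sample is new.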