[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

Lucas Albers admin at cs.montana.edu
Fri Jan 23 00:55:18 EST 2004


Matthew.van.Eerde at hbinc.com said:

> About the only thing I can think of is to allow an option to quarantine
> any
> encrypted contents of an attached archive.

I covered this item a few months ago, including how to detect encrypted
files in uvscan.
Viruses are similar to biological creatures: they need to minimize the
effort to spread, and requiring decryption with a password will slow spread.
Currently encryption does not add much to the spread of a virus.
Any virus, as Big D says, can be polymorphic in theory.

Along those lines, it is just a matter of time until a 0day virus comes
along and kicks you in the teeth, hard.

Imo you need to prepare for that day, by scanning with multiple virus
scanners, greylisting to reject zombie dsl's, and block all the standard
attachment types.

It is just a matter of time until a virus slips by before your virus def's
update, and the only way to block that for sure is to block extensions.
When a virus hits it hits in a wave of infections, suddenly you have
hundreds per day....

The 9th rule of security and most important is to minimize access, if they
don't need those file extensions then block them.
As Big D says, some customers just block extensions and don't virus scan,
and they have exactly 0 infections.

So this new bagle virus hit; my buddy didn't get it because his virus
def's didn't update. I blocked it because I blocked that extension, and he
relied solely on the virus scanner.
<brag mode on>
Actually I only got 2 of them because I reject on invalid hostname on the
helo string...so it did not even hit my virus scanner.
</brag mode off>

Luke, Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
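A defender-side check in the spirit of the extension blocking the post recommends, added here as an example (it is not MIMEDefang's filter code or the poster's own setup): it parses a constructed MIME message with Python's standard `email` module and flags attachments whose last extension is on an assumed block list, catching double extensions like `readme.txt.hta` and trailing-dot tricks.

```python
import email
from email import policy

# Assumed block list for this example, after the post's advice to block
# the standard executable attachment types (not MIMEDefang's own list).
BLOCKED_EXTENSIONS = {"hta", "vbs", "vbe", "js", "jse", "exe", "scr",
                      "pif", "com", "bat", "cmd", "wsf", "wsh", "lnk"}

def blocked_extension(filename):
    """Return the blocked extension of filename, or None. Trailing dots/spaces
    are stripped and the LAST extension is used, so "a.txt.hta" and "b.HTA." hit."""
    base = filename.strip().rstrip(". ").lower()
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None

def blocked_attachments(raw):
    """Parse a raw RFC 2822 message and return the sorted attachment names whose
    extension is blocked. get_filename() reads the Content-Disposition filename
    and falls back to the Content-Type name, so either header alone is seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and blocked_extension(name):
            hits.add(name)
    return sorted(hits)

# Constructed sample: a base64-encoded part named like an .hta file.
# The payload decodes to "<html></html>"; it is not malware.
SAMPLE = """\
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/hta; name="readme.txt.hta"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.txt.hta"

PGh0bWw+PC9odG1sPg==
--b1--
"""
```

Hooking this into a real filter means rejecting or quarantining the message when the returned list is non-empty, which is the extension block the post describes.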


