Drew Wutka
dbatech at wolfwares.com
Mon Sep 1 02:21:43 CDT 2003
I think I got this late; due to recent power failures, my mail server has been off and on a bit, so messages have been delayed a bit. Here's my perspective. I am going to break it into work and home.

Work:

At work, we have a network of about 150 to 200 computers. We have a T1 (and a backup T1), which is connected through a router that has firewall capabilities. That is our firewall. It's fast and efficient, though I have never touched it, other than to turn it off/on. My co-worker has spent a lot of time and effort in understanding and programming that thing, so I stay clear. That is our internet protection against hacker access.

As far as viruses go, we use three Trend Micro products: ScanMail, ServerProtect and OfficeScan.

We started with ScanMail. Back when the ILOVEYOU virus was floating around, our current network admin/Exchange admin was tasked with getting some sort of virus protection for our Exchange server. He failed to do so, and a few months after the virus was talked about on CNN, we were hit with a variation of that virus. It tore the heck out of our mail systems. At the time I was relatively new to the company, but I knew far more about Exchange than the admin, simply because I was very comfortable around MS software, and I knew quite a bit about databases. In fact, the Exchange admin didn't have a freakin' clue about how to handle the virus situation. I took over (and thus 'became' the Exchange admin). I did a search on the net for Exchange anti-virus packages. What I was specifically looking for was something that not only scanned email as mail came in and out, but also one that would scan individual mailboxes. ScanMail fit the bill. I was able to download a demo package that would run for 30 days. It did a superb job of taking care of our virus. For the next few months, we watched for virus alerts. Every time a virus was announced, we found it on Trend's site immediately.

The other big guys, like McAfee and Norton, were a toss-up, so we felt that we made a good (lucky) decision with Trend Micro. Since we have used ScanMail, we have only had ONE virus get through (literally one, one copy). It was a virus that came through the MIME media file attachment, which forces Media Player to play. As soon as we knew about that virus, we ran an immediate update on ScanMail, and it updated the engine to catch that type of attachment too.

Now, to make ScanMail effective, we do not allow ANY attachment through that can be run immediately. ScanMail is then extremely effective. Since any file extension that can be immediately run is blocked, and ScanMail catches everything in its pattern (and it goes several layers deep into Zip files; you can set it, the default is 5 layers), we are virtually immune to email viruses. It catches email coming in, going out, and internal email. Highly effective. It is also pretty lightweight. I have never noticed extreme server usage by ScanMail. In fact, after the initial setup and a few tweaks, I RARELY go into ScanMail's control panel, because it just keeps chugging. I found the outgoing scan to be pretty important, since we don't want an infected user sending viruses out of the company either. (With that ILOVEYOU virus, we contacted as many people as we could to tell them that we had sent them a virus.)

A few months after that we had another virus issue. It was a Word doc virus. An HR person had brought his girlfriend's resume in on a floppy, and that resume contained a virus. Thus, every Word document he opened was infected, and it began to spread pretty quickly. So again we looked to Trend. ServerProtect was their server-based enterprise package. We installed a trial version, and it immediately handled our Word virus issue. It allows for manual scans, auto scans, and I/O scans. An I/O scan reads everything written to and read from a server. It is amazingly lightweight.

Once installed on our file servers, we noticed NO difference in file retrieval speeds. It's an enterprise package, so we actually installed it on one server, and then we told it what servers we wanted protected, and it installed itself on those machines. Those machines can then be collectively managed from one point. The only issue we have ever had with ServerProtect is that we have an NT4 machine which is a DEC Alpha, and ServerProtect is no longer supported on DEC Alpha. (So we mapped its drives to one of the other servers, and we have those mapped drives scanned nightly. Not as protective as I/O, but it works...)

The last piece of virus protection wasn't prompted by a virus. I fought tooth and nail to get it, because our biggest vulnerability after ScanMail and ServerProtect was our individual machines. We finally bought OfficeScan close to a year ago. OfficeScan is Trend's enterprise-level desktop protection. It's pretty slick too. It can be file based or web based; we chose to go the web-based method. With this method, clients can be installed and updated from the web. It can also 'remotely' install on NT machines. The admin web page allows for controlling remote machines (scanning, updating, installing, etc.), and it also offers reporting on a network-wide basis.

Last week we were hit by WORM_MSBLAST.D. What we discovered was that the OfficeScan clients weren't updating; their patterns were the original ones that were installed. I figured out and fixed that problem on Thursday. I just had to map a virtual drive on the web server, because the clients were looking for a URL that didn't exist. If we had found and fixed that issue earlier, we would have had no problems with that virus. OfficeScan also password-protects the client machines, so clients cannot stop or uninstall it without the admin password.

One last thing: ScanMail can also be purchased as a version that has eManager. (We should have bought the original that way, but didn't.) eManager is a spam handler, and it works well as far as spam goes.

I highly recommend Trend products, because we have had little to no problem with them (other than this recent issue, which was mostly our fault for not verifying updates). They are priced fine, and they do have a maintenance price on a yearly basis. It's reasonable, and should be the same or less than the other big packages.

Another item of note is that before we began using Trend products, we had McAfee installed on our clients. It was atrocious. Patterns were a pain to update, and more importantly, McAfee interfered with legitimate computer stuff more than it protected from viruses. With Trend's products, we have had no such difficulties, other than an odd ActiveX issue for a yellow pages package on our intranet. (Which we have resolved... within a few hours of knowing about the issue.)

Hope this helps.

Drew

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Steven W. Erbach
Sent: Tuesday, August 26, 2003 3:50 PM
To: dba-Tech at databaseadvisors.com
Subject: [dba-Tech] Security measures

Dear Group,

Computer security grabbed the headlines over the last two weeks. I've been steadily adding to a Favorites list of security-related web sites, but my own understanding of the issues in computer and Internet security is limited to what I read and what I've done on the PCs in my home office. I have two main questions:

1) What resources do you turn to for security information -- books, magazines, web sites, etc.?

2) What things have you done on your own PCs to battle the forces of darkness? Software (anti-virus, password encryption, firewalls) or hardware (routers, proxy servers, firewalls, etc.).

2a) What was it about these products that recommended themselves to you?

Thank you for your input in advance. I've found myself answering questions about security that I'm not too sure about. That's why I'm asking you here.

Regards,

Steve Erbach
Scientific Marketing
Neenah, WI

If architects built buildings the way programmers built applications, the first woodpecker to come along would cause the end of civilization.

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
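Editor's added example, not code from the post, from Trend Micro, or from the dba-Tech list: the mail-gateway policy Drew describes above is two rules, "reject any attachment that would run on double-click" and "look several layers deep into zip files (default 5)". The Python below implements that policy against a raw message, and also shows the parts the post leaves implicit: deciding by magic bytes rather than file name, and failing closed (quarantine) when an archive is nested too deep, is corrupt, is encrypted, or would inflate to something enormous. The extension blocklist, the 5-layer limit, the 50 MB member cap, and the sample messages are all assumptions constructed for the example.

```python
"""Attachment policy check: block directly-runnable attachments and inspect
nested zip archives up to a depth limit, quarantining anything that cannot be
inspected.  Added example; extension list, limits and samples are assumptions."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy

# Assumed blocklist of extensions Windows executes on open (not the real
# ScanMail configuration).
BLOCKED_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "reg", "lnk", "msi",
}
MAX_ZIP_DEPTH = 5                    # the default the post quotes for ScanMail
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so a zip bomb is not inflated


def _ext(name):
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_blob(name, data, depth=0):
    """Return (path, reason) findings for one attachment; empty list means clean."""
    findings = []
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append((name, "blocked extension ." + ext))
    # Decide by magic bytes, not by name: a renamed .zip is still a zip.
    if not data.startswith(b"PK\x03\x04"):
        return findings
    if depth >= MAX_ZIP_DEPTH:
        findings.append((name, f"archive nested beyond {MAX_ZIP_DEPTH} layers; blocked unscanned"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "member too large to inflate; blocked unscanned"))
                elif info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                    findings.append((member, "encrypted member cannot be scanned; blocked"))
                else:
                    findings.extend(inspect_blob(member, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        findings.append((name, "corrupt archive; blocked unscanned"))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message and check every attachment part."""
    msg = message_from_bytes(raw, policy=default_policy)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_blob(name, part.get_payload(decode=True) or b""))
    return findings


def should_quarantine(raw):
    return bool(inspect_message(raw))


# --- constructed sample messages (not real mail) -----------------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def make_mail(attachments):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "resume"
    msg.set_content("see attached")
    for fname, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


def nested_zip(layers):
    """payload.exe wrapped in `layers` + 1 zip archives."""
    data = make_zip({"payload.exe": b"MZ constructed stub"})
    for i in range(layers):
        data = make_zip({f"layer{i}.zip": data})
    return data


SAMPLE_CLEAN = make_mail([("resume.doc", b"constructed document bytes")])
SAMPLE_SCR_IN_ZIP = make_mail([("resume.zip", make_zip({
    "resume.doc": b"constructed document bytes",
    "resume.doc.scr": b"MZ constructed stub",
}))])
SAMPLE_TOO_DEEP = make_mail([("deep.zip", nested_zip(6))])

if __name__ == "__main__":
    for label, raw in [("clean", SAMPLE_CLEAN), ("scr", SAMPLE_SCR_IN_ZIP), ("deep", SAMPLE_TOO_DEEP)]:
        print(label, "quarantine" if should_quarantine(raw) else "deliver", inspect_message(raw))
```

The depth counter starts at 0 for the attachment itself, so five archive layers are opened and the sixth is refused unscanned rather than delivered, which is the fail-closed choice a gateway wants. The same applies to an encrypted or corrupt archive: a scanner that cannot see inside should not pass the mail on the strength of a pattern match it never got to make.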