[Avcheck] AVP and I-Worm.Nimda
Michael Tokarev
mjt@tls.msk.ru
Wed, 10 Oct 2001 14:13:41 +0400
Robert Dalton wrote:
>
> Hello,
>
> Just curious has anyone blocked a single instance of
>
> I-Worm.Nimda with Avpdaemon or kavdaemon ?
>
> It seems a little odd that I haven't seen a single instance of
> this worm blocked. I'm just curious if for some reason
> that kavdaemon isn't blocking this correctly ?
No, it blocks nimda -- starting about an hour after nimda was
first discovered "by public". One of our servers rejected
several infected mails sent from the same source (from one
infected machine). The other 3 mail servers were configured to
reject it using header_checks /^X-Unsent:/, and there were
only one or two positives on each. And yet another 4 mail servers
here had no "experience" with it yet, while using an antivirus
that detects nimda. That is to say -- it depends -- you may
never see nimda at all... ;)
What had a really great result is my block of *.eml on all our
squid proxies. That saved two of our clients from being *totally*
infected (no patches to IE were applied, all machines in the
LAN were opened read/write (disk C: was shared), internal
IIS without patches... ;)
Regards,
Michael.
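The two filters Michael describes, a Postfix header_checks rule on `X-Unsent:` and a `*.eml` block on the squid proxies, are easy to get slightly wrong (a header check must only look at the header block, and an extension block on the whole URL can be dodged with a query string). The script below is an added example, not code from the original post or from either project; it re-implements both checks in Python over constructed sample inputs so you can see exactly what each one does and does not catch. The equivalent real configuration lines are given in the comments; the sample messages, URLs and addresses are made up for the example.

```python
import re
from urllib.parse import urlparse

# --- 1. Mail: the header_checks rule from the post -------------------------
# Postfix equivalent (in the file named by header_checks in main.cf):
#     /^X-Unsent:/   REJECT Nimda X-Unsent header
# Postfix tests each (unfolded) header line, case-insensitively, and stops
# at the first match; the body is never consulted by header_checks.
HEADER_RULES = [
    (re.compile(r"^X-Unsent:", re.IGNORECASE), "REJECT Nimda X-Unsent header"),
]


def check_headers(raw_message: str):
    """Return the action of the first matching rule, or None.

    Only the header block (everything before the first blank line) is
    examined, and folded continuation lines are joined first, which is
    the behaviour a header_checks rule actually has."""
    header_block = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    for line in unfolded.splitlines():
        for pattern, action in HEADER_RULES:
            if pattern.search(line):
                return action
    return None


# --- 2. Proxy: the *.eml block from the post -------------------------------
# squid equivalent (squid.conf):
#     acl eml url_regex -i \.eml$
#     http_access deny eml
# A regex anchored at the end of the *whole* URL can be bypassed with
# "?x=1" appended, so here the extension test is applied to the path only.
EML_PATTERN = re.compile(r"\.eml$", re.IGNORECASE)


def url_blocked(url: str) -> bool:
    """True if the request path ends in .eml, ignoring query and fragment."""
    path = urlparse(url).path
    return bool(EML_PATTERN.search(path))


# --- constructed samples (not real captures) -------------------------------
NIMDA_LIKE = (
    "From: someone@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: \n"
    "X-Unsent: 1\n"
    "MIME-Version: 1.0\n"
    "\n"
    "body\n"
)
CLEAN = (
    "From: a@example.invalid\n"
    "To: b@example.invalid\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
# The marker string only in the body: a header check must NOT fire on this.
BODY_ONLY = (
    "From: a@example.invalid\n"
    "Subject: quoting a header\n"
    "\n"
    "X-Unsent: 1\n"
)

if __name__ == "__main__":
    for name, msg in (("nimda-like", NIMDA_LIKE), ("clean", CLEAN), ("body-only", BODY_ONLY)):
        print(f"{name:10s} -> {check_headers(msg)}")
    for url in ("http://192.0.2.10/readme.eml",
                "http://192.0.2.10/scripts/README.EML?x=1",
                "http://192.0.2.10/index.html"):
        print(f"{'DENY' if url_blocked(url) else 'allow':5s} {url}")
```

Run it directly to see which samples each rule catches. Note that neither check is a signature for Nimda itself: the header rule keys on one header the worm's mail happened to carry, and the proxy rule refuses every `.eml` download, legitimate or not, which is the trade-off Michael accepted for his clients.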