Drive by virus

[OldOwl]

Well, my guy took my machine today, ghosted the hard drive and we played a few games of 8 ball while waiting but then it got late and I left it with him to change the partitions and do some updates. I'm just glad it didn't get into the network and kill my wife and daughters machines. I guess it was contained in the operating system, so that's good news. Should have it back tomorrow. Probably have to pay him out of the cash I had saved for my new Saiga 12 Ga. Its always something. Also had to have both u joints replaced in my truck yesterday for $187 but they did it for free because I do them a lot of favors. That was nice. Woulda been a bad day otherwise.

[Booga]

... As for the emails its easy to look at domain names of the sender...

Many spammer and virus emails can be spotted by looking at domain names. However, that is not 100% fool-proof. I deal with email at the server level and I can tell you that some spoofed emails are very deceptive, domain names included... Source IP is tougher to spoof, but almost nobody checks that. It would be trivial for me to send an email spoofing the source email address and domain.

Youre looking at code coming through where, and youre searcing for known code signatures correct?

He's referring to heuristics. It's helpful because it can sometimes catch slightly modified malware that has NOT had a known code signature documented yet. Basically it is a way to look for software the behaves like malware. It's been my experience that heuristics is a fairly minor boost in protection, but perhaps he's seen more of a benefit than I have.

My experience is mostly along the lines of administration/email/troubleshooting and can back FN1910's statement in general.

Literally 97% of the email that hits our network where I work is spam or a virus. It's amazing that anything legit makes it through at all.

[FN1910]

Your 97% figure for spam etc. is about right. We have a Barracuda box and that thing is well worth the money. Since we have installed it about 7 years ago I have seen the percentage of spam slowly rise. Right now about 95% is blocked immediately because of blacklist or similar identies. Another 1-2% is then blocked for meeting the spam filter settings of types of email. Another 1-2% is the passed through but flagged in the subject line of the email as possible spam. That leaves 1-3% as getting through without any flagging. Out of that 1-3% it includes, advertisements from legitimate vendors, jokes being passed around the Internet, and pictures of babies or such stuff. Out of all the mail sent to us from outside the network about 0.5% is actual useful work related email. Any time someone comes to my office complaining about spam in their email I just show them the graph from the Barracuda box and threaten to turn it off for them. Very seldom do I have any more complaints.

I also have a Fortigate firewall that does some email and web filtering along with a monitoring server supplied by Homeland Security and the email server itself does some.

There are several different thigs that heuristics looks at including known and unknown codes. As you say it is marginal as to how much new stuff it finds. I think that is partly because the turnaround time on patches for new stuff is so quick that there is very little that hit our machines that is not known. The biggest problem is the intentional stuff that people download that opens holes for everything else. When I investigate an infected machine I usually find that it started when they downloaded some "cute" program or didn't pay attention to what it was asking. I have seen machines where there litterally was no room left on the screen to display a web page because of all the toolbars at the top of the browser. I didn't realize that there were that many available.

[sFe]

Your 97% figure for spam etc. is about right. We have a Barracuda box and that thing is well worth the money. Since we have installed it about 7 years ago I have seen the percentage of spam slowly rise. Right now about 95% is blocked immediately because of blacklist or similar identies. Another 1-2% is then blocked for meeting the spam filter settings of types of email. Another 1-2% is the passed through but flagged in the subject line of the email as possible spam. That leaves 1-3% as getting through without any flagging. Out of that 1-3% it includes, advertisements from legitimate vendors, jokes being passed around the Internet, and pictures of babies or such stuff. Out of all the mail sent to us from outside the network about 0.5% is actual useful work related email. Any time someone comes to my office complaining about spam in their email I just show them the graph from the Barracuda box and threaten to turn it off for them. Very seldom do I have any more complaints.

I also have a Fortigate firewall that does some email and web filtering along with a monitoring server supplied by Homeland Security and the email server itself does some.

There are several different thigs that heuristics looks at including known and unknown codes. As you say it is marginal as to how much new stuff it finds. I think that is partly because the turnaround time on patches for new stuff is so quick that there is very little that hit our machines that is not known. The biggest problem is the intentional stuff that people download that opens holes for everything else. When I investigate an infected machine I usually find that it started when they downloaded some "cute" program or didn't pay attention to what it was asking. I have seen machines where there litterally was no room left on the screen to display a web page because of all the toolbars at the top of the browser. I didn't realize that there were that many available.

Seems like you can't install anything now without having to uncheck a toolbar box.