Antivirus Protection for Exchange Server 2010

Written by Paul Cunningham on July 9, 2010

With all of the attention paid to spam prevention sometimes we forget that viruses and malware remain a strong threat to our business networks.

Although in many cases spam and viruses go hand in hand, there are still some viruses that have no spam-like characteristics and therefore must be defended against with genuine antivirus measures.  I recently worked with a customer who was surprised that their server-level antivirus was finding viruses in emails that had already passed through an external hosted filtering service.

Aside from email-borne viruses there are also non-email vectors for viruses and malware to attack an Exchange server.  Once the malware is on a server or computer on the network it can be used to attack other devices or even send out spam itself.

So with all of that in mind here are some strategies for protecting your Exchange environment from virus infection.

Hosted or Gateway Filtering

The best place to stop an email-borne virus is before it reaches your Exchange servers.  To do this requires either an externally hosted service that all of your email is routed through, or a server that sits in front of the Exchange servers (for example in the DMZ or as an edge/gateway device) to check all mail as it arrives.

A benefit of filtering email before it arrives on the Exchange server is that the resource-intensive virus scanning can occur on a dedicated device without impacting the performance of Exchange.

PDF Spam Returns With a Malicious Twist

Written by Sue Walsh on July 8, 2010

Security experts have issued a warning about a new spam campaign using PDFs to spread malware. The email arrives with what looks like a note from a friend:

          “Hey man… Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok…”

The “bill” is attached to the email as “PhoneCalls.pdf” and, if clicked on, takes advantage of a vulnerability in Adobe Reader in order to download the Sality virus. This virus, which appears to have originated in Russia, is extremely dangerous. It takes over the autorun feature, installs a peer-to-peer connection to a botnet, downloads additional malware, looks for and disables any anti-virus software it finds, looks for and infects any local, remote, and removable drives, alters the Windows registry to infect any .exe file set to load on startup, and worst of all, damages every file it infects beyond repair. It is one of the nastiest viruses out there today. Its botnet contains over 100,000 computers.

Adobe says they have released an update that repairs the vulnerability and if your IT department hasn’t installed it they should ASAP, but neither that nor having the most recent version of the program are guarantees against getting infected. Sality has been around since 2003 and has grown more and more complex and sophisticated with no end in sight. It’s important to have an anti-virus solution that can block zero-day attacks and threats.

9 Benefits of Hosted Antispam Services

Written by Paul Cunningham on November 5, 2009

Cloud computing is a popular topic these days.  One of the ways in which cloud computing is being delivered to businesses is by hosted email security services.

A hosted email security provider offers antivirus and antispam protection for their customers using servers hosted off the customer’s premises.  This delivery model carries many benefits to the customers.

Equipment Costs – by choosing a hosted service the customer is not required to purchase their own server hardware to run the security product on their own premises.

Support Costs – support is included in the monthly fee to the hosted provider, so the customer is not required to hire and retain staff to manage an on-premise solution.  The hosted provider is responsible for all maintenance and upgrades to keep the service running smoothly.

License Costs – because the customer is not running their own server they also save on software licensing costs.  Furthermore they are simply paying a per-user license cost to the hosted provider.

Bandwidth – because any virus or spam emails are filtered by the hosted provider that traffic never reaches the customer’s network, saving their bandwidth which is both a cost and a performance benefit.

Do Hosted Email Providers Mean Lack of Choice?

Written by Paul Cunningham on August 26, 2009

I am currently involved in discussions with a client about the feasibility of moving their Exchange environment to a hosted email provider.  The client is considering it on the basis that it will reduce costs and improve the maintenance and health of their email platform by having it all looked after by an outsourced provider.

At face value these points may be valid (a detailed cost/benefit analysis is still ongoing) however one item that did come up in the technical analysis is the impact it would have on the choice of email security product being used.  Basically it would remove the choice entirely, as the providers being considered offer a single solution for email anti-virus and anti-spam protection.

Although most email security products have similar features, not all of them are created equal.  Features can be included or excluded from product to product, and even features that are common between products can have very different levels of quality and performance.

The PIFTS.exe Conspiracy

Written by Brett Callow on March 11, 2009

On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were Symantec surreptitiously monitoring their users? Or was this something much more sinister?

The discussion raged on sites such as Slashdot and on forums across the internet. Symantec fanned the flames when they started deleting questions about PIFTS which had been posted to their web forum without explanation. What did they have to hide? To make matters worse, users searching for information on PIFTS found that they were being directed to malicious websites. Brian Krebs of the Washington Post noted:

          Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).

Symantec finally issued a statement which confirmed what had happened:

          Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 – 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

Even Scammers Are Affected By Credit Crisis

Written by Sue Walsh on October 24, 2008

Security experts say that the current financial crisis even has scammers worried. The recent rollercoaster on Wall Street has cybercriminals scrambling to find other sources of income believing their pool of targets is shrinking. Instead of going after banking information, passwords and credit card numbers, new spam campaigns are focusing on tricking people into purchasing fake antivirus programs and downloading ransomware.
