SUMMARY: How to disinfect Word documents on UNIX

From: EG Keizer (keie@cs.vu.nl)
Date: Mon Jun 07 1999 - 05:02:14 CDT


We had several suggestions. The two best ones were:

- create a SAMBA share with root access, that does not follow symbolic links.
  We did this and used a Windows virus scanner (McAfee) to remove viruses.
  It worked like a charm. (see attachment 1)
  Thank you, Gary Franczyk

- Buy NAI 4.04 (total virus defense)
  We are trying to buy NAI 4.04. It might take a while because we can get it
  cheap if we buy through a national institution that organizes discounts
  for universities. We are glad to know that an up to date version of a Solaris
  virus scanner exists.
  Thank you: Rogerio Rocha

Although the `SAMBA/root/don't follow links' method works fine, we are still
trying to get the Solaris version because we decided a while ago that
we want to reduce our number of NT servers as much as possible, and
because we like to reduce the number of dependencies. Software that scans disks
should run on the server that has the disks.

A few remarks on other replies:
- Enlist the help of users to scan for viruses
  This is too big a hassle with around 1000 users.
- Use VirusScan SMTP/Interscan Viruswall scanner for Solaris from Trend Micro
  This seems to protect against viruses entering systems. It does
  not seem able to remove viruses in existing user files.
- Temporarily remove all symlinks and restore after scanning
  This is a good way to get our users mad at us.
- Temporarily copy all files to NT and restore after scanning
  This is a good way to get our users mad at us.
- Solaris virus scanners do not handle Word viruses properly
  We will be looking into this. (see attachment)

Thanks to:
        Franczyk, Gary <gfranczyk@carbomedics.com>
        Alan Orndorff <dwarfie@mindspring.com>
        Dan Simoes <dans@deva.iclick.com>
        Enrique Vadillo <vadillo@rcp.net.pe>
        Bryan J. Smith <bjs@crc.com>
        Rogerio Rocha <rogerio@bvl.pt>
        Jerry Litteer <gll@inel.gov>
        James Ashton <James.Ashton@syseng.anu.edu.au>
        Robert Glover <r_glover@wapol.gov.au>
        Bertrand Hutin <hb@ardentsoftware.fr>
        Gerhard den Hollander <gerhard@james.jason.nl>
        John and Denise Ciesla <ciesla@psinet.com>

Ed Keizer
Computerlab W&I tel: +31 20 44 47804
Faculteit der Exacte Wetenschappen fax: +31 20 44 47653
Vrije Universiteit e-mail: keie@cs.vu.nl
De Boelelaan 1081A, 1081 HV Amsterdam, The Netherlands


attached mail follows:


Why don't you make a second Samba share to the same directory as the first
samba share....
In that second share, you can set "follow symlinks = no" and use the second
share only to scan for viruses with your NT software.

* gary franczyk
* systems administrator / dba
* 512.435.3286

-----Original Message-----
From: EG Keizer [mailto:keie@cs.vu.nl]
Sent: Thursday, May 20, 1999 9:17 AM
To: sun-managers@sunmanagers.ececs.uc.edu
Subject: How to desinfect Word documents on UNIX file systems?

Question:
        Who is aware of virus scanners for Solaris, other than McAfee
        or Network Associates, that can handle the ETHAN Word Macro Virus?

Our NT users store their documents on their home directories on our Solaris
systems through SAMBA. Most of these NT users also use Solaris to access
their home directories.

Recently we have been hit by a Word macro virus (ETHAN). We would like
to disinfect our files, but are still looking for a solution.

We can not use NT virus scanners, because through SAMBA we allow
the use of symbolic links. NT virus scanners are not (and can not be)
aware of symbolic links. The result is that the virus scanner
starts digging an ever deeper hole for itself, recursively following
the same symbolic link over and over again.

McAfee has a Solaris virus scanner, but its latest version (3) does
not handle the ETHAN virus.

Network Associates has acquired McAfee. They seem to have a more recent
Solaris virus scanner, but we can not find it on their web site.
We are still looking into that through a more human interface.

Does anyone know of other ways to disinfect our Word files on Solaris
servers?
Preferably one that allows us to download the method.

Ed Keizer
Computerlab W&I tel: +31 20 44 47804
Faculteit de Exacte Wetenschappen fax: +31 20 44 47653
Vrije Universiteit e-mail: keie@cs.vu.nl
De Boelelaan 1081A, 1081 HV Amsterdam, The Netherlands
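
The two-share arrangement suggested in the reply above, written out as an smb.conf fragment. This is an added example, not configuration from the original thread: the share names, the path, the `avscan` account and the host address are placeholders, while `follow symlinks`, `admin users`, `valid users`, `hosts allow`, `read only` and `browseable` are standard Samba parameters.

```ini
; Constructed example. Share names, path, account and address are placeholders.
; smb.conf has no trailing comments, so every comment is on its own line.

; Existing user-facing share: symbolic links are followed, as the users expect.
[homes]
    read only = no
    follow symlinks = yes

; Second share onto the same directory tree, used only by the NT virus scanner.
[avscan]
    comment = scan-only view of the home directories
    ; Assumed location of the home directories on the Solaris server.
    path = /export/home
    ; smbd refuses to open anything that is a symbolic link, so the scanner
    ; cannot recurse through the same link over and over.
    follow symlinks = no
    ; The scanner has to rewrite infected documents, so the share is writable.
    read only = no
    ; Only the dedicated scanner account may connect (hypothetical account name).
    valid users = avscan
    ; File operations by this account are carried out as root, which is what
    ; lets one scan reach every user's files.
    admin users = avscan
    ; Accept connections only from the scanning NT machine (constructed address).
    hosts allow = 192.0.2.10
    ; Keep the share out of browse lists.
    browseable = no
```

Because the scan share runs file operations as root, `valid users` and `hosts allow` are what keep it from becoming a general root-level view of every home directory.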


attached mail follows:


An alternative solution is Trend.

You may want to reconsider your virus scanning techniques.
While I am a big Unix lover, my experience has shown that Solaris scanners
are inadequate for the new class of macro viruses we're seeing today. More
serious viruses are creating serious update problems for the scanners and
many antivirus companies lack the Unix expertise needed to effectively fix
the problem. In most cases the antivirus companies have chosen to disable
the virus code but keep the virus intact, such as Ethan. This can create a
serious problem if your system receives a copycat virus that can reinitiate
the virus and corrupt your normal.dot file. If this happens all the users'
documents could become infected or the Windows env. could become corrupt
and you would never know it or detect it until it's too late.

We do use Trend but we also have a desktop antivirus software as well.

John

-----Original Message-----
From: EG Keizer <keie@cs.vu.nl>
To: sun-managers@sunmanagers.ececs.uc.edu
<sun-managers@sunmanagers.ececs.uc.edu>
Date: Thursday, May 20, 1999 12:40 PM
Subject: How to desinfect Word documents on UNIX file systems?

>Question:
> Who is aware of virus scanners for Solaris, other than McAfee
> or Network Associates, that can handle the ETHAN Word Macro Virus?
>
>Our NT users store their documents on their home directories on our Solaris
>systems through SAMBA. Most of these NT users also use Solaris to access
>their home directories.
>
>Recently we have been hit by a Word macro virus (ETHAN). We would like
>to disinfect our files, but are still looking for a solution.
>
>We can not use NT virus scanners, because through SAMBA we allow
>the use of symbolic links. NT virus scanners are not (and can not be)
>aware of symbolic links. The result is that the virus scanner
>starts digging an ever deeper hole for itself, recursively following
>the same symbolic link over and over again.
>
>McAfee has a Solaris virus scanner, but its latest version (3) does
>not handle the ETHAN virus.
>
>Network Associates has acquired McAfee. They seem to have a more recent
>Solaris virus scanner, but we can not find it on their web site.
>We are still looking into that through a more human interface.
>
>Does anyone know of other ways to disinfect our Word files on Solaris
>servers?
>Preferably one that allows us to download the method.
>
>Ed Keizer
>Computerlab W&I tel: +31 20 44 47804
>Faculteit de Exacte Wetenschappen fax: +31 20 44 47653
>Vrije Universiteit e-mail: keie@cs.vu.nl
>De Boelelaan 1081A, 1081 HV Amsterdam, The Netherlands
>


