Off Topic - InoculateIT - Security Bug!

FYI ... InoculateIT bug ...

Yesterday we got hit with the VBS/Plan.A.worm virus which is actually
several months old. Since our signature files were updated on Sunday of
this week it seemed a tad strange that InoculateIT did not stop the virus at
our email server.

When we called Computer Ass. for an explanation as to how this could happen
we were told that there is a "Known" bug in the software that if anyone has
more than 1,000 elements in their mailbox ( mail + tasks + appointments +
etc ) the software WILL NOT check for viruses. It seems one of their
developers thought 1,000 was a BIG number.

We, of course, have people with 12,000 - 16,000 elements associated with
their mailboxes. It's actually quite easy - use the calendar function
heavily and do not purge old appointments ....

Thankfully CA has an easy fix.

From REGEDT32 on your email server:
* Go to "HKEY_LOCAL_MACHINE"
* Go to "SOFTWARE"
* Go to "Computer-Associates"
* Go to "InoculateIT"
* Go to "CurrentVersion"
* Go to "Mail"
* From menu bar / Edit - use "Add Value"
* Set value name = "LS_MaxMessageCount" ( Case Sensitive !!! ) as REG_DWORD with a "Decimal" value of .... we used 40,000

Once we added this value and rebooted the machine a standard "Scan" of
our mailboxes found the virus.

It is VERY nice that CA sends me emails 3 to 4 times a week letting me know
that they have released new signature files that I can download to my
server. It would have been even MORE appreciated if they had sent me an
email to let me know this bug existed !!!

By the way I now have the source code for the Plan.A.Worm. It's actually
very simple. For a reasonable fee it would be very easy to modify if
anyone has a company they would like to nuke .... :-)

Seriously, this code is ridiculously simple to modify. No wonder that there
have now been 60 + variations of the Loveletter virus. With very little
effort you could knock off 10 or more variations in a day ... Scary stuff
!!!

Todd Anderson
J. Rubin & Co.
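
The registry change described in the message above, as an added PowerShell example that is not part of the original post and is not CA's own tooling: it reports whether the value exists with the exact name, the REG_DWORD type and a high enough limit, and writes it only when run with -Apply. The key path, value name and the figure 40000 come from the post; the parameter names and state labels are assumptions made for illustration.

```powershell
# Added example: audit (and with -Apply, set) the scan limit described in the post.
# Key path, value name, type and 40000 come from the post; everything else is illustrative.
param(
    [int]$DesiredLimit = 40000,  # size this above your largest mailbox item count
    [switch]$Apply               # without -Apply the script only reports
)

$keyPath   = 'HKLM:\SOFTWARE\Computer-Associates\InoculateIT\CurrentVersion\Mail'
$valueName = 'LS_MaxMessageCount'

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "Key not found: $keyPath (nothing to audit on this host)."
    return
}

$key = Get-Item -LiteralPath $keyPath
# Registry lookups ignore case, so find the stored name case-insensitively
# and then compare it case-sensitively, since the post stresses exact case.
$stored = $key.GetValueNames() | Where-Object { $_ -ieq $valueName } | Select-Object -First 1

$state = 'Missing'
$data  = $null
if ($stored) {
    $kind = $key.GetValueKind($stored)
    $data = $key.GetValue($stored)
    if     ($stored -cne $valueName) { $state = 'WrongCase' }
    elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $state = 'WrongType' }
    elseif ($data -lt $DesiredLimit) { $state = 'TooLow' }
    else   { $state = 'OK' }
}
Write-Output "$valueName state: $state (stored name: '$stored', data: $data)"

if ($Apply -and $state -ne 'OK') {
    # Remove a mis-cased or mis-typed entry first so name and type are recreated exactly.
    if ($stored) { Remove-ItemProperty -LiteralPath $keyPath -Name $stored }
    New-ItemProperty -LiteralPath $keyPath -Name $valueName `
        -PropertyType DWord -Value $DesiredLimit | Out-Null
    Write-Output "Set $valueName = $DesiredLimit (REG_DWORD)."
}
```

Run it from an elevated session on the mail server; per the post, the new value took effect after a reboot, and a standard scan then found the infected items.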