Ah, but you are so wrong.
And yet I don't think I am, how funny. :)
If I scan at the e-mail gateways, I accomplish at least these seven
things:
1.) I protect outgoing mail for outside people, thus limiting the spread of
worms if and when the desktop does get compromised;
If your workstations are patched and kept patched in an automated way
aren't you doing this as well?
Is it likely your server will be patched before the workstation? If so,
why? Why not have the same infrastructure for supplying updates to both?
And if you have it for both, why not just leave it on the place where
the infection occurs?
2.) Because of 1, I limit my liability exposure if one of my users infects
someone outside with a bad worm;
Liability to what? I've forgotten when was the last lawsuit for
'internet worm ravages the world'?
3.) Well over 99.99% of viruses come in via e-mail;
Wow, is that a real statistic or did you pick it fresh out of the air?
4.) Scanning and stripping the executable reduces my users' POP/IMAP
bandwidths; some of these guys are using IPsec over dialup, where every 150K
Windows worm eats time (and those 150K worms add up fast, when over a
thousand per hour are traversing the incoming e-mail gateway! (which has
happened a couple of times here)): the desktop-based scanner still has to
download the e-mail;
This is an argument I can understand. But I don't have any of those
users and I hope that dial up users are slowly slowly slowly diminishing
from existence. I know they're not but I like to pretend :)
5.) Stripping ALL executable attachments (using MIMEDefang, MailScanner,
Sophos MailMonitor (which can just simply delete executable attachments out
of hand as well as scanning them), or other tool of choice) protects against
many unknown viruses and Trojans;
And gets a fair number of false positives but...
6.) Installing an e-mail gateway scanner is very little effort and very little
cost;
Depending on your mail volume.
7.) E-mail scanning has massive bang-for-the-buck: what viruses are left that
come in other ways probably (not always) will be isolated incidents; an
e-mail worm can propagate like wildfire (not always true, but almost always
true) and quickly swamp response teams, because e-mail worms never come in
one at a time....
Again, depending on your volume.
Further, with Sophos Enterprise Manager you can have centralized desktop
scanner updates and management (as I'm sure NAV Enterprise also allows),
which gives you the best of both worlds.
And it only costs $8trillion. Seriously, Sophos is prohibitively
expensive and closed source, and provides their own Perl and, and, and,
and.... it's not something I'll be using anytime soon.
-sv
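
The trade-off argued over in point 5 (stripping executable attachments at the gateway versus the false positives that causes), as an added example that is not part of the original thread and is not how MIMEDefang, MailScanner or Sophos implement it. The block list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for this sketch; production gateways carry longer ones.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def verdict(part):
    """Return why a leaf MIME part is treated as executable, or None."""
    name = (part.get_filename() or "").lower()
    if name.endswith(BLOCKED_EXT):
        return "blocked extension"
    if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
        return "MZ header"  # DOS/PE magic, whatever the filename claims
    return None

def strip_executables(raw):
    """Return (cleaned message bytes, [(filename, reason), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        reason = verdict(part)
        if reason:
            name = part.get_filename()
            removed.append((name, reason))
            # Replace the payload with a notice so the recipient sees the removal.
            part.set_content(f"Attachment {name!r} removed at gateway: {reason}\n")
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: two executable parts, two harmless ones."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "files"
    m.set_content("See attached.")
    att = dict(maintype="application", subtype="octet-stream")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, filename="photo.scr", **att)
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, filename="report.pdf", **att)
    # Harmless text whose name ends in .com: the false-positive case.
    m.add_attachment(b"alice, bob, carol\n", filename="contacts.com", **att)
    m.add_attachment(b"meeting at ten\n", filename="notes.txt", **att)
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    for name, reason in removed:
        print(f"stripped {name}: {reason}")
```

The renamed `report.pdf` is caught only by the content check, while `contacts.com` is removed purely on its name, which is the kind of false positive the reply to point 5 refers to.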