Title: RE: [ActiveDir] virus/worm
You're right that Snort can't patch the systems, but it can help you find the source. If you think it is from a traveling laptop, put Snort or something like it near where the traveling laptops are. It should detect the scanning by the worm and give you the source IP, before it tries to talk IRC or do the DOS. I have done this several times and I can share my signature if you would like.
 
As far as how the machines are getting infected check your passwords. Certain variants of this worm will try to login to machines with a set list of passwords.
 
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.fbg.html
 
Check out aviews.net; it is a spin-off of Avien and available for people with fewer than 1500 machines. It is well worth the money, in my opinion.
 

Holland + Knight
 
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP
 
NOTICE:  This e-mail is from a law firm, Holland & Knight LLP ("H&K"), and is intended solely for the use of the individual(s) to whom it is addressed.  If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else.  If you are not an existing client of H&K, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to H&K in reply that you expect it to hold in confidence.  If you properly received this e-mail as a client, co-counsel or retained expert of H&K, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, November 22, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] virus/worm

I have my firewall logging to a syslog daemon which emails me any bad ports; typically the worm/bot goes out 445/6666.
 
Snort doesn't do anything proactive like kill the worm. It will just email me what it thinks is unusual.
 
Identifying when the worm kicks in is not the issue. I need to be proactive and figure out how it's getting in, specifically from which user (I assume it's a traveling laptop), and how to get rid of it for good.
Why is patching and being up to date not helping?
That kind of stuff which Snort doesn't do.
 
My firewall logs tell me the port and IP address the worm is coming from internally and then I clean it.
All these bots seem to go out to Internet IPs and end up DOSing my firewall and bringing other services like external mail to a crawl.
I don't think Snort will really help any.
 
I'd like to know more about Avien. I only support about 500 users so I'm not really qualified to join. Plus, is it worth the $$?
 
Thanks
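Both replies above come down to the same detection idea: Travis wants Snort to catch the worm's scanning and IRC traffic and hand back the source IP, and Tom already gets firewall hits on 445/6666 mailed to him from syslog. The script below is an added example, not code from either poster; it runs that logic over constructed syslog-style firewall records and reports only the internal hosts that fan out over SMB or contact an external IRC server, so the output is the clean-up list rather than one alert per connection. The log line format, the 10/8 internal range, the IRC port range and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports the thread calls out: 445 (worm spreading over SMB) and 6666 (IRC bot
# channel). The wider IRC range, the 10/8 internal range and the scan threshold
# are assumptions made for this example.
IRC_PORTS = {6666, 6667, 6668, 6669}
SMB_PORT = 445
SCAN_THRESHOLD = 5  # distinct SMB targets from one source before we call it a scan
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")

def is_internal(ip):
    return ip.startswith("10.")  # assumed internal address range

def find_suspects(log_text):
    """Map each internal source IP to the evidence against it: 'irc' (external
    IRC servers it contacted) and/or 'smb_scan' (SMB targets it fanned out to).
    Hosts with neither are left out, so the result is the list to go clean."""
    irc, smb = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_internal(m["src"]):
            continue
        dpt = int(m["dpt"])
        if dpt in IRC_PORTS and not is_internal(m["dst"]):
            irc[m["src"]].add(m["dst"])
        elif dpt == SMB_PORT:
            smb[m["src"]].add(m["dst"])
    suspects = {}
    for src in set(irc) | set(smb):
        evidence = {}
        if irc[src]:
            evidence["irc"] = irc[src]
        if len(smb[src]) >= SCAN_THRESHOLD:
            evidence["smb_scan"] = smb[src]
        if evidence:
            suspects[src] = evidence
    return suspects

def _line(src, dst, dpt):  # one constructed syslog-style firewall record
    return f"Nov 22 18:01:02 fw1 kernel: ACCEPT SRC={src} DST={dst} PROTO=TCP DPT={dpt}"

# Constructed sample: .23 sweeps six neighbours on 445 then joins IRC, .50 is a
# normal client (one file server, one web site), .60 only talks IRC.
SAMPLE_LOG = "\n".join(
    [_line("10.1.5.23", f"10.1.5.{n}", 445) for n in range(40, 46)]
    + [_line("10.1.5.23", "198.51.100.7", 6667), _line("10.1.5.50", "10.1.5.2", 445),
       _line("10.1.5.50", "203.0.113.10", 80), _line("10.1.5.60", "198.51.100.9", 6667)]
)
```

Calling `find_suspects(SAMPLE_LOG)` returns only `10.1.5.23` (SMB sweep plus IRC) and `10.1.5.60` (IRC only); the ordinary client `10.1.5.50` never appears, which is what keeps the mailed alerts down to the machines actually worth walking over to.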
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 22, 2004 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] virus/worm

How strong are your passwords on those machines? I am pretty sure variants of the Spybot can try common passwords. A couple of other tricks I have used:

  • Set up your routers to send a syslog alert and then email you any machine attempting to contact IRC ports outside of your network. That can quickly alert you to these infections.
  • Get SNORT!
  • Consider joining AVIEN www.avien.org

You should also consider looking at a Network Quarantine product. We are evaluating SafeAccess from StillSecure and it is working well so far. Our basic setup is: if I can check your machine, it is allowed to pass; if I can't, it goes into an Internet-only VLAN. (You define the account to use to check the machines.) If the person needs full LAN access, they open their browser and must provide credentials that SafeAccess can use to check their machine.


Holland + Knight
 
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Monday, November 22, 2004 3:28 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] virus/worm

Hi all. I am having a serious issue with bot-type worms that keep infecting my machines over and over. It doesn't matter that I'm fully patched and my virus defs are up to date.

I use Symantec Corporate Edition 9.0 in a win2k mixed mode AD environment. My machines all have the most up to date patches and hot fixes.

I have seen machines that are up to date in everything get reinfected time and time again. The worm is a variant of what Symantec calls Spybot.worm32. It usually creates an exe in system32 called Explorer.exe or 386.exe or svchosting.exe and no matter the defs it slips by Symantec.

This is a posting perhaps better sent to a virus or Symantec list, but you guys seem really knowledgeable and I'd like to pick your collective brains about how to deal with this issue.

I assume it's getting in via laptop users who take their PCs home at night or some of our traveling sales guys, but if my desktops are up to date and patched, they shouldn't get infected.

No?
Am I being naive?



Finally, we are a liquor distributor and a lot of times we have suppliers from other companies come in with laptops that give PowerPoint presentations and access our Internet connection. These guys are from elsewhere so they don't have accounts in our domain and thus log in locally.

How can I protect myself against these guys? Management insists they be allowed to do their thing with their laptops on our network when they come in, and since they don't log into our domain, I can't even push out a GPO and I'm at the mercy of these guys and what their IT dept did or did not do.

Help!


Thanks a lot. If I can get a solution to just one of these 2 questions, I'll be a happy man.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/