We have actually started to implement this as well. We have 3-part custom rules that look for things like limewire, kazaa, emule, ares, etc. The 3 parts are:

- Registry Key
- Program Executable
- Essential File

We do this so that even if the user renames 'limewire.exe' to 'notlimewire.exe' we can still detect another limewire file that can't be renamed. Now granted, that doesn't stop a user from grabbing an OSS P2P software and hacking the code to get around this, but then IPS rules can grab that.

Right now we have one rule running in Audit mode and it seems to work well. After some more testing this summer it is going to be one of the things implemented during the Fall semester.

--Jeremy

On Thu, May 7, 2009 at 15:13, Stanclift, Michael <[email protected]> wrote:
> We're talking about writing some custom rules in CCA to scan systems
> and detect common P2P software, starting next semester, and denying access to
> the network for those who have it installed. Is anyone else doing this? Is
> there a better way to go about this than custom rules, some kind of plug-in
> or built-in feature I'm missing?
>
> We generally block P2P traffic out of our network, but we're going to start
> getting more aggressive in trying to "educate" users that using it and
> trading files is not only illegal (at least, what they're doing with it), it
> is a great way to infect your computer.
>
>
> Michael Stanclift
> Network Analyst
> Rockhurst University
>
> http://help.rockhurst.edu
> (816) 501-4231
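The three-part rule from the reply at the top of this thread, sketched as an added example (not code from either poster and not CCA's own rule syntax). It assumes a rule fires when any one of the three checks matches; the registry key, the essential file name and the host inventories are constructed placeholders.

```python
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class P2PRule:
    name: str
    registry_key: str    # constructed placeholder, not a real vendor key
    executable: str      # executable name as shipped
    essential_file: str  # constructed placeholder for a file that can't be renamed

def matched_parts(rule, host):
    """Return which of the three checks fire (Windows names are case-insensitive)."""
    keys = {k.lower().rstrip("\\") for k in host["registry_keys"]}
    names = {ntpath.basename(p).lower() for p in host["file_paths"]}
    parts = []
    if rule.registry_key.lower().rstrip("\\") in keys:
        parts.append("registry_key")
    if rule.executable.lower() in names:
        parts.append("executable")
    if rule.essential_file.lower() in names:
        parts.append("essential_file")
    return parts

def assess(rules, host, audit=True):
    """Audit mode only records findings; enforce mode denies network access."""
    findings = {}
    for rule in rules:
        parts = matched_parts(rule, host)
        if parts:
            findings[rule.name] = parts
    if not findings:
        return "allow", findings
    return ("allow-and-log" if audit else "deny"), findings

RULES = [P2PRule("limewire", r"HKLM\SOFTWARE\ExampleLimeWireKey",
                 "limewire.exe", "example-limewire-core.jar")]

# Constructed inventory: executable renamed, registry key removed by the user,
# but the essential file is still present under its original name.
RENAMED_HOST = {
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft"],
    "file_paths": [r"C:\Tools\notlimewire.exe",
                   r"C:\Tools\lib\Example-LimeWire-Core.jar"],
}
CLEAN_HOST = {"registry_keys": [r"HKLM\SOFTWARE\Microsoft"],
              "file_paths": [r"C:\Windows\notepad.exe"]}

if __name__ == "__main__":
    print(assess(RULES, RENAMED_HOST))               # audit mode
    print(assess(RULES, RENAMED_HOST, audit=False))  # enforce mode
    print(assess(RULES, CLEAN_HOST))
```

Recording which part matched, rather than a bare yes/no, makes the audit-mode results useful for tuning a rule before it starts denying access.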
