I'd suggest it's something you should look into.  Ignoring that it's something 
interesting to look into/learn about, in this day and age my personal opinion 
is that in a business environment (or any environment where you have this type 
of issue), you need a really good reason not to be doing some form of content 
filtering.

Don't misunderstand me, I'm not talking about access to stuff like Youtube and 
Facebook as those aren't IT's decision.  I mean blocking malware sites so that 
in an ideal world, how well your a/v deals with threats isn't tested because 
you can't get to them.

You shouldn't need to change anything on the Cisco.  Assuming you have your 
internal clients all using your internal AD server(s) for DNS, you'd just set 
your AD DNS servers to use a filtering DNS service as forwarders.

It's really easy to test it out as well, with no impact on the business.

Paul
________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 07 October 2011 5:42 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Not really. I don’t do much with the firewall as I don’t know much about Cisco. 
I rely on an outside consultant/vendor to handle any changes necessary for us.


From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, October 07, 2011 12:34 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

John, do you do any sort of DNS or URL filtering at your firewall to 
control/restrict outbound traffic?
________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 07 October 2011 4:02 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
Well, I was using the bootable CD, so any infection on the computer should not 
affect the machine in question. I’m guessing it’s just old hardware that isn’t 
up to the job. I might take a USB cd up to a couple of ‘em, but honestly I’m 
not really worried about it on those machines. We have that IP range blocked in 
the firewall, so it’s not as big a deal as it might have been.

OTOH, I am glad I used that bootable CD as some of the computers were really 
infested beyond what I would have expected with Vipre installed.


From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 10:25 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Did it successfully install the software and NOT allow you to update the 
definition files?

This is a good sign of an infected computer.

On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich 
<jaldr...@blueridgecarpet.com> wrote:
What do you do if the machine won’t run it? I have two machines that both
think the CD I just made is like 5 years old, and they won't allow me to
update the definitions or anything.... :(
Neither one is really "critical" but I can't replace 'em right now...



From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 3:56 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yeah... give the one from Microsoft a try:
http://connect.microsoft.com/systemsweeper


Roger Wright
___
My short term goal is to make it through the day.
My long term goal is to string a bunch of short term goals together.



On Thu, Oct 6, 2011 at 3:28 PM, John Aldrich 
<jaldr...@blueridgecarpet.com>
wrote:
Well, we blocked the IPs of the C&C server at the firewall, and
theoretically, I should have had some hits on the firewall overnight, but I
never did, so I don't know what's going on. Unless/until I can find
something to point me towards a good way to find this sucker, I'm going to
call it "resolved."

I did contact Sunbelt, but the tech I got seemed to think I'd already
identified the infected PC. I think the only way I'm likely to identify the
machine in question is to boot off removable media and scan the hard drive
of every machine that has been turned on during the time the infection was
detected (about a dozen or two.) Do y'all know of any good free/trialware
that one can download a bootable ISO for to scan for this bug?



From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Thursday, October 06, 2011 3:16 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

So you have no root cause but it is resolved?
On Thu, Oct 6, 2011 at 2:57 PM, John Aldrich 
<jaldr...@blueridgecarpet.com>
wrote:
Nope. I managed to get the ASA logging to a Linux box successfully, but it's
not showing any hits on the relevant IP address. *shrug* I don't know if
running Malware Bytes on a few machines cleaned it or not. I didn't find
anything major on those machines, so I doubt that was it. I suppose it could
be a false-positive. Don't know.



From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 12:03 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

John,

How'd you make out with this issue?  Determine the source yet?


Roger Wright
___
My short term goal is to make it through the day.
My long term goal is to string a bunch of short term goals together.



On Mon, Oct 3, 2011 at 1:22 PM, John Aldrich 
<jaldr...@blueridgecarpet.com>
wrote:
So, our external IP is blacklisted because apparently one of our machines is
infected with a banking Trojan. Short of going to each and every individual
machine on the network, the only thing I can think of to do is to set up
logging of the ASA to a syslog server. I have downloaded and installed a
trial version of Kiwi syslog, but I can’t figure out how to configure it to
forward the log files to my system.

Anyone here able to provide a good how-to? I *did* Google, but apparently my
Google-fu sucks, as I wasn’t able to find instructions that made sense to
me.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin
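Not part of the thread: an added example of the check John describes (C&C addresses blocked at the ASA, then look for hits in the syslog export), written as a script that parses Cisco ASA deny messages and tallies which internal hosts tried to reach the blocked addresses. The log lines and the blocked IPs below are constructed placeholders, not values from this thread.

```python
import re
from collections import Counter, defaultdict

# Cisco ASA "Deny" syslog message (%ASA-4-106023). Field order follows the
# documented format; the sample lines below are constructed, not real logs.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Placeholder: the C&C addresses blocked at the firewall (not the thread's).
BLOCKED_CC = {"203.0.113.7", "198.51.100.22"}

# Constructed sample of what an ASA syslog export might contain.
SAMPLE_LOG = """\
Oct 06 2011 02:14:07 fw01 %ASA-4-106023: Deny tcp src inside:192.168.1.57/49321 dst outside:203.0.113.7/443 by access-group "outside_out" [0x0, 0x0]
Oct 06 2011 02:14:09 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.1.20/51002 (192.0.2.1/51002)
Oct 06 2011 02:19:41 fw01 %ASA-4-106023: Deny tcp src inside:192.168.1.57/49388 dst outside:198.51.100.22/80 by access-group "outside_out" [0x0, 0x0]
Oct 06 2011 03:02:55 fw01 %ASA-4-106023: Deny udp src inside:192.168.1.88/5353 dst outside:8.8.8.8/53 by access-group "outside_out" [0x0, 0x0]
"""


def parse_denies(log_text):
    """Yield one dict per ASA 106023 deny line; other message types are skipped."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def suspect_hosts(log_text, blocked_ips):
    """Map each internal source IP to (denied-attempt count, blocked IPs it tried)."""
    hits = Counter()
    targets = defaultdict(set)
    for d in parse_denies(log_text):
        if d["dst_ip"] in blocked_ips:
            hits[d["src_ip"]] += 1
            targets[d["src_ip"]].add(d["dst_ip"])
    return {ip: (n, sorted(targets[ip])) for ip, n in hits.items()}


if __name__ == "__main__":
    for ip, (n, dsts) in sorted(suspect_hosts(SAMPLE_LOG, BLOCKED_CC).items()):
        print(f"{ip}: {n} denied attempt(s) -> {', '.join(dsts)}")
```

Point it at the file the syslog server writes and the hosts that come out are the ones to pull off the network and scan first; a denied attempt to a C&C address is a stronger lead than an a/v result that found nothing.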

--
-cynicalgeek-
cynicalgeek<at>gmail.com<http://gmail.com>
--
________________________________
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.
