Re: [ActiveDir] virus/worm

2004-11-22 Thread ASB
Wait until your boss's machine gets infected. Maybe that's what it will take to get the policy changed. And you should try using another AV product if the current one is not keeping your systems cleaned from known viruses. How are you cleaning them when you find them? (read: are you sure

RE: [ActiveDir] virus/worm

2004-11-22 Thread Michael B. Smith
, it's going to keep coming back - a user will download an infected archive, execute and WHAM! It's there again. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 22, 2004 3:34 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] virus

Re: [ActiveDir] virus/worm

2004-11-22 Thread ddh
Hi, I've noticed on several occasions that after a certain machine got raped by viruses, even when removed and the machine has all latest datfiles and critical patches, the viruses keep on coming on in and afflicting the same machine again and again and again. As stated, this happens even

RE: [ActiveDir] virus/worm

2004-11-22 Thread Kern, Tom
PROTECTED] Sent: Monday, November 22, 2004 3:34 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] virus/worm Wait until your boss's machine gets infected. Maybe that's what it will take to get the policy changed. And you should try using another AV product if the current one is not keeping your

RE: [ActiveDir] virus/worm

2004-11-22 Thread Alex Fontana
We've seen this, unfortunately there are thousands of variants of this worm. First things first... Make absolute sure you are completely cleaning a machine!!! No matter how much patching is done if the machine has already been compromised it WILL get reinfected. We found that McAfee, even

RE: [ActiveDir] virus/worm

2004-11-22 Thread Kern, Tom
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 3:58 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] virus/worm Hi, I've noticed on several occasions that after a certain machine got raped by viruses, even when removed and the machine has all latest datfiles

RE: [ActiveDir] virus/worm

2004-11-22 Thread Dan DeStefano
PROTECTED] Behalf Of Kern, Tom Sent: Monday, November 22, 2004 4:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm I run a virus scan in safe mode and it's hit or miss if Symantec gets it. So I end up manually deleting the files and reg keys. Typically the files are found in system32

RE: [ActiveDir] virus/worm

2004-11-22 Thread Dan DeStefano
, 2004 4:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm How can it be permanent? I mean if you delete all instances on hard disk and reg keys in safe mode when nothing is running, where the heck is it coming back from? I've always wanted to know. Also, how the heck does it get

RE: [ActiveDir] virus/worm

2004-11-22 Thread Paul van Geldrop
PROTECTED] On Behalf Of ASB Sent: Monday, November 22, 2004 9:34 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] virus/worm Wait until your boss's machine gets infected. Maybe that's what it will take to get the policy changed. And you should try using another AV product if the current one

RE: [ActiveDir] virus/worm

2004-11-22 Thread Kern, Tom
for a solution that goes around the roaming virii users without making them change. sigh... thanks -Original Message- From: Paul van Geldrop [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm Even though that first line might

RE: [ActiveDir] virus/worm

2004-11-22 Thread Fuller, Stuart
concept but more products are coming out to handle just the situation that you are experiencing. -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 2:52 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm I suggested the vlan solution

Re: [ActiveDir] virus/worm

2004-11-22 Thread Rick Boza
for a solution that goes around the roaming virii users without making them change. sigh... thanks -Original Message- From: Paul van Geldrop [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm Even

RE: [ActiveDir] virus/worm

2004-11-22 Thread travis.abrams
How strong are your passwords on those machines? I am pretty sure variants of the Spybot can try common passwords. A couple other tricks I have used: Set up your routers to send a syslog alert and then email you any machine attempting to contact IRC ports

RE: [ActiveDir] virus/worm

2004-11-22 Thread Stockbrugger, Brian L.
to this system is that it does require some IT intervention but I would rather that than chase a virus. Brian -Original Message- From: Fuller, Stuart [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 2:06 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] virus/worm Talk to the Cisco people

RE: [ActiveDir] virus/worm

2004-11-22 Thread Kern, Tom
I have my firewall logging to a syslog daemon which emails me any bad ports - typically the worm/bot goes out 445/. Snort doesn't do anything proactive like kill the worm. It will just email me what it thinks is unusual. Identifying when the worm kicks

RE: [ActiveDir] virus/worm

2004-11-22 Thread travis.abrams
You're right that Snort can't patch the systems but it can help you find the source. If you think it is from a traveling laptop put Snort or something like it near where the traveling laptops are. It should detect the scanning by the worm and give you