RE: [ActiveDir] OT:spyware

[Kern, Tom]

The viruses I’ve been getting are w32.spybot.worm and bat.mumu.A.worm(all Symantec’s names). We are patched and up to date. The machines(anywhere from 5-10) get infected and then start going out on ports 445 and 6667. This is enough to slow our network to a crawl at times.   I thought patching just prevents those holes from being exploited but does not prevent you from getting the virus and having it use your machine to attack another unpatched one. Am I wrong?     thanks   From: Robert N. Leali [mailto:[EMAIL PROTECTED] Sent: Thursday, September 30, 2004 9:05 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   It is possible to get virus infections even with current virus definitions.  My experience with Nachi/Welchia and 5000+ workstations at my last employer taught me that.  If you have Nachi/Welchia in your system on just one machine, it's going to continually try to find machines to infect in your subnets.  If you have current virus definitions but you haven't applied the Microsoft patch, the machines will get reinfected and then the virus scanner will clean the machine reporting that the virus was cleaned.  It's a vicious cycle.  Basically, you have to clean, patch, and then clean to end the cycle.   In our situation, we used a start-up script to install the Microsoft patch on the machine and then execute McAfee's STINGER program to clean the virus.   As to Spyware, we are using a web filter on the ISA Server to block spyware from ever getting to the machine. The vendor has a category called "spyware" that seems to cover everything except Gator/GAIN.  We added URL's for those as well.  So far, it seems to be working but we are only 3 weeks into the test.  We also blocked downloading of executables and some other file types at the proxy.   Hope this helps ..   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 4:52 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware As re: Symantec, a lot of the viruses I’ve been getting lately have been viruses that are over a year old and defs have been out for awhile so I’m puzzled as to why I keep getting infected.   The spyware/adware I think may be virus related and not web “push” related, but I’m not positive.   When you say “policy”, you are referring to locking down desktops or a written set of standards provided by IT or upper management?   Its diffcult for me to block web sites on content as I work for a large liquor distribution firm where many sales reps and managers have to go to bar/club or liquor sites that have content which result in a lot of false positives for me.   Finally, we have over 400 users and if  I really had a large outbreak(100+ pc’s), I really don’t know how I would take care of it. I’m the only admin and going to each pc  to clean individually would be insane. How would I take care of that? Its thoughts like that which keep me up at night…   Thanks       From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 5:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   There are examples out there of viruses elevating privileges if that's what you're asking.  The goal of virus defense is to limit the impact not necessarily prevent every single infection.  Things happen and you have to either decide to limit the amount of damage a virus or errant user or hacker, etc can do or you have to bet that you are catching everything before it happens.   Not only in your experience, but logically, you cannot prevent everything.  Virus defs lag exploits because one has to exist before the other.  Turns out the virus usually exists before the def does, right?   Your spyware problem is different.  It could be a lot of things, or it could be that this is a symptom of a larger issue.  Can't quite tell from the thread information so far.   Typical antivirus strategy has been to go after the "four sectors" file and print, smtp, desktops, and mail groupware servers.  The web adds another sector to go after and changes the paradigm from a pull to a push type of flow.  The users actively go after content vs. having it sent to them.   Spyware may is not all bad though, right? Some of it is undesirable such as tracking cookies etc.  Some of it leads to malware and really sucks to get rid of.  Ask any IT person with a non-tech teenage neighbor ;)   Best bet is to start with a policy and work back from there to a strategy and then to an execution plan. If your current strategy isn't working, it might be worth it to revisit the planning and then design the solution and deploy it to meet those requirements and direction.  Why not just jump to action?  I say this because you may be able to treat the symptoms now, but you'll just be waiting for the next one with no clear reaction plan or alternatives when it hits.    My $0.02 anyway.       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 5:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware When a user gets a virus, that virus will execute under that user’s security context. So a regular user should NOT have a virus write to those keys. True?   Or can a virus somehow get localsystem access?   Thanks   As to Symantec, I know this is not the forum for this, but I’m pretty much at my limit with their products. I get infected by viruses that came out a year or 6 months ago AND all our definitions are up to date. I could chalk it up to my fault as an admin, if someone could just explain to me how I can be infected by a virus I already have the defs for. I assume the real time auto protect service is made to start BEFORE any virus or worm does. Oh well. End of rant.       From: Dan DeStefano [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 5:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   Remember that Ad-Aware can only be legally used in non-commercial environments. Spybot S&D and Spyware Blaster are both free to both home and corporate users, so I usually use these instead of Ad-Aware. Regular users should not be able to write to the hklm\software\microsoft\windows\current version\run key unless you have changed the key's permissions.     Daniel DeStefano         -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 4:14 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT:spyware Lately I my users have been plagued with spyware and adware. What do you guys do to fight this? Can Spybot be pushed out as an msi via a gpo? Or ad-aware? Should I set the killbit on all the local active x controls? Should I prevent active x and _javascript_ing in IE thru a gpo?   I’m running win2k/xp clients, but mostly win2k.   Finally, when you get a worm or a virus that writes to the hklm\software\microsoft\windows\currentversion\run key, does the worm/virus run under the user’s security context? Meaning, if the user is just a local user and thus has no privileges to write to those keys, shouldn’t the worm or virus not be able to as well?   Thanks and sorry for the deluge of questions, OT as they are. ---- The information contained in this e-mail transmittal, including any attached document(s) is confidential. The information is intended only for the use of the named recipient. If you are not the named recipient, you are hereby notified that any use, disclosure, copying, or distribution of the contents hereof is strictly prohibited.