System restore is always off on our machines
win2k machines get infected too and I can say without a doubt they are all 
patched. We use SUS and patch all our boxes whenever a new one comes out. All 
defs are up to date via Symantec though sometimes in safe mode, Symantec full 
scan will NOT find the worm.
This is really a time killer. And we have 4 admins and 500 clients. What you 
suggest would take a looong time.
I need a more proactive solution.
I don't think MS and the virus corps out there are really accurate. I think you 
CAN get infected even when patched. Maybe the worm won't crash your box but it 
will go out and try to connect to another box from the host machine and flood 
your network.
thanks

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort


No real experience with snort, but on the topic of "getting the worms
even if they are patched," it is most likely that they got the worm
before the machine was patched, and system restore is turned on.
Although system restore seems to be helpful to some people, I have never
had it successfully restore anything (most likely because by the time I
am desperate enough to try system restore the machine is so hosed I
doubt anything could fix it), so you might want to weigh the
advantages/disadvantages of turning system restore off...all our
machines have it turned off. If the machine gets too hosed, I would
rather throw the HD in a different machine and recover the files I
needed than worry about worms because the SR was on. Anyways...up to
you.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 10:42 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as an IDS
and intrusion prevention?
I'm really getting hit hard with bots like W32.spybot.worm and
W32.Randex.BTB. I get these worms even being fully patched and my
Symantec defs are up to date. I'm looking for something cheap (read:
free) to help me stop these things or at least contain them.

My managers are looking into Cisco Self defending networks solution but
that's big $$ and might be a whole other management headache.

I was looking at some combination of our current AV (Symantec corporate
9.0) and GPO and snort as some sort of solution.
These bots are really annoying because they seem to infect even patched
and up to date systems and then they go out on ports 445 or 54321 or
6666 and even though our firewall (WatchGuard) blocks these ports, enough
of these infected systems can DOS my firewall or bring network traffic
to a crawl.

Any recommendations?
thanks a lot
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
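One way to pick out the noisy internal hosts this message describes, as an added example that is not part of the thread: the script below walks a constructed firewall deny log (a generic layout, not WatchGuard's real format) and flags any source that hits many distinct destinations on the ports named above inside a short window, which is the list you need in order to pull those machines off the network before they swamp the firewall. The ports come from the message; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORTS = {445, 54321, 6666}   # ports the thread reports the bots using
DISTINCT_DST_THRESHOLD = 5        # assumption: tune to your network
WINDOW = timedelta(seconds=60)

# Constructed sample lines in a generic deny-log layout (not WatchGuard's
# real format): timestamp action src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2004-12-01 10:40:01 deny 10.1.1.25 1035 192.168.5.10 445
2004-12-01 10:40:02 deny 10.1.1.25 1036 192.168.5.11 445
2004-12-01 10:40:02 deny 10.1.1.25 1037 192.168.5.12 445
2004-12-01 10:40:03 deny 10.1.1.25 1038 192.168.5.13 445
2004-12-01 10:40:03 deny 10.1.1.25 1039 192.168.5.14 445
2004-12-01 10:40:04 deny 10.1.1.25 1040 10.9.9.9 6666
2004-12-01 10:40:05 deny 10.1.1.40 2001 192.168.5.10 445
2004-12-01 10:41:30 deny 10.1.1.40 2002 192.168.5.11 445
2004-12-01 10:45:00 deny 10.1.1.77 3000 172.16.0.5 80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\d+) (\S+) (\d+)$")

def parse(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3), m.group(5), int(m.group(6))

def find_scanners(log_text, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src_ip: n} for sources hitting >= threshold distinct dsts on WORM_PORTS in one window."""
    events = defaultdict(list)               # src_ip -> [(ts, dst_ip)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] in WORM_PORTS:     # ignore traffic on other ports
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            # distinct destinations in the window that starts at this hit
            dsts = {d for t, d in hits[i:] if t - start <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Feed it the real deny log instead of SAMPLE_LOG and the hosts it returns are the ones to isolate; a source with only a couple of hits spread over minutes (10.1.1.40 in the sample) stays unflagged, while 10.1.1.25 is reported with six distinct targets.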