On Thu, Aug 28, 2014 at 8:40 PM, Daniel Chenault <[email protected]> wrote:
> My first step would be to scan my machine for malware.

  Everything here runs Trend OfficeScan real-time, and does a full
scan once a week.  Nobody runs with admin rights for day-to-day.
Software Restriction Policies deny execute to most user-writable
locations, including most everything under <C:\Users>.  Our email
filters trap any executable of any kind (by signature, not name).  Our
web filter tries to block executables from being downloaded (efficacy
is an open question).  AutoRun is completely disabled via registry
redirection.  Windows Updates are forced via WSUS.  We update apps via
GPO/MSI when possible.

  While I will *never* rule out a malware compromise, and we do have
some weaknesses (as do all), we're in a better position than most.

> After that I'd get a known good machine on my network segment
> running WireShark, set as large a buffer as possible and let it run.
> When the fault occurs I've caught it and can examine from there.

  Hmmm.  I've been assuming it's of machine-local origin, but it's a
good point that it might actually be triggered by something on the
network.  I can set up another PC with a sniffer, and mirror my switch
port to that.  Wireshark does have a circular buffer feature.

  I'll keep that in mind and give it a shot if nothing better comes along soon.

  Thanks...

-- Ben
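An added audit script, not from this thread or from Ben's environment, that checks the controls Ben lists (AutoRun disabled by registry redirection, Software Restriction Policies, WSUS enforcement, non-admin sessions) on a Windows host. It assumes the controls were applied through the standard policy registry locations; adjust the paths if your GPOs write elsewhere.

```powershell
# Added example: audits the defensive baseline described in the reply.
# Assumes standard policy registry paths (an assumption, not from the thread).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HardeningBaseline {
    $checks = @()

    # AutoRun "registry redirection": mapping Autorun.inf to a non-existent
    # INI section means Explorer never reads it from any removable media.
    $iniMap = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf' '(default)'
    $checks += [pscustomobject]@{ Control='AutoRun IniFileMapping'; Pass=($iniMap -eq '@SYS:DoesNotExist'); Value=$iniMap }

    # Belt and braces: NoDriveTypeAutoRun 0xFF disables AutoRun for all drive types.
    $ndta = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $checks += [pscustomobject]@{ Control='NoDriveTypeAutoRun'; Pass=($ndta -eq 0xFF); Value=$ndta }

    # SRP: either deny-by-default (DefaultLevel 0) or Unrestricted (0x40000)
    # with explicit Disallowed path rules covering user-writable locations.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = Get-RegValue $safer 'DefaultLevel'
    $denyRules = (Get-ChildItem "$safer\0\Paths" -ErrorAction SilentlyContinue | Measure-Object).Count
    $checks += [pscustomobject]@{ Control='SRP in effect'; Pass=($level -eq 0 -or $denyRules -gt 0); Value="DefaultLevel=$level DenyPathRules=$denyRules" }

    # WSUS: updates must be sourced from the internal server, not Microsoft directly.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $server = Get-RegValue $wu 'WUServer'
    $useWu  = Get-RegValue "$wu\AU" 'UseWUServer'
    $checks += [pscustomobject]@{ Control='WSUS enforced'; Pass=([bool]$server -and $useWu -eq 1); Value="$server / UseWUServer=$useWu" }

    # Least privilege: the interactive session should not hold local admin rights.
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $checks += [pscustomobject]@{ Control='Non-admin session'; Pass=(-not $isAdmin); Value="IsAdmin=$isAdmin" }

    return $checks
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Any row with Pass=False is a control the host believes it has but does not actually enforce, which is exactly the kind of gap to close before assuming the fault is not malware.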

