A common way viruses get past protections is by users plugging in portable storage devices like USB drives. If that's the case, OSSEC couldn't block that because OSSEC can only respond to events *after* they happen.
You could, however, detect more quickly when an infection occurs and take an action like quarantining the node. You could set up a test PC in a lab on an isolated network running the OSSEC agent, then infect the machine and see what system changes it makes. From this, you could create custom rules that target this infection more precisely and tie those rules to an active response script that, for example, shuts down the PC or sets the firewall to block everything. Have it kick off an email to you; then you could check with the user immediately to see what they did.

--
Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
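The quarantine step described above, as an added example that is not part of the original post or of the OSSEC project's bundled scripts: an OSSEC active-response script that, when a custom rule fires, sets the local iptables policy to drop everything except traffic to and from the OSSEC manager, so the alert still reaches you. OSSEC calls active-response scripts with the arguments ACTION USER SRC_IP ALERT_ID RULE_ID; the rule id 100100, the manager address 192.0.2.10, the dropped-file path used as the indicator, and the `DRY_RUN`/`AR_LOG` variables are assumptions chosen for this example. The ossec.conf and local_rules.xml fragments that wire it up are shown in the script's header comment.

```shell
#!/bin/sh
# host-quarantine.sh: OSSEC active-response script (added example, not part of
# the original post). OSSEC invokes active-response scripts as
#   script ACTION USER SRC_IP ALERT_ID RULE_ID
# with ACTION "add" when the rule fires and "delete" when a timeout expires.
#
# Wiring, assumed to go in /var/ossec/etc/ossec.conf on the agent (rule id
# 100100 is a placeholder):
#
#   <command>
#     <name>host-quarantine</name>
#     <executable>host-quarantine.sh</executable>
#     <expect></expect>
#     <timeout_allowed>no</timeout_allowed>
#   </command>
#   <active-response>
#     <command>host-quarantine</command>
#     <location>local</location>
#     <rules_id>100100</rules_id>
#   </active-response>
#
# and the custom rule in /var/ossec/rules/local_rules.xml on the manager,
# keyed to a file the lab infection was observed to write (placeholder path;
# 550/554 are OSSEC's stock syscheck "checksum changed"/"file added" rules):
#
#   <group name="local,syscheck,">
#     <rule id="100100" level="12">
#       <if_sid>550,554</if_sid>
#       <match>/usr/local/bin/dropped-binary</match>
#       <description>Indicator from lab infection: known-bad file written</description>
#     </rule>
#   </group>

LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
MANAGER="${OSSEC_MANAGER:-192.0.2.10}"   # placeholder manager address (assumption)
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints commands instead of running them

# Emit the iptables commands for an action, one per line. "add" flushes the
# tables, keeps the OSSEC manager (1514/udp) reachable so the alert and any
# follow-up still get through, and drops everything else; "delete" reopens
# the host. Unknown actions return non-zero.
build_quarantine_cmds() {
    action="$1"
    case "$action" in
        add)
            printf '%s\n' \
              "iptables -F" \
              "iptables -A INPUT -i lo -j ACCEPT" \
              "iptables -A OUTPUT -o lo -j ACCEPT" \
              "iptables -A OUTPUT -d $MANAGER -p udp --dport 1514 -j ACCEPT" \
              "iptables -A INPUT -s $MANAGER -p udp --sport 1514 -j ACCEPT" \
              "iptables -P INPUT DROP" \
              "iptables -P OUTPUT DROP" \
              "iptables -P FORWARD DROP"
            ;;
        delete)
            printf '%s\n' \
              "iptables -P INPUT ACCEPT" \
              "iptables -P OUTPUT ACCEPT" \
              "iptables -P FORWARD ACCEPT" \
              "iptables -F"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run every command produced for the action, or print them in dry-run mode.
apply_quarantine() {
    action="$1"
    build_quarantine_cmds "$action" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            # shellcheck disable=SC2086  # intentional word splitting of the command line
            $cmd
        fi
    done
}

main() {
    action="$1"; user="$2"; ip="$3"; alert_id="$4"; rule_id="$5"
    # Same one-line audit trail the bundled OSSEC scripts write.
    echo "$(date) $0 $action $user $ip $alert_id $rule_id" >> "$LOG"
    apply_quarantine "$action"
}

# Only act when invoked the way OSSEC invokes active-response scripts.
case "${1:-}" in
    add|delete) main "$@" ;;
esac
```

Test it first with `DRY_RUN=1 sh host-quarantine.sh add - - 1 100100` on the lab PC; the policy DROP lines come last so that, if the script is interrupted, the host is never left with the manager unreachable but not yet isolated. Pair the active-response block with an `<email_alerts>` entry on the manager for level 12 so the same alert that quarantines the node also emails you.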
