Thanks Bart I did find the executable and did the policy great idea and thanks Russell for original idea that worked, is everyone using locked down local accounts how do you manage software that thinks they need this access and is there software to help setup local restrictions but still allow software access thanks everyone after a month of work(well plus usually pc and admin stuff) I am regaining control. Good fuel to start locking down stuff and hopefully some sans training or m/aybe better microsoft forefront training.thanks again. TR
On Sep 2, 2010 5:39 PM, <[email protected]> wrote: > If you know the name of the executable files, you may be able to use a software restriction policy in active directory to kill or limit the virus. > > Try to determine the infection mechanism. Don't forget to check any backup media, usb keys, etc to prevent reinfection. > > If you can isolate infected hosts as Russell mentioned, it will make it easier. > > As far as prevention, make sure the users are running with least user privileges, remove unneeded software from the machines, keep ALL software patched not just MS products (removal of unneeded software makes this easier), disable unneeded services, use different administrator passwords for each local machine if possible (to stop worms and pass the hash), segment critical machines (911) from web surfing machines on the network, etc. *user education *. Use this episode to illustrate the risks. (do you really want someone to die because 911 is down because you infected your machine playing Farmville?) > > Good luck! > > Bart > Sent from my Verizon Wireless BlackBerry > > -----Original Message----- > From: Tyler Robinson <[email protected]> > Sender: [email protected] > Date: Thu, 2 Sep 2010 13:24:11 > To: PaulDotCom Security Weekly Mailing List<[email protected] > > Reply-To: PaulDotCom Security Weekly Mailing List > <[email protected]> > Subject: Re: [Pauldotcom] LAN Virus outbreak Procedures > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
