Warning, variant C is not being caught by tools that were out even this morning. You need to get today's definitions and version 4 of tools.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory O'Strander
> Sent: Thursday, August 14, 2003 11:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SonicWALL]- Cache Full
>
> Funny (or not), but I had a 'RPC Crash - Windows will shut down in 60
> seconds' (something similar) last night, and I am behind a SW Tele3 with
> no other computers on my LAN (none on at the time) and deny all services
> from the WAN, yet I still got what looked like blaster. I know I was
> patched to the gills, and I have since run Full system scans, checked
> the system dir', registry, etc. and am completely (known) virus free.
> I've even run several removal tools to verify - nothing shows.
>
> Since I'm not exactly sure what the warning is supposed to really look
> like, I'm wondering if I maybe saw a Pop-up of some sort designed to
> spoof the virus infection. I know that the RPC warning was through a
> window - cause I accidentally expanded it to full screen - prior to
> closing it before the 60 seconds finished.
>
> Again, not sure how the virus should have behaved...
>
> Any ideas???
>
> Q. Would:
>
> " DENY * > * 'RPC Service' " be as effective as the (2) below rules -
> in one rule, or should they be separated into LAN and WAN rules like
> below?
>
> Thanks,
>
> Greg
>
> -----Original Message-----
> From: Darrell Shandrow [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 14, 2003 9:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SonicWALL]- Cache Full
>
> Hi David,
>
> I don't think that first rule, deny * > RPC, should be necessary since
> everything is already denied inbound from the WAN unless it has already
> been opened in the state table from inside the LAN. The second rule
> could sure help if something in your LAN has somehow gotten infected.
> The question is, how could that happen? One possible answer that does
> not point to the SonicWALL could be the connection of laptops that are
> also connected to unprotected networks in other locations, such as when
> dialing up from remote locations or on an unprotected home network.
>
> Darrell Shandrow - Shandrow Communications!
> Technology consultant/instructor, network/systems administrator!
> A+, CCNA, Network+!
> Check out high quality telecommunications services at
> http://ld.net/?nu7i
> All the best to coalition forces carrying out Operation Iraqi Freedom!
>
> ----- Original Message -----
> From: "David McRell" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 13, 2003 8:57 PM
> Subject: Re: [SonicWALL]- Cache Full
>
> > OK. Now I've got rules.
> >
> > DENY * > WAN 'RPC Service'
> > DENY WAN > * 'RPC Service'
> >
> > Consider that my existing rules deny ALL incoming WAN connections
> > except for a few IPs and small ranges. Goes to show that was not an
> > effective defense.
> > Now I realize that to deny all ports except the ones we need is
> > impossible - or is it?
> >
> > This Microsoft Windows might really catch on someday. :-)
> >
> > on 8/11/2003 12:42 PM, David McRell at [EMAIL PROTECTED] wrote:
> >
> > > Hello, SW List.
> > >
> > > Has anyone seen this, yet?
> > >
> > > 'The cache is full; 3072 open connections; some will be dropped'
> > >
> > > I guess I'm wondering about new exploits. A PC running XP Pro was
> > > generating lots of outgoing connections to port 135 when this
> > > happened. The destination addresses all resided within
> > > 93.130.0.0/16.
> >
> > --
> > David McRell
> >
> > ---
> > [This E-mail scanned for viruses by Declude/F-Prot AV]
> >
> > ===============================================================
> > To unsubscribe, send email to [EMAIL PROTECTED] In the body of the
> > email put the following: unsubscribe sonicwall your_name
> > The archive of this list is at
> > http://www.mail-archive.com/sonicwall%40peake.com/
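
The symptom reported at the bottom of the thread (one LAN host opening many outbound connections to port 135 until the firewall's connection cache fills) can be spotted from connection records before the cache is exhausted. The following is an added example, not part of the original thread and not SonicWALL code; the `src dst dport` record format, the 192.168.1.0/24 LAN range and the 25-target threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

def make_sample():
    """Constructed records in a hypothetical 'src dst dport' format (not SonicWALL log syntax)."""
    # One LAN host contacting 40 distinct addresses in 93.130.0.0/16 on TCP/135
    lines = [f"192.168.1.50 93.130.{i // 20}.{i % 20 + 1} 135" for i in range(40)]
    lines += [
        "192.168.1.10 203.0.113.5 80",
        "192.168.1.10 203.0.113.5 443",
        "192.168.1.20 198.51.100.7 135",  # a single RPC connection, not a sweep
        "garbage line",                   # malformed record, must be skipped
    ]
    return lines

def parse(line):
    """Return (src, dst, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return (ipaddress.ip_address(parts[0]),
                ipaddress.ip_address(parts[1]),
                int(parts[2]))
    except ValueError:
        return None

def rpc_sweepers(lines, lan="192.168.1.0/24", port=135, min_targets=25):
    """Map each LAN source to its distinct off-LAN targets on `port`, keeping only
    sources that reached at least `min_targets` different addresses."""
    lan_net = ipaddress.ip_network(lan)
    targets = defaultdict(set)
    for rec in map(parse, lines):
        if rec is None:
            continue
        src, dst, dport = rec
        if dport == port and src in lan_net and dst not in lan_net:
            targets[src].add(dst)
    return {str(s): t for s, t in targets.items() if len(t) >= min_targets}

def common_prefix(addrs, prefixlen=16):
    """Return the one /prefixlen network holding every address, or None if they span several."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    return str(nets.pop()) if len(nets) == 1 else None

if __name__ == "__main__":
    for host, dsts in rpc_sweepers(make_sample()).items():
        print(host, len(dsts), "targets on TCP/135, all within", common_prefix(dsts))
```

Counting distinct destinations rather than raw connections keeps a host that talks RPC to one server from being flagged alongside a host that is sweeping an address range.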
