Re: GFI Download Security

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jun 2004 08:01:17 -0700

Actually, you don't even have to be web response-specific.
Any Internet-based site delivering a header or URL-style element containing:
 "C:\"
 "ms-its:"

... deserves to be blocked.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "David Farinic" <davidf@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, June 08, 2004 07:27
Subject: [isalist] Re: GFI Download Security


http://www.ISAserver.org



To add a fresh example to my previous reply post:


There is a new 0-day exploit used by more adware/spyware... == malware.
If you have DownloadSecurity 6, it blocks it.

ISA 2004 users without DownloadSecurity can use the HTTP header checking feature to
block this malicious code.

Check if a 302 reply is found with the strings "ms-its:" and
"Help\iexplore.chm" in the HTTP header.

Then block this connection.

This is reply from webserver you have to block:

====

HTTP/1.1 302 Found
Via: 1.0 ISASERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 4
Date: Tue, 08 Jun 2004 08:00:49 GMT
Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
Content-Type: text/html
Server: Resin/2.1.11

====


"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm" shouldn't
pass through, otherwise this exploit works (Location
should not point to your disk).

If your clients run WinXP with SP2 they will not be affected if it passes
through ISA.


Regards David Farinic
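A proxy-side check that implements both rules from this thread, David's narrow one (a 302 whose Location carries "ms-its:" and "Help\iexplore.chm") and Jim's broader one (any header value carrying "C:\" or "ms-its:"). This is an added example, not code from the list post, from ISA Server or from GFI; the sample responses are constructed here from the headers quoted above, and the variant with a different CHM name uses a placeholder path.

```python
"""Detector for the ms-its: redirect discussed on the list.

Added example (not from ISA Server, GFI, or the post). It parses a raw HTTP
response and reports whether it should be blocked under David's narrow rule
or Jim's broader rule. All sample responses below are constructed.
"""
import re

# David's rule: both strings must appear in the Location of a 302.
NARROW_MARKERS = ("ms-its:", "help\\iexplore.chm")
# Jim's rule: either string anywhere in any header value is enough.
BROAD_MARKERS = ("ms-its:", "c:\\")


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than fail open
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def narrow_check(raw: str) -> bool:
    """David's ISA 2004 header check: 302 + ms-its: + Help\\iexplore.chm."""
    status, headers = parse_response(raw)
    if status != 302:
        return False
    loc = headers.get("location", "").lower()
    return all(marker in loc for marker in NARROW_MARKERS)


def broad_check(raw: str) -> bool:
    """Jim's rule: block if any header value points at a local drive or CHM."""
    _, headers = parse_response(raw)
    return any(
        marker in value.lower()
        for value in headers.values()
        for marker in BROAD_MARKERS
    )


def should_block(raw: str) -> bool:
    """Block if either rule fires."""
    return narrow_check(raw) or broad_check(raw)


# Constructed from the response David quoted (CRLF line endings restored).
MALICIOUS = (
    "HTTP/1.1 302 Found\r\n"
    "Via: 1.0 ISASERVER\r\n"
    "Connection: Keep-Alive\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Content-Length: 4\r\n"
    "Date: Tue, 08 Jun 2004 08:00:49 GMT\r\n"
    "Location: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n"
    "Content-Type: text/html\r\n"
    "Server: Resin/2.1.11\r\n"
    "\r\n"
)

# Constructed ordinary redirect: neither rule should fire.
BENIGN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.isaserver.org/pages/newsletter.asp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed variant with a placeholder CHM name: David's exact-string rule
# misses it, Jim's broader rule still catches it.
VARIANT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: ms-its:C:\\PLACEHOLDER.chm::/x.htm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("benign", BENIGN), ("variant", VARIANT)):
        print(label, "narrow=%s broad=%s block=%s"
              % (narrow_check(sample), broad_check(sample), should_block(sample)))
```

The narrow rule is what the thread describes configuring in the ISA 2004 header filter; the broad rule shows Jim's point that matching the scheme and drive letter, rather than one exact CHM path, covers more than the single sample response.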



________________________________________
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Thursday, 20 May 2004 5:38 p.m.
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security


Thanks,

I seriously think this is something worth looking into. It is probably our
#1 or #2 issue right now. It can take up to a few hours to clean a system
from all the crap these (*&#$@(*& install. It is extremely prevalent on
home PCs along with all the spyware. I am also working with the local
school district to find a solution for their systems as well. They are
having a hell of a time keeping their machines clean.


Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, May 19, 2004 4:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: GFI Download Security


Hi Ray,

That's a good question. I haven't researched yet what methods are used to
install scumware on users' computers. I'm sure a variety of methods are
used. I plan to do this if/when I update the application layer filtering kit
to ISA 2004. I'm sure it's as easy as blocking extensions and content
types, but the devil is always in the details.

Tom

