I have been checking our packet filter logs and am seeing TONS of traffic like this: The Source IP is one of the addresses on the public NIC in the ISA box. Source Destination Protocol Param#1 Param#2 64.175.22.129 66.216.74.58 Udp 1344 137 64.175.22.129 66.216.74.58 Udp 1343 137 In the Microsoft bulletin it says to block the following at the firewall: UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 I ran the checker from the MS site yesterday on my ISA box, and it said I did not have the Sasser worm. Everybody else is behind the firewall. I also ran the script from ISATools on my ISA box too. Thoughts? Thanks. Mike Malter (415) 479-1968 Office (415) 309-4637 Mobile (415) 462-2941 FAX