Hi Raji, You don't even need to use URLScan to block those. I'm sure you are not using "www" in your Destination Sets, and you would never use IP addresses in your Web Publishing Rule Destination Sets, so you're not going to be whacked by those and they should never appear in your Web server log, only in the Web Proxy log. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx] Sent: Tuesday, February 25, 2003 5:45 PM To: [ISAserver.org Discussion List] Subject: [isalist] Feature Pack 1 - URLScan http://www.ISAserver.org Hi What needs adding to the URLSCAN.ini file to catch these attacks.?? 217.96.188.1 anonymous - N 2003-02-25 23:33:19 w3proxy CELERIS - www - - - 96 3551 http TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir - - 502 - - - I have added these various combinations '.exe?' , '?/' , '/c+' to the ini file, but non seem to catch this. I want to remove this so it does not clog up my iis server logs. Any clues.???? --------------------------------------------- Raji Arulambalam Systems Administrator Environment Bay of Plenty P O Box 364 Whakatane. NEW ZEALAND -------------------------------------------- ****************************************************** This e-mail has been checked for viruses and no viruses were detected. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')