One of the drawbacks to the ISA 2000 design was the decision to "trust" the internal network. You need to clean up your infected machines, because there's no policy you can set on the ISA to cause it to ignore this traffic; it MUST be evaluated... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Alfredo" <agms@xxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Thursday, May 20, 2004 09:48 Subject: [isalist] ISA Server attacked by DOS from Bobax. http://www.ISAserver.org I have an ISA Server 2000 fully updated with Windows Server 2003 and Antivirus fully updated, but some of the PCs in the internal network became infected with Bobax.C and generate a lot of traffic on ports 5000,135,445 which causing the ISA Server to block access to the Internet. The Server by itself can navigate but any user in the internal net can not. I tried blocking traffic from this ports using a port access rule denying traffic with these ports as destination, but still get wacked by the virus traffic. With only one PC with the virus active, the server won't let anyone to navigate. I wonder if this is normal behaviour of the ISA Server or I missing something. Any help would be greatly appreciated. Regards, Alfredo Medina Universidad Francisco Marroquin Guatemala ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')