Sounds like another case of blame the product rather than the person that failed to keep the anti-virus software up to date. I speak from experience here. I had to cure a Nachi infected network because the admin of that company thought that servers didn't need anti-virus software as long as all the workstations had it installed. (I'm sure you can see this coming.) All it took was one outside sales guy notebook that didn't update its virus definitions to infect all of the servers and annoy the rest of the workstations. It was money for me. But there too, the admin was stumped as to why the firewall alarm kept going off. Gee. Amy -----Original Message----- From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Wednesday, November 19, 2003 4:33 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Nachi http://www.ISAserver.org It is ICMP. Just because you are blocking it outbound does not stop the infected computer from trying to go out. Ever here of DOS? This is what it is doing. John Tolmachoff Engineer/Consultant/Owner eServices For You -----Original Message----- From: Phill Hardstaff [mailto:phillh@xxxxxxx] Sent: Wednesday, November 19, 2003 1:16 PM To: [ISAserver.org Discussion List] Subject: [isalist] Nachi http://www.ISAserver.org Can anyone tell me why the Nachi worm brings my ISA firewall to it's knees, I have ICMP disabled outgoing but as soon as I get a machine behind the firewall with Nachi on it the firewall service goes to 100%, the server looks like it's dead but it's not, disconnect the internal NIC and it comes back to life straight way, even if I disable my DNS server (behind the firewall) it still stays at 100%, so it's not ICMP and it's not DNS, so what is it and more importantly how come ISA chokes on it so easily ? I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link but yesterday I had 2 infected machines behind the firewall connected over a 128Kb link taking the firewall service to 100% ?? I have even turned off logging and anything else that might use up CPU, still the same happens. I am seriously considering changing firewalls. Cheers Phill Phill Hardstaff MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc. Senior Support Engineer Secretariat of the Pacific Community B.P. D5 Noumea Cedex - 98848 New Caledonia Phone +687-260141 Mobile +687 838091 Fax +687-263818 Email phillh@xxxxxxx SPC Web Page http://www.spc.int/ Personal Web Page http://www.hardstaff.com/ Personal Email Phill@xxxxxxxxxxxxx Personal Fax +1 (603) 299-5640 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')