I'd agree and say to get a spy detection package. PestPatrol is good and works well. Not the cheapest thing in the world but that's all relative to your company and the severity of the problem. If it's only one or two spywarez (and relatively few clients) maybe getting the instructions to manually remove them from the clients and try that. Then block the heck out of their sites, like the one you mentioned below (see http://www.thiefware.com/whenu/ for more info on WhenU). Some spywarez/adwarez are kind enough to put an entry in Add/Remove programs to get rid of their crap. With others you have to do some serious registry hacking. Depends on the Problems that I see with installing ISA in integrated mode in your scenario: 1) You already have it in cache mode. You'd need to go through the motions of the reinstall. If you already have a different firewall in place this could also create a more complicated environment as ISA in Integrated mode has a lot more to do than when it's in Cache only mode. 2) Your logs are not going to reduce in size and the traffic is not going to reduce. If you've still got the traffic you may be blocking the services ok, but if one of your problems is huge logs you're not going to alleviate this by just blocking traffic. Only way to do that is to remove the problem. Same with traffic. If your firewall is just dropping packets then the traffic's still there, it's just not getting through the firewall. Best to get rid of the culprit(s). In addition, enforce policy. Much as it stinks sometimes, make an example out of someone. This stuff doesn't happen near as much if someone isn't screwing around doing something they're not supposed to. -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CIT1.1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-2855 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: LOPEZ SIGNORIS Ofelia TECSIS [mailto:olopezsignoris@xxxxxxxxxx] Sent: Monday, July 28, 2003 11:04 AM To: [ISAserver.org Discussion List] Subject: [isalist] Spy Traffic http://www.ISAserver.org Hello, I have ISA Server in cache mode. Since the implementation, 2 months ago, we've have several problems with spy traffic. We found lot of traffic to whenu.com (specially to the url http://www.whenu.com/versions.html <http://www.whenu.com/versions.html> ). It produces network congestion, hugh logs, and problems in LSASS.EXE that is the process that receives so many authentication requests to connect to this site. I've asked Microsoft and they recommend to cut off the problem from the root, that is, installing some spy detection software, (like PestPatrol). Another suggestion was to implement ISA in integrated mode, and configuring rules to drop this kind of packets. Have you ever experimented any problems of this type? Which is the best way to solve this problem from the root? Thanks a lot, ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')