RE: Spy Traffic

  • From: "Quillman Shawn (RBNA/CIT1.1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jul 2003 10:41:47 -0500

I'd agree and say to get a spy detection package.  PestPatrol is good and
works well.  Not the cheapest thing in the world but that's all relative to
your company and the severity of the problem.  If it's only one or two
spywarez (and relatively few clients) maybe get the instructions to
manually remove them from the clients and try that.  Then block the heck out
of their sites, like the one you mentioned below (see
http://www.thiefware.com/whenu/ for more info on WhenU).  Some
spywarez/adwarez are kind enough to put an entry in Add/Remove programs to
get rid of their crap.  With others you have to do some serious registry
hacking.  Depends on the

Problems that I see with installing ISA in integrated mode in your scenario:
1) You already have it in cache mode.  You'd need to go through the motions
of the reinstall.  If you already have a different firewall in place this
could also create a more complicated environment as ISA in Integrated mode
has a lot more to do than when it's in Cache only mode.
2) Your logs are not going to reduce in size and the traffic is not going to
reduce.  If you've still got the traffic you may be blocking the services
ok, but if one of your problems is huge logs you're not going to alleviate
this by just blocking traffic.  Only way to do that is to remove the
problem.  Same with traffic.  If your firewall is just dropping packets then
the traffic's still there, it's just not getting through the firewall.  Best
to get rid of the culprit(s).

In addition, enforce policy.  Much as it stinks sometimes, make an example
out of someone.  This stuff doesn't happen near as much if someone isn't
screwing around doing something they're not supposed to.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx
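
Shawn's point is that dropping the packets at the firewall leaves the traffic and the log volume where they are; the infected clients have to be found and cleaned. An added example (not code from either post) of how to pull that client list out of the proxy's W3C-extended-format logs, which is the format ISA Server writes: it parses the `#Fields` directive, counts requests per client to a watched domain and its subdomains, and separately counts HTTP 407 (Proxy Authentication Required) responses, on the assumption that the authentication churn Ofelia describes shows up as repeated 407s. The field list in the `#Fields` header is an assumption chosen for the example rather than ISA Server's exact field set, and the log lines are constructed.

```python
"""Rank internal clients by how often they hit a known spyware/adware host,
from W3C-extended-format proxy logs (the format ISA Server writes).

Added example for this thread, not code from either post. The #Fields
list below is an assumption chosen for the example, not ISA Server's
exact field set, and the log lines are constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log. r-host is the destination host, sc-status the
# HTTP status the proxy returned to the client.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: c-ip cs-username date time r-host cs-uri sc-status cs-bytes
10.1.2.17 asmith 2003-07-28 09:00:01 www.whenu.com http://www.whenu.com/versions.html 407 512
10.1.2.17 asmith 2003-07-28 09:00:01 www.whenu.com http://www.whenu.com/versions.html 407 512
10.1.2.17 asmith 2003-07-28 09:00:02 www.whenu.com http://www.whenu.com/versions.html 407 512
10.1.2.17 asmith 2003-07-28 09:00:02 www.whenu.com http://www.whenu.com/versions.html 200 1834
10.1.2.40 bjones 2003-07-28 09:00:05 www.example.com http://www.example.com/ 200 4096
10.1.2.40 bjones 2003-07-28 09:00:09 www.whenu.com http://www.whenu.com/versions.html 200 1834
10.1.2.55 - 2003-07-28 09:00:11 cdn.whenu.com http://cdn.whenu.com/x.gif 407 512
10.1.2.55 - 2003-07-28 this line is malformed and must be skipped
10.1.2.40 bjones 2003-07-28 09:00:15 www.example.com http://www.example.com/a 304 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the latest #Fields directive.

    Lines whose field count does not match the directive are skipped rather
    than mis-attributed to the wrong columns.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Date, ...
        if fields is None:
            raise ValueError("data line appeared before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def host_matches(host, watch):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watch)


def spyware_hits_by_client(text, watch_hosts):
    """Map client IP -> Counter of HTTP status codes for requests to watched hosts."""
    watch = {w.lower().lstrip(".") for w in watch_hosts}
    per_client = defaultdict(Counter)
    for rec in parse_w3c(text):
        host = rec.get("r-host", "")
        if not host or host == "-":
            # Fall back to the host part of the requested URL.
            host = urlsplit(rec.get("cs-uri", "")).hostname or ""
        if host_matches(host, watch):
            per_client[rec["c-ip"]][rec.get("sc-status", "-")] += 1
    return per_client


def rank_clients(text, watch_hosts, auth_status="407"):
    """Return [(client_ip, total_hits, auth_challenges)] sorted by hits, descending.

    auth_challenges counts responses with the given status; 407 (Proxy
    Authentication Required) is the assumed signature of the authentication
    churn described in the thread.
    """
    rows = []
    for client, statuses in spyware_hits_by_client(text, watch_hosts).items():
        rows.append((client, sum(statuses.values()), statuses.get(auth_status, 0)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for client, total, auth in rank_clients(SAMPLE_LOG, ["whenu.com"]):
        print(f"{client:15} hits={total:4d} proxy-auth-challenges={auth}")
```

Run against a real log export, the top of the list is the set of machines to clean first; a client with a high 407 count and few 200s is the pattern to look for when the complaint is authentication load rather than bandwidth.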


-----Original Message-----
From: LOPEZ SIGNORIS Ofelia TECSIS [mailto:olopezsignoris@xxxxxxxxxx]
Sent: Monday, July 28, 2003 11:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Spy Traffic


http://www.ISAserver.org


Hello,

I have ISA Server in cache mode. Since the implementation, 2 months ago,
we've had several problems with spy traffic. We found a lot of traffic to
whenu.com (especially to the URL http://www.whenu.com/versions.html). It
produces network congestion, huge logs, and problems in LSASS.EXE, which is
the process that receives so many authentication requests to connect to
this site.

I've asked Microsoft and they recommended cutting off the problem at the
root, that is, installing some spy detection software (like PestPatrol).
Another suggestion was to implement ISA in integrated mode and configure
rules to drop this kind of packets.

Have you ever experienced any problems of this type? What is the best way
to solve this problem at the root?

Thanks a lot,

