RE: Spy Traffic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jul 2003 10:51:13 -0500

Hi Shawn,

We use PestPatrol and it's pretty good. I understand they'll be coming
out with an enterprise management system for it in the near future. That
will help quite a bit.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) *
[mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Monday, July 28, 2003 10:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Spy Traffic


http://www.ISAserver.org



I'd agree and say to get a spy detection package.  PestPatrol is good
and works well.  Not the cheapest thing in the world but that's all
relative to your company and the severity of the problem.  If it's only
one or two spywarez (and relatively few clients) maybe getting the
instructions to manually remove them from the clients and try that.
Then block the heck out of their sites, like the one you mentioned below
(see http://www.thiefware.com/whenu/ for more info on WhenU).  Some
spywarez/adwarez are kind enough to put an entry in Add/Remove programs
to get rid of their crap.  With others you have to do some serious
registry hacking.  Depends on the 

Problems that I see with installing ISA in integrated mode in your
scenario:
1) You already have it in cache mode.  You'd need to go through the
motions of the reinstall.  If you already have a different firewall in
place this could also create a more complicated environment as ISA in
Integrated mode has a lot more to do than when it's in Cache only mode.
2) Your logs are not going to reduce in size and the traffic is not
going to reduce.  If you've still got the traffic you may be blocking
the services ok, but if one of your problems is huge logs you're not
going to alleviate this by just blocking traffic.  Only way to do that
is to remove the problem.  Same with traffic.  If your firewall is just
dropping packets then the traffic's still there, it's just not getting
through the firewall.  Best to get rid of the culprit(s).

In addition, enforce policy.  Much as it stinks sometimes, make an
example out of someone.  This stuff doesn't happen near as much if
someone isn't screwing around doing something they're not supposed to.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: LOPEZ SIGNORIS Ofelia TECSIS [mailto:olopezsignoris@xxxxxxxxxx]
Sent: Monday, July 28, 2003 11:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Spy Traffic




Hello,

I have ISA Server in cache mode. Since the implementation, 2 months ago,
we've had several problems with spy traffic. We found a lot of traffic
to whenu.com (especially to the url http://www.whenu.com/versions.html).
It produces network congestion, huge logs, and problems in LSASS.EXE
that is the process that receives so many authentication requests to
connect to this site.

I've asked Microsoft and they recommend to cut off the problem from the
root, that is, installing some spy detection software, (like
PestPatrol). Another suggestion was to implement ISA in integrated mode,
and configuring rules to drop this kind of packets.

Have you ever experienced any problems of this type? Which is the best
way to solve this problem from the root?

Thanks a lot,


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
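
Added example, not part of the original thread or any poster's code: the thread's advice is to remove the spyware from the clients rather than only block it, so this sketch ranks which client addresses generate the whenu.com requests in a proxy log and what share of the log they account for. It assumes a W3C extended format log with a `#Fields:` header; the field names `c-ip` and `r-host` and all sample lines are constructed assumptions.

```python
from collections import Counter

# Constructed sample, not taken from the thread. Assumed layout: W3C extended
# log format with a "#Fields:" header; the field names are assumptions.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: c-ip date time r-host cs-uri sc-status
10.0.0.21 2003-07-28 10:01:02 www.whenu.com http://www.whenu.com/versions.html 407
10.0.0.21 2003-07-28 10:01:03 www.whenu.com http://www.whenu.com/versions.html 200
10.0.0.34 2003-07-28 10:01:05 www.isaserver.org http://www.isaserver.org/ 200
10.0.0.57 2003-07-28 10:01:09 WWW.WHENU.COM http://www.whenu.com/versions.html 407
10.0.0.34 2003-07-28 10:02:11 notwhenu.com http://notwhenu.com/ 200
10.0.0.21 2003-07-28 10:02:40 whenu.com http://whenu.com/ 200
truncated line
"""

def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def host_matches(host, domain):
    """True for the domain itself or a subdomain, not for look-alike suffixes."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def clients_contacting(rows, domain):
    """Return ([(client_ip, hits), ...] busiest first, share of all requests)."""
    hits, total = Counter(), 0
    for row in rows:
        total += 1
        if host_matches(row.get("r-host", ""), domain):
            hits[row["c-ip"]] += 1
    share = sum(hits.values()) / total if total else 0.0
    return hits.most_common(), share

def report(log_text=SAMPLE_LOG, domain="whenu.com"):
    return clients_contacting(parse_w3c(log_text), domain)

if __name__ == "__main__":
    ranked, share = report()
    for ip, count in ranked:
        print(f"{ip}\t{count} requests")
    print(f"{share:.0%} of logged requests went to whenu.com")
```

The ranked addresses are the machines to clean first; the share figure shows how much of the log volume disappears once they are.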
