Re: Sweet mother of Pete........


From: Dave Nickason [SBS MVP] (gwdibble_at_NOSPAM.frontiernet.net)
Date: 03/03/04


Date: Wed, 3 Mar 2004 15:43:50 -0500

I use eTrust AV 7 (probably a newer version of what you're running). Not
that it's any comfort to you, but I did a similar thing to myself a few
weeks ago with a newly released trojan. I got an e-mail that appeared to be
from a trusted source, and at a time when I would have expected it. I saved
the zip file attachment to my desktop and virus scanned it. Extracted it
and scanned it again. Double-clicked it and nothing happened, so I knew I
was in trouble. While I was researching it, CA released an updated
signature file, which caught it immediately upon installation. FYI, the
file was named something not unusual, followed by .htm, followed by a whole
bunch of spaces, followed by .pif. The pif extension was not visible
because of all the spaces - it just appeared on the screen as whatever.htm.

You should check all of your realtime options. For one thing, set realtime
to scan incoming and outgoing files - CA has an explanation for this that I
can't remember right now, but they no longer even offer the option to scan
incoming only. I have the server set to check for updates every
even-numbered hour, and the workstations to check half an hour later. In
the new version, the computers also check for updates at startup. This is
great because updates are usually released late in the afternoon. The
server picks them up then. If anyone is gone for the day when the update
happens, they get updated immediately whenever they next log in. Also, the
current version Exchange option scans outgoing messages as well as incoming
(not sure how this works if something has its own SMTP engine, though).

You might consider contacting CA to get a price on the open license version
upgrade to the newest version. With OL, you just buy a license for each
server and workstation. It covers all the add-ons like Exchange Server. If
I remember right, it'll cost you about $15 per license, so if you have 20
users your total cost would be $300. I like the maintenance option, which
is a little extra money but covers all support and upgrades.

"IBC" <spamityspam@spam.spam> wrote in message
news:eXI%23%23TVAEHA.1452@TK2MSFTNGP09.phx.gbl...
> .......it's finally happened. Almost 9 years without incident ends today.
> Our network was compromised.....by one of my own users.
>
> Despite the enormous 2x6 I have swung threateningly, one of my users
> opened a *.PIF file this morning. How you ask? He was off using web-based
> email to check his personal account, got the virus email stating his
> account was disabled, please see the attachment. (OK, CLUE IN HERE...if
> your account is disabled, would you have been able to get into the account
> to read that it was disabled?)
>
> I'm stressed out about several points and I'm welcoming scolding or
> feedback, whichever makes you feel better:
>
> 1. We run CA InoculateIT with realtime scanning. How on earth did this
> get past? Engine and Definitions are up to date. To make matters more
> confusing, when I ran a manual scan, it found 171 infected files. WTH?
> They were all from the Bagle Variant he had opened, but if the stupid
> product could find them when told to look manually, how come the realtime
> scanner didn't get them? Is this because he ran it over the web connection?
>
> 2. InoculateIT couldn't remove one of the files. (access denied) I removed
> it manually by stopping the service and then deleting the file.
>
> 3. When reviewing the logs, it's evident that the virus used my OWA SSL
> Rule for GHBN. What is this and why did it use my SSL rule?
>
> 4. If this thing uses its own SMTP engine, Exchange logs are useless
> except for incoming emails created by the virus, right? I used the email
> header to determine whodunit. The small consolation is the user readily
> admitted to me what he did and when so I could launch damage control
> immediately.
>
> 5. Using my ISA logs, I can see the general domains that were hit. (hoy,
> I'm sorry everybody...) It used port 25 in combination with my OWA SSL
> Rule and the Backoffice Internet Access Protocol rule. Is there a hole I
> left open here? As near as I can tell I need those things open to work.
>
> 6. I now have serious concerns about the abilities of my AV. It's caught
> almost everything in the past, so I'm at a loss as to what happened here.
> What else should I check to make sure this machine is absolutely clean?
>
> I'm off for my lunch of Tylenol and Tums..........
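The hidden-extension trick Dave describes above (a decoy .htm, a long run of spaces, then the real .pif) is something a mail gateway or attachment filter can flag from the filename alone, before any signature exists. The following is an added example, not code from this thread or from CA's products; the sample filenames are constructed.

```python
import re

# Extensions Windows will execute directly from a double-click.
# Illustrative list, not exhaustive.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}

# Extensions that look like harmless content to the person reading the mail.
DECOY_EXTS = {"htm", "html", "txt", "doc", "pdf", "jpg", "gif"}


def analyze_attachment_name(name: str) -> dict:
    """Flag attachment names built to hide their real extension.

    Returns the real (last) extension, the decoy extension a user sees,
    the number of padding characters between them, and a list of reasons
    the name is suspicious (empty when nothing looks wrong).
    """
    reasons = []
    # Windows silently drops trailing dots and spaces when saving a file.
    cleaned = name.rstrip(" .")
    parts = cleaned.rsplit(".", 1)
    real_ext = parts[1].strip().lower() if len(parts) == 2 else ""
    stem = parts[0] if len(parts) == 2 else cleaned

    # Whitespace (spaces, tabs, NBSP) before the final extension pushes
    # ".pif" out of view: "whatever.htm<many spaces>.pif".
    visible = stem.rstrip(" \t\u00a0")
    padding = len(stem) - len(visible)
    m = re.search(r"\.([A-Za-z0-9]{1,5})$", visible)
    decoy_ext = m.group(1).lower() if m else ""

    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{real_ext}")
    if padding > 0 and real_ext:
        reasons.append(f"{padding} whitespace chars before final extension")
    if decoy_ext in DECOY_EXTS and real_ext and real_ext != decoy_ext:
        reasons.append(f"double extension .{decoy_ext} -> .{real_ext}")
    return {"real_ext": real_ext, "decoy_ext": decoy_ext,
            "padding": padding, "reasons": reasons}


# Constructed sample names (not the actual attachment from the incident).
SAMPLES = ["report.htm", "report.htm" + " " * 80 + ".pif",
           "invoice.pdf.exe", "photo.jpg"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n[:20]), analyze_attachment_name(n)["reasons"] or "clean")
```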


