Re: for Jim Harrison re sasser vbs??

From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 05/04/04


Date: Tue, 4 May 2004 14:53:55 -0700

Sasser is a one-use script.
Block_attacker was being used in response to any ISA "attack" alert, which turned out to be a bad idea...

I release these virus-oriented scripts to assist those folks with "allow all" outbound policies.
The script creates "containment" rules to prevent internal infections spreading to the Internet.

-- 
 Jim Harrison [ISASE]
 Read the help, books and articles!
 This posting is provided "AS IS" with no warranties, and confers no rights.
"Geoff Cox" <geoff.cox@minusspam.freeuk.com> wrote in message news:317f90pvk2pdcgji54rs46povn2bv30qr6@4ax.com...
Jim,
hope you see this!
I have read what you said some while ago re the block_attacker.vbs, ie
"The script was written more as an instructional mechanism to
illustrate how to use the environment variables available from ISA
alerts. It makes NO sense to create a blocking rule based on current
ISA blocking action."
So if I understand this - there is no point having the block_attacker
with ISA which is already detecting the port scan - witness the alert
which has been generated.... I have just had the bad experience of
using block_attacker and then doing a port scan with grc.com from the
server! Loads of error messages and I reckon this caused Remote
Desktop to fail..
Is your sasser vbs script different in some way? Not simply a teaching
aid? If so, how do I use it?
Thanks
Geoff 

