Re: A case for windows firewall
- From: "Cliff Galiher" <cgaliher@xxxxxxxxx>
- Date: Sun, 25 Jan 2009 19:39:22 -0700
AV definitions were up-to-date, but the AV engine itself is a few years old. Downadup *does* try to disable AV if it can, and in this case its autorun was faster than the AV's bloodhound detection methods. It was nicely incoherent on the infected machine. As they say, never trust your AV for 100% protection.
Would the client have been better protected with a more up-to-date AV engine? Probably in this case, yes. But should a business *have* to replace SAV 8 with SAV 9, and then a year later replace that with SAV 10, and then a year later replace that with SEP 11? I'd argue that this is an unreasonable upgrade cycle for any business of legitimate size to expect when they are spending thousands on client licenses for a product. The fact that AV makers provide definitions for their older products would indicate that they "get it" too, and *don't* require the latest and greatest engine.
So yes, it was there, but in this case it proved inadequate. ...things happen...
-Cliff
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:eCuBEq1fJHA.5408@xxxxxxxxxxxxxxxxxxxxxxx
Cliff,
I use the Windows firewall, but I cannot help but ask, "Where was the antivirus software that should have stopped the virus?"
Gregg Hill
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message news:E818344F-36AA-4614-A106-786A184E98E3@xxxxxxxxxxxxxxxx
I recall a thread not too long ago discussing the pros and cons of using group policy to enable the windows firewall in an SBS environment. For those that don't recall, I, as well as a few others, took the position that the windows firewall *does* have a place even in a LAN behind a corporate firewall.
Case in point, I thought I'd relay a situation I just returned from.
A client called me because they were seeing some very strange things in their emailed reports and wanted some guidance. I'll spare you the boring details of the troubleshooting process, but the final verdict was that one of their machines had become infected with conficker/downadup through its USB drive spreading method. This machine, in turn, started trying to attack other machines on the network and was causing account lockouts as it threw passwords out, and just raising general mischief.
The punchline here is that MS08-067 had *not* been applied to the client machines. As I am only called in on an "as-needed" basis, they do their own day-to-day maintenance. Like most SBS shops, there is no dedicated IT staff, so these duties were directed to one of their administrative staff. Apparently using WSUS was one of the trivial tasks that was not properly documented during a staffing shuffle, so, long story short, the new "sysadmin" was not doing this. The server, luckily, was updated as she makes it a point to log in monthly and access windows update directly.
The upshot to this story is that back when I did the initial deployment, I enabled and configured windows firewall via GP. One of my standard firewall rules is to deny traffic on ports 139 and 445 (RPC) from any IP *but* the server. This allows SMB and RPC to work between the client and server, but not between client machines. So the upshot here is that, although all of the client machines in the organization would have been vulnerable to this attack, the windows firewall prevented the virus from spreading beyond the one USB compromised machine. The server itself, because it *was* patched (THANK GOD) also remained unaffected.
A real world example of where the windows firewall prevented a virus from running rampant and where the infection started from a point where an edge device would not prevent it. It would be very easy to imagine this scenario in a zero-day exploit where there was no patch yet.
So I pose this question to any of you who'd like to respond:
Do you use windows firewall in your environment (or client's environment)? And if not, why?
I'm not trying to trap you. I genuinely want to know and digest some alternate points of view. Is my example a valid reason to have windows firewall in place and the added inconvenience it may bring? Managing firewall rules, editing yet another GPO, and troubleshooting network related problems? I could see where some people would say no. So please...share your thoughts. :)
-Cliff
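The rule Cliff describes in the quoted post ("deny 139 and 445 from any IP but the server") is the whole point of the thread, so here is what it looks like written out. This is an added example, not Cliff's GPO and not anything from the original posts: it expresses the same policy with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later (the XP-era firewall in the post only had GP "port exception" entries with a scope field). The server address 192.168.16.2 is a placeholder assumption. The same three rules can be put into the domain GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security instead of running this per client.

```powershell
# Added example, not from the original thread. Recreates "SMB/NetBIOS inbound only
# from the server" on a Windows 8 / Server 2012+ client. Run from an elevated
# PowerShell. Assumption: the SBS server is 192.168.16.2 (placeholder).
$ServerIp = '192.168.16.2'
$Ports    = @(139, 445)      # NetBIOS session service and SMB over TCP

# Two "start-end" ranges that together cover every IPv4 address except $Except.
# -RemoteAddress accepts ranges, and a Block rule beats any Allow rule in the
# Windows firewall, so "deny from any IP *but* the server" is expressed as a
# Block rule scoped to everything-except-the-server.
function Get-AllExcept {
    param([string]$Except)
    $o = $Except.Split('.') | ForEach-Object { [int64]$_ }
    $n = ($o[0] -shl 24) + ($o[1] -shl 16) + ($o[2] -shl 8) + $o[3]
    function ToIp([int64]$v) {
        (($v -shr 24) -band 255), (($v -shr 16) -band 255),
        (($v -shr 8)  -band 255), ($v -band 255) -join '.'
    }
    $ranges = @()
    if ($n -gt 0)          { $ranges += "0.0.0.0-$(ToIp ($n - 1))" }
    if ($n -lt 4294967295) { $ranges += "$(ToIp ($n + 1))-255.255.255.255" }
    return $ranges
}

$others = Get-AllExcept $ServerIp    # e.g. 0.0.0.0-192.168.16.1, 192.168.16.3-255.255.255.255

# 1. Default inbound stance on the domain profile: block unless a rule allows.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# 2. Explicit deny for client-to-client SMB. Because Block wins over Allow, the
#    built-in "File and Printer Sharing" exceptions cannot reopen this.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS from non-server hosts' `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $others -Action Block -Profile Domain | Out-Null

# 3. Explicit allow so the server can still reach the client (remote admin,
#    GP results, pushes from the SBS console).
New-NetFirewallRule -DisplayName 'Allow SMB/NetBIOS from SBS server' `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $ServerIp -Action Allow -Profile Domain | Out-Null

# 4. Check: every enabled inbound rule that touches 445, and who it applies to.
#    On a correctly configured client you want one Block (everything but the
#    server) and nothing allowing 445 from 'Any' or from the LAN at large.
function Get-SmbInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
      Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
      ForEach-Object {
          [pscustomobject]@{
              Rule   = $_.DisplayName
              Action = $_.Action
              From   = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
          }
      }
}
Get-SmbInboundRules | Format-Table -AutoSize
```

Two caveats a practitioner will want. First, this only covers TCP 139/445, which is what the post describes and is the path Conficker used against MS08-067 (the Server service over SMB named pipes); if other RPC-exposed services worry you, scope TCP 135 and the dynamic RPC range the same way. Second, the step 4 check matters more than the rule itself: a later "helpful" exception with a remote scope of Any is exactly how a rule like this silently stops doing its job, and in a GPO-managed estate you can run the same check on every client with Invoke-Command.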