Re: A case for windows firewall
- From: "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>
- Date: Mon, 26 Jan 2009 01:11:51 -0800
Cliff,
I have a buddy who still uses SAVCE, and he updates it every time a new
build is released, due to virus attacks getting by older builds. I have seen
several cases where older SAVCE engines would not catch a current virus, in
spite of the **definitions** being current.
One has to pay for the renewal license to stay legal anyway, so why not
upgrade, at least to 10, as I heard that SEP 11 has (had?) a lot of
problems?
Gregg Hill
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:70EB0568-8DF1-4A62-A055-F9088C5AF5C1@xxxxxxxxxxxxxxxx
AV definitions were up-to-date, but the AV engine itself is a few years
old. Downadup *does* try to disable AV if it can, and in this case its
autorun was faster than the AV's bloodhound detection methods. It was
nicely incoherent on the infected machine. As they say, never trust your
AV for 100% protection.
Would the client have been better protected with a more up-to-date AV
engine? Probably in this case, yes. But should a business *have* to
replace SAV 8 with SAV 9, and then a year later replace that with SAV 10,
and then a year later replace that with SEP 11? I'd argue that this is an
unreasonable upgrade cycle for any business of legitimate size to expect
when they are spending thousands on client licenses for a product. The
fact that AV makers provide definitions for their older products would
indicate that they "get it" too, and *don't* require the latest and
greatest engine.
So yes, it was there, but in this case it proved inadequate. ...things
happen...
-Cliff
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote
in message news:eCuBEq1fJHA.5408@xxxxxxxxxxxxxxxxxxxxxxx
Cliff,
I use the Windows firewall, but I cannot help but ask, "Where was the
antivirus software that should have stopped the virus?"
Gregg Hill
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:E818344F-36AA-4614-A106-786A184E98E3@xxxxxxxxxxxxxxxx
I recall a thread not too long ago discussing the pros and cons of using
group policy to enable the windows firewall in an SBS environment. For
those that don't recall, I, as well as a few others, took the position
that the windows firewall *does* have a place even in a LAN behind a
corporate firewall.
Case in point, I thought I'd relay a situation I just returned from.
A client called me because they were seeing some very strange things in
their emailed reports and wanted some guidance. I'll spare you the
boring details of the troubleshooting process, but the final verdict was
that one of their machines had become infected with conficker/downadup
through its USB drive spreading method. This machine, in turn, started
trying to attack other machines on the network and was causing account
lockouts as it threw passwords out, and just raising general mischief.
The punchline here is that MS08-067 had *not* been applied to the client
machines. As I am only called in on an "as-needed" basis, they do
their own day-to-day maintenance. As with most SBS shops, there is not a
dedicated IT staff, so these duties were directed to one of their
administrative staff. Apparently using WSUS was one of the trivial tasks
that was not properly documented during a staffing shuffle, so, long
story short, the new "sysadmin" was not doing this. The server,
luckily, was updated as she makes it a point to log in monthly and
access windows update directly.
The upshot to this story is that back when I did the initial deployment,
I enabled and configured windows firewall via GP. One of my standard
firewall rules is to deny traffic on ports 139 and 445 (RPC) from any IP
*but* the server. This allows SMB and RPC to work between the client
and server, but not between client machines. So the upshot here is
that, although all of the client machines in the organization would have
been vulnerable to this attack, the windows firewall prevented the virus
from spreading beyond the one USB compromised machine. The server
itself, because it *was* patched (THANK GOD), also remained unaffected.
A real world example of where the windows firewall prevented a virus
from running rampant and where the infection started from a point where
an edge device would not prevent it. It would be very easy to imagine
this scenario in a zero-day exploit where there was no patch yet.
So I pose this question to any of you who'd like to respond:
Do you use windows firewall in your environment (or client's
environment)? And if not, why?
I'm not trying to trap you. I genuinely want to know and digest some
alternate points of view. Is my example a valid reason to have windows
firewall in place and the added inconvenience it may bring? Managing
firewall rules, editing yet another GPO, and troubleshooting network
related problems? I could see where some people would say no. So
please...share your thoughts. :)
-Cliff
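The rule Cliff describes (workstations accept SMB/NetBIOS on TCP 139 and 445 only from the server, never from each other) is what contained the worm. The script below is an added example, not code from the thread, expressed with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later rather than the XP-era GPO setting Cliff used; the server address 192.168.16.2 is an assumption, and the script is meant to be run elevated on a workstation or adapted into a GPO.

```powershell
# Added example (not from the thread): allow inbound TCP 139/445 from the
# server only, so workstation-to-workstation SMB is refused even on an
# unpatched client. Assumes the server's LAN address below (hypothetical).
$ServerIP = '192.168.16.2'   # assumption: the SBS server's LAN address
$Ports    = @('139', '445')  # NetBIOS session and SMB

# 1. Default-deny unsolicited inbound traffic on the domain profile; anything
#    not explicitly allowed below is then dropped.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# 2. Windows Firewall evaluates block rules before allow rules, so a blanket
#    "block 445" rule would also cut off the server. Instead, disable any
#    existing allow rule that opens 139/445 (e.g. the built-in File and
#    Printer Sharing rules, whose remote scope is "Any").
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort | Where-Object { $_ -in $Ports })
    } |
    Disable-NetFirewallRule

# 3. Re-open the ports, scoped to the server address alone.
New-NetFirewallRule -DisplayName 'SMB/NetBIOS from SBS server only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $ServerIP -Profile Domain -Enabled True

# 4. Verify: every enabled inbound rule that still touches 445 should show
#    remote=<server address>; a remote=Any allow rule means step 2 missed one.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} {1,-6} remote={2}' -f $_.DisplayName, $_.Action, ($addr -join ',')
    }
```

The design point is the one Cliff's story turns on: the host firewall does not replace the MS08-067 patch, it limits the blast radius when patching lapses. Keeping the "deny from anything but the server" intent as default-deny plus a scoped allow (rather than a block rule) is what makes the server's own RPC and SMB traffic keep working. On the XP/SBS 2003 generation the same scoping is done through the file and printer sharing exception's "allow unsolicited incoming messages from" scope in the Windows Firewall GPO settings, which is the mechanism the original post refers to.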