Re: We are being blocked from various mail servers because of trojan

Cliff and Gumby, THANKS...i do appreciate your explanations and i
understand what you are saying...i'm just looking at this nightmare
and, of course, kicking myself and wanting to kick the owner,
etc...but, i know i have to move forward and do a network rebuild...i
honestly wish I was ONLY the network admin here and had the time to
really really learn and understand this stuff...i really love doing
network stuff, but only find myself reacting to issues rather than
acting - dangerous, i know!

I do wonder if it will be as easy as was previously pointed out (6 hours
for the servers, the rest of the computers in a day)...for 20
computers and 2 servers to be wiped clean and re-setup, since that is
sort of my speciality (wiping computers that is), it seems like it
will take a lot longer than a day for that i would think...unless i'm
not picturing this correctly...here is what i'm seeing:

- bring everything offline
- backup ALL (and ONLY) data from both servers
- Make sure all clients data that isn't "sync'd" with the server is
also backed up
- wipe servers/clients and reinstall windows on all of them
- bring server back online using a new static IP
- only connect to do updates
- install antivirus on servers/clients
- restore data to servers
- sync clients
- make sure DNS/PTR/RDNS is set up correctly as well as the certificate
- make sure everyone can remote in and send mail from offsite

there are about 15 steps between each of those, i know that, but is
that the gist? I know that if i had a new box i could setup the new
server on and then when i brought the old one offline i could use it
as a "reference" - not having it on the network of course, but to view
for various questions, etc...i'm just seeing my weekend erode
massively...

one other question...the situation going on right now SUCKS, i know
that...but it seems like it is mostly just the IP address that is
getting blacklisted...once i have the new network up and going on a
new static IP, i will be OK, correct? as it stands now, if someone
gets blocked e-mailing out they just need to use our host mail server
and it will work...

jared
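A check a defender would run on the new static IP after the rebuild, covering the DNS/PTR/RDNS step and the blacklisted-IP question above (an added example, not code from the thread; it uses documentation addresses, a placeholder DNSBL zone `dnsbl.example` and a stub resolver in place of live DNS):

```python
"""Post-rebuild mail-server checks: forward-confirmed reverse DNS (FCrDNS)
and DNS-based blacklist (DNSBL/RBL) listing, run against an injected resolver."""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps (query name, record type) to a list of answers; [] means NXDOMAIN.
Resolver = Callable[[str, str], List[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets under the DNSBL zone: 203.0.113.25 -> 25.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_fcrdns(ip: str, mail_host: str, resolve: Resolver) -> Dict[str, object]:
    """PTR for the IP must name the mail host, and that name must resolve back to the IP."""
    ptr_names = resolve(ipaddress.IPv4Address(ip).reverse_pointer, "PTR")
    confirmed = any(
        name.rstrip(".").lower() == mail_host.lower() and ip in resolve(name, "A")
        for name in ptr_names
    )
    return {"ptr": ptr_names, "forward_confirmed": confirmed}

def check_dnsbl(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Map each zone to its listing code (an address in 127.0.0.0/8) or None if not listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    listings: Dict[str, Optional[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone), "A")
        # Only 127.0.0.x answers are listings; any other address is not a hit.
        codes = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
        listings[zone] = codes[0] if codes else None
    return listings

# Constructed sample DNS data: the old address keeps a generic ISP PTR and is
# listed; the new address has a proper PTR for mail.example.net and is not listed.
SAMPLE_DNS = {
    ("25.113.0.203.in-addr.arpa", "PTR"): ["dsl-25.isp.example"],
    ("dsl-25.isp.example", "A"): ["203.0.113.25"],
    ("25.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],
    ("80.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.80"],
}

def sample_resolver(name: str, rtype: str) -> List[str]:
    return SAMPLE_DNS.get((name, rtype), [])

def mail_ip_report(ip: str, mail_host: str, zones: List[str], resolve: Resolver = sample_resolver):
    """Both checks in one place; run before the new address starts sending mail."""
    return {"fcrdns": check_fcrdns(ip, mail_host, resolve), "dnsbl": check_dnsbl(ip, zones, resolve)}
```

Against live DNS, `resolve` would wrap a real lookup library; a listing code other than None, or `forward_confirmed` False, means the address is not yet ready to send mail.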


On Wed, 13 May 2009 20:42:03 -0600, "Cliff Galiher"
<cgaliher@xxxxxxxxx> wrote:

There are a couple of things you are overlooking in your
analysis/justification, so here are some points to consider.

A good AV may not catch 100% of the viruses out there; that is true. But
this isn't a black and white, virus gets caught or virus runs amok
situation. A good AV product will almost ALWAYS detect and prevent
malicious behavior even if the virus managed to escape traditional signature
based file and email scans. That virus drops the AV's 100% detection to
99%, but the AV still protected your vital components. That is an important
distinction and one that can raise the trust level of your AD accounts,
passwords, and other moving parts, even if a virus was not immediately
detected.

Secondly, almost every package IS 100% except with zero-day exploits. And
even if you happen to be unlucky and get compromised with a zero-day exploit
that completely bypasses all AV protections, if you are paying attention to
security bulletins (all good sysadmins should) then you'll know when the
infection occurred, have a pretty good idea what was compromised, and be
able to restore a known-good backup and reset passwords and accounts as
necessary. That addresses your second point about what companies do when
they get a virus. They can restore. Can you, with *ANY* confidence, say
when you got infected? If it is a botnet, which it sounds like it is from
the RBL rejections you are getting, it could've been dormant for MONTHS
collecting data and received new instructions from the bot herder to start
spamming only recently. So using the time you started seeing spam notices
from RBLs is anecdotal at BEST. So to repeat point #2, an AV package can
provide information to help you protect your network even when it isn't 100%
effective. It helps provide a timeline of infection.

Finally, to answer your last question...yes, if a server has an AV package
on it and it fails to catch "something" and you cannot pinpoint the cause of
infection (program installation, network exploit, etc) through firewall
logs, scans, and other evidence, then it is untrusted even with
Symantec/Trend/etc. If you are not able to determine the point of infection
then everything is susceptible and even a big business would have to resort
to a rebuild. As you are not a big business, likely don't have the
resources to do that level of forensic analysis, AND didn't have an AV
package with which to consult the logs to help, you are basically up ...the
creek... and need to act accordingly in the best interest of your data.

-Cliff


"Jaredean" <shop@xxxxxxxxxxx> wrote in message
news:3sum05hc3mcner5fs6kprucofgod2a724f@xxxxxxxxxx
Thanks for your reply...i guess i question this (but am obviously the
minority based on responses) - because not all antivirus software is
100% effective...i know that there are companies out there that get
viruses and if they got a single trojan then they would have to scrap
the network and start over? If the server had Symantec or Trend on
it and we still had this issue crop up because it didn't catch a "new
variant" then it can't be trusted?

jared

On Thu, 14 May 2009 11:46:16 +1000, "SuperGumby [SBS MVP]"
<not@xxxxxxxxxxx> wrote:

Jared, the idea comes from a basic security principle 'once compromised
trust cannot be restored'.

The idea of this is that if something gets in it is possible for other
processes to also operate below the level at which AV operates, you can
_never_ be sure of that installation again.

It's a 'risk analysis'. Is a clean install and surety of proper operation
better than operation of an untrusted system?