The UK Home Automation Archive


The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024



RE: Re: Virus


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: Virus
  • From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
  • Date: Sun, 23 Sep 2001 13:50:03 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Thanks Mark, very informative.

My ISP is NTL, which is why I was concerned about the NetBT bit, assuming it
to be something to do with BT.

When I allowed MMC.EXE to operate there was a humongous amount of traffic
through the firewall (Tiny Personal Firewall) so I stopped it. It was around
this time that I found I had the Mimba virus, maybe a coincidence, not sure.

When I installed TPF it asked all sorts of questions re access, so I did start
with no rules and made them up as I went along. Confusing the first time
till I got a basic knowledge of what was going on! As you say, a good way
to learn.

Thanks for your help, mucho appreciated.

B.

> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 23 September 2001 13:40
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: Virus
>
>
> > NetBT Datagram
> > NetBT Session
>
> These are communication packets very likely to do with your ISP
> connection.
>
> > Outgoing ICMP Echo Request
>
> This is likely to be the "keep alive" for your ISP connection.
>
> > Trivial File Transfer Protocol App
>
> Not sure, could be anything with a TFTP implementation in, e.g., auto
> update routines for an AV program. Kill tasks until it dies or examine
> running processes to attach it to a specific application. TFTP is not too
> likely to be a particularly nasty access to allow anyway, and I would hope
> your firewall allows separate treatment of incoming and outgoing
> connections, so configure it in a way that you feel happy with.
>
> > MMC.EXE
>
> MMC.EXE is the IIS management console. By blocking its access you
> effectively disable IIS functions. Most MMC access is merely on the local
> loopback so is safe to allow. You are better placed securing IIS than
> merely blocking it at the firewall.
>
> > Is there a website that lists what should be allowed in/out
> > of a system? I
>
> Not sure of any references off hand but there must be some. Check out
> firewall sites for documentation since most firewalls include information
> about networking and security. Your firewall may even cover itself in the
> help files. I would advise that you don't try to learn everything in one
> go, but maybe address things as you come across them (as with this list
> you sent to the list). You could easily end up confusing yourself over
> what does what if you try and learn it all and configure according to
> what you find out, since there are so many protocols and many look very
> dangerous from a theoretical POV.
>
> One good way to pick stuff up is to see it in action. Assuming you have a
> pretty secure and versatile firewall program (ATGuard and NIS type
> applications), remove all rules and build up a ruleset from scratch as
> applications require access. Note: I suggest keeping any trojan rulesets
> as your base since you don't really want to install the trojan to
> configure against it :) This is quite time consuming and can be annoying,
> but you will learn about everything a given application does that is not
> immediately obvious otherwise (e.g. FTP, although using ports 21 and 22 in
> general, will often also query 113 - auth.) You can usually build up the
> majority of the rulesets for your common applications within the first
> few hours of using a PC, but obviously you will have no access in or out
> until there are some rules defined. After the first initial run, you will
> have minor configuration changes for new apps and apps that are not run
> very often, but as a learning tool, it is good at seeing what does what on
> your Internet connection.
>
> It is better to stop a program running or properly secure it than block
> it at the firewall. Any concerns about MMC.EXE (IIS Management Console)
> should be dealt with by turning off unused services rather than blocking
> it outright. Blocking it does not recover the resources and the program
> will still attempt (maybe more frequently) to access the internet even
> though it is blocked, possibly resulting in increased use of resources.
> If you are not using IIS at all, disable it completely.
>
> HTH.
>
> Mark.
>
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>
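The "start with no rules and build them up as applications ask" approach described in the quoted reply, as an added example that is not part of either message on this list: a small Python simulation of a default-deny personal firewall in learning mode. The flow log, application names and the operator decisions are all constructed for the example; the port labels are the well-known ports for the protocols the thread mentions (NetBT, TFTP, FTP, ident/auth on 113). It records one rule per (application, direction, protocol, port), treats inbound and outbound separately, and only prompts the first time a flow is seen.

```python
"""Learning-mode personal firewall simulation (added example, constructed data).

Default-deny until a rule exists; each new (app, direction, proto, port) flow
prompts the operator once and the answer is stored as a rule. Inbound and
outbound are separate keys, so an application can be allowed out without
opening it up to unsolicited inbound connections.
"""
from dataclasses import dataclass

# Well-known ports for the protocols named in the thread, used only to label flows.
PORT_LABELS = {
    (137, "udp"): "NetBT Name Service",
    (138, "udp"): "NetBT Datagram",
    (139, "tcp"): "NetBT Session",
    (69, "udp"): "TFTP",
    (21, "tcp"): "FTP control",
    (113, "tcp"): "ident/auth",
}


@dataclass(frozen=True)
class Rule:
    app: str
    direction: str   # "in" (unsolicited inbound) or "out" (outbound)
    proto: str       # "tcp", "udp" or "icmp"
    port: int        # 0 for ICMP, where a port is meaningless
    action: str      # "allow" or "deny"


class LearningFirewall:
    """Records one rule per flow the first time it is seen; replays it afterwards."""

    def __init__(self, ask):
        self.ask = ask      # callback (app, direction, proto, port) -> "allow" | "deny"
        self.rules = {}     # (app, direction, proto, port) -> Rule
        self.prompts = 0    # how many times the operator had to decide

    def check(self, app, direction, proto, port):
        key = (app, direction, proto, port)
        rule = self.rules.get(key)
        if rule is None:
            self.prompts += 1
            rule = Rule(app, direction, proto, port, self.ask(app, direction, proto, port))
            self.rules[key] = rule
        return rule.action


# Constructed sample of what a personal firewall might log during normal use.
SAMPLE_FLOWS = [
    ("ftp.exe", "out", "tcp", 21),
    ("ftp.exe", "in", "tcp", 113),   # the server's ident query back to the client
    ("system", "out", "udp", 138),   # NetBT datagram to the LAN
    ("system", "in", "tcp", 139),    # unsolicited NetBT session from outside
    ("updater.exe", "out", "udp", 69),
    ("ping.exe", "out", "icmp", 0),
    ("ftp.exe", "out", "tcp", 21),   # repeat of the first flow: must not prompt again
]


def example_policy(app, direction, proto, port):
    """Hypothetical operator decisions: outbound from named apps is allowed,
    the ident query that FTP needs is allowed inbound, all other inbound is denied."""
    if direction == "out":
        return "allow"
    if (app, proto, port) == ("ftp.exe", "tcp", 113):
        return "allow"
    return "deny"


def label(proto, port):
    return PORT_LABELS.get((port, proto), f"{proto}/{port}")


def run(flows=SAMPLE_FLOWS, policy=example_policy):
    """Feed flows through a fresh firewall; return (decisions, firewall)."""
    fw = LearningFirewall(policy)
    decisions = []
    for app, direction, proto, port in flows:
        action = fw.check(app, direction, proto, port)
        decisions.append((app, direction, label(proto, port), action))
    return decisions, fw


if __name__ == "__main__":
    decisions, fw = run()
    for d in decisions:
        print("%-12s %-3s %-20s %s" % d)
    print(f"{len(fw.rules)} rules learned from {len(SAMPLE_FLOWS)} flows, {fw.prompts} prompts")
```

Running it shows six rules learned from seven flows: the repeated FTP connection reuses its rule, the inbound NetBT session is denied while the outbound NetBT datagram is allowed, and the inbound ident query is allowed only for the FTP client, which is the separate in/out treatment the reply recommends.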



