Home page logo
/

basics logo Security Basics mailing list archives

Re: Spyware
From: Liran Cohen <theog () tehila gov il>
Date: Thu, 16 Dec 2004 14:20:17 +0200

HI Matt,

I would recommend blocking all unnecessary traffic in either case, the benefits are a) users will not be able to use applications you do not approve of, b) you can look at the firewall logs for irregular traffic thus identifying some of the malicious traffic. mind you though, many malwares use standard ports to communicate with each other or with their "home" :)

There are some content inspection utilities which may filter the ports you allow so that no one can transfer unwanted data.

Here's a nice project I really like (many more are at freshmeat.net and similar sites):
http://httpf.sourceforge.net/

Liran Cohen
Security and Communication consultant
Israeli Government
+972-2-5317361
theog () tehila gov il


Matt Stern wrote:
Hello all:

I was just wondering if spyware sends its answers "back home" on any particular TCP or UDP port. If so, then couldn't I doubly safeguard the LAN (after trying to keep all the spyware off the workstations) by disallowing outbound communications via the firewall, for those ports? Or conversely, instead of allowing all outbound traffic, only allow the usual ports, such as 80, 443, 23, etc?

Thanks.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault