Home page logo

nanog logo nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Jim Segrave <jes () nl demon net>
Date: Tue, 28 Feb 2006 10:29:12 +0100

On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:

--On February 23, 2006 8:02:31 AM -0600 Jack Bates <jbates () brightok net> 

We allowed users back online to run Housecall at trendmicro for free so
they could get cleaned up and save some money. However, the resuspend
rate was so high, we quickly changed to offline cleanup only. It will
remain until we perfect our auto defense system.

Customers just want things to work. They don't care if they are infected.
It's amazing how many customers swear they aren't scanning or sending
email, and refuse to understand that their computer is capable of doing
things without them knowing.

What doesn't help is the ISPs out there who are complete dolts and first 
don't verify reports and second false alarm.  They'll cut a user off on a 
single complaint without any evidence or verification.  Or worse they have 
some automated system that false alarms without any way to verify you're 
cleaned up.  And if you can't get online you can't get cleaned up anyway. 
Catch 22.  


It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.

Jim Segrave           jes () nl demon net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]