Irregular Expressions

Jul 29 2011   10:57PM GMT

Good times

Dan O'Connor

So what do you do?

My basic steps:

  1. Block access to the news site.
  2. Block access to the dropsites and download sites (if possible); at least monitor for them with a signature.
  3. Restrict TCP port 445 between remote locations and servers where possible.
  4. Start updating machines with new AV signatures and system patches to stop the bleeding.
  5. Update the AV on the servers that require TCP 445 and cannot be patched. I have also seen some application firewalls for servers that might be a help.
  6. It might be possible to VLAN the infected workstations off the network, or route them through the main firewall to be scanned.

  1. Use firewall logs to identify any machines that have visited the news site. Also use logs (hopefully) to watch for TCP 445 scans around the network; ongoing, an IDS signature would be good for this.
  2. Try to use WSUS logs to identify machines missing the needed patch, and cross-reference with AV logs for missing signatures.
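As an added example (not code from the original post), here is the firewall-log step from the list above worked through in Python: pull out every internal source that reached the news site, by Host header or by destination IP, and flag sources that touched TCP 445 on many distinct destinations, which is what a worm spreading over SMB looks like in a firewall log. The log format, the hostname `news.example.com`, the IP addresses and the threshold are all constructed for the example; a real firewall's export will need its own parser, but the two functions are what you would run over it.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical key=value format, not from the original post).
# Fields assumed: timestamp, firewall name, action, src, dst, dport and an optional host=
# (the HTTP Host header, where the firewall can see it). Addresses are documentation ranges.
SAMPLE_LOG = """\
2011-07-29T22:01:03 fw1 allow src=10.0.1.15 dst=203.0.113.10 dport=80 host=news.example.com
2011-07-29T22:01:09 fw1 allow src=10.0.1.15 dst=203.0.113.77 dport=80 host=cdn.example.net
2011-07-29T22:02:41 fw1 allow src=10.0.2.8 dst=203.0.113.10 dport=80 host=news.example.com
2011-07-29T22:03:00 fw1 allow src=10.0.3.3 dst=198.51.100.5 dport=443 host=mail.example.org
2011-07-29T22:05:12 fw1 allow src=10.0.1.15 dst=10.0.2.8 dport=445
2011-07-29T22:05:12 fw1 allow src=10.0.1.15 dst=10.0.2.9 dport=445
2011-07-29T22:05:13 fw1 deny src=10.0.1.15 dst=10.0.2.10 dport=445
2011-07-29T22:05:13 fw1 deny src=10.0.1.15 dst=10.0.2.11 dport=445
2011-07-29T22:05:14 fw1 deny src=10.0.1.15 dst=10.0.2.12 dport=445
2011-07-29T22:05:15 fw1 allow src=10.0.3.3 dst=10.0.5.20 dport=445
"""

# Header fields are positional; everything after the action is key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>allow|deny)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "fw": m.group("fw"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = val
    return rec


def parse_log(text):
    """Parse a whole log export, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def hosts_that_visited(records, site_host=None, site_ips=()):
    """Internal sources that reached the named site, matched by Host header or destination IP.

    Matching on the IP as well catches clients whose Host header the firewall did not log.
    """
    site_ips = set(site_ips)
    hits = set()
    for r in records:
        if (site_host and r.get("host") == site_host) or r.get("dst") in site_ips:
            hits.add(r["src"])
    return hits


def tcp445_scanners(records, min_targets=3):
    """Sources that touched TCP 445 on at least min_targets distinct destinations.

    Denied connections count too: a blocked SYN is still evidence that the source is scanning,
    and on a segmented network most of a worm's probes will be denies.
    """
    targets = defaultdict(set)
    for r in records:
        if r.get("dport") == "445":
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("visited news site:", sorted(hosts_that_visited(recs, "news.example.com", ["203.0.113.10"])))
    print("TCP 445 scanners:", tcp445_scanners(recs))
```

Run against the constructed log, 10.0.1.15 shows up in both lists (it visited the site and then probed five neighbours on 445), while 10.0.3.3 made a single legitimate SMB connection and stays below the threshold; that intersection is the machine to pull onto the quarantine VLAN first. The same `tcp445_scanners` query, scheduled over fresh logs, is a stopgap until the IDS signature from the list is in place.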
At least that's my take; there are some good comments on the post as well.
