Velocity Reviews - Computer Hardware Reviews

WinXP SP2 Firewall ??? Serious!

johns
 
      09-25-2004
An interesting comparison: I have about 1200 users I
support, and most of the problems have been hacked
systems. We run f-secure, WinXP Pro SP2, on all
systems, and for the most part, the student labs are
locked down with browsing in the local domain only,
or an "allow list" for research. Staff, on the other hand,
can browse freely. All email is filtered at two levels ..
the servers, and finally each station. Still I get the call,
"My PC is running very slow, and I can't access ...."
I look on the system, and invariably it is commercial
scumware like Gator, Gain, Precision Time, etc with
as many as 10 local "servers" yakking away and
dragging the cpu up to 100%. I've known for years
that Adaware or Spybot will not remove this crap. It
is too well defended. Generally I reimage and recover.
What is frustrating, and also TRUTH telling in a big
way, is !!!! the WinXP firewall has not said a word
about any of this. It just ALLOWS it. I finally turned
the stupid thing off ... because it trashes network
printing ... and installed F-secure firewall. Within
minutes, f-secure popped up and reported all the
internal scumware that was talking out .. and the packer
source / programs .. and equally all external probes
that were trying to get in to the systems ... and there
were quite a few from Canada, Russia, and Australia
..... pushing keyloggers every one of them. I was
able to get their ip-addresses, dns-addresses, and I
was able to go in and manually delete the packers.
We are also building a "**** list" of ip-addresses on
our F-secure server to automatically block. I really
have a great security tool now. So .. !! ?? ... just
what was this SP2 firewall doing ? It never said a thing.

johns


Leythos
 
      09-25-2004
In article <cj4cc5$27nh$>, says...
[snip]

If you are supporting an organization, since you have 1200 users, if
you're not doing web filtering and other blocking at the firewall then
you need to start.

If you enable content blocking, and run AV software (such that the users
don't have to run updates manually, don't have the ability to stop the
AV Scans, and run a weekly full system scan) you will have a lot fewer
problems.

--

(Remove 999 to reply to me)
johns
 
      09-25-2004

> If you are supporting an organization, since you have 1200 users, if
> you're not doing web filtering and other blocking at the firewall then
> you need to start.


We do in the student labs. No problem at all there. So far, we are
not allowed ( or at least can't get away with ) doing it for the staff
and professors. Oh boy, do I wish we could. At least we have 2
levels of email filtering with McAfee at the servers, and heavy
spam filtering. On each local machine, AV updates are done
automatically every few hours, and f-secure runs there. Here's
the problem too. No firewall is running at the first layer of servers.
Only f-secure is running on our subnet ... and it is showing me
bigtime just what a good firewall can tell us. It is solving problems
that I was never able to touch before. Now I know who is
"doing it", and just what they are doing. The biggest problem
is coming from unrestricted browsing and hacked chat groups
like Yahoo, and hacked messenger services. Those are straight
shots into our local PCs, but now F-secure is kicking their butts.
I cannot praise this piece of software enough. It is just super.

> If you enable content blocking, and run AV software (such that the users
> don't have to run updates manually, don't have the ability to stop the
> AV Scans, and run a weekly full system scan) you will have a lot fewer
> problems.


Right. The old F-secure could be turned off easily. The new one
is far more difficult. Nevertheless, if I am called to a PC where the
user has deleted F-secure, or turned it off intentionally, and then
got hacked, I pull his network access until he and his dept head
have come to understand that it AIN'T gonna happen again, and
I am not kidding one bit. Now, I'm just at the bottom level of
defense. These clowns get to discuss it with IT too, and they
are just as tired of it as I am. And they need to come watch
F-secure firewall do its thing !!!!!!!!!!!!!!!!!!!!!!!!!

johns


Leythos
 
      09-26-2004
In article <cj4rmv$2i4q$>, says...
>
> > If you are supporting an organization, since you have 1200 users, if
> > you're not doing web filtering and other blocking at the firewall then
> > you need to start.

>
> We do in the student labs. No problem at all there. So far, we are
> not allowed ( or at least can't get away with ) doing it for the staff
> and professors. Oh boy, do I wish we could. At least we have 2
> levels of email filtering with McAfee at the servers, and heavy
> spam filtering.


I just cleaned a house at a local campus - they brought their systems to
us before we let them connect them to the network. The machines were
running everything from Win98, ME, XP, 2000, and Mac OS X.

The ones with McAfee products were more infected than the ones running
Norton products. Even though the University provides free CA AV to all
students, those that had it didn't update it. The ones that had Norton
had expired subscriptions.

Order of worst to best was:

Worst: McAfee
Almost as bad: CA
Best: Norton 2003 or 2004

> On each local machine, AV updates are done
> automatically every few hours, and f-secure runs there. Here's
> the problem too. No firewall is running at the first layer of servers.
> Only f-secure is running on our subnet ... and it is showing me
> bigtime just what a good firewall can tell us. It is solving problems
> that I was never able to touch before. Now I know who is
> "doing it", and just what they are doing. The biggest problem


I found that the computers brought from the kids homes were the least
infected, the ones returning that had them in the Dorms were the most
infected.

> is coming from unrestricted browsing and hacked chat groups
> like Yahoo, and hacked messenger services. Those are straight
> shots into our local PCs, but now F-secure is kicking their butts.
> I cannot praise this piece of software enough. It is just super.
>
> > If you enable content blocking, and run AV software (such that the users
> > don't have to run updates manually, don't have the ability to stop the
> > AV Scans, and run a weekly full system scan) you will have a lot fewer
> > problems.

>
> Right. The old F-secure could be turned off easily. The new one
> is far more difficult. Nevertheless, if I am called to a PC where the
> user has deleted F-secure, or turned it off intentionally, and then
> got hacked, I pull his network access until he and his dept head
> have come to understand that it AIN'T gonna happen again, and
> I am not kidding one bit. Now, I'm just at the bottom level of
> defense. These clowns get to discuss it with IT too, and they
> are just as tired of it as I am. And they need to come watch
> F-secure firewall do its thing !!!!!!!!!!!!!!!!!!!!!!!!!


We ran all Windows Updates, including SP2 for XP, and forced the Mac
OS X user to update for the hacks that are out for OS X. We installed
AVG Free for all people that had McAfee or expired licenses.

In almost 40 machines we removed over 3000 known viruses and 8000+
spyware tools. Only 3 machines were clean when brought to us.

Additionally, every computer had file/printer sharing disabled, under
XP, SP2 and firewall were enabled, AV set to update every 24 hours and
full scans to run once per day at 5AM.

Since the house could not afford a real firewall, we set the NAT device
to block outbound 135 through 139, 445, 1433-1434, and 2500 both TCP and
UDP. The router passes all traffic logs to a secured W2K server running
WallWatcher and emails them to our monitoring site once a day. We also
set up a secure HTTP service to allow remote access to the logs.

So far, we've not detected any problem, but those kids sure love AIM

It was interesting to note the levels of infection based on the products
the kids used - NOT ONE that was using McAfee was registered, so they
could not get AV Updates. One student had purchased the full suite of
McAfee tools on-line and failed to understand how to install it - so,
for 4 months they thought they were protected and in reality had not
actually installed the update. It took the student more than an hour
with tech support / customer service to get access to the update and get
it installed (found 8 viruses after that).

The CA version of virus scanner is also something that was not set up to
auto-update; not one of them (about 6) had current updates.

All but two of the Nortons were running on 1 year old licenses and not
getting updates, but the kids were aware of it - it was clear to see and
they told us they were not updating.

I've always found the Corporate Edition of Symantec AV to be the best in
our testing. I've always found McAfee to be the worst, and this
experience just confirms it.

--

(Remove 999 to reply to me)
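As an added example (not code from anyone in this thread), here is a small Python checker for the egress policy Leythos describes: it parses connection log lines and flags internal hosts talking out to the blocked ports (135-139, 445, 1433-1434, 2500, TCP and UDP), then counts repeat offenders, which is the kind of signal a worm-infected PC gives off. The LAN range, the log line format and the sample lines are all constructed assumptions, not WallWatcher's real format.

```python
import ipaddress
import re
from collections import Counter

# Egress policy from the post: block outbound 135-139, 445, 1433-1434 and 2500 (TCP and UDP).
BLOCKED_PORTS = set(range(135, 140)) | {445, 1433, 1434, 2500}
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range (hypothetical)

# Constructed sample log in a made-up "PROTO src:sport -> dst:dport" form.
SAMPLE_LOG = """\
TCP 192.168.1.10:1045 -> 203.0.113.5:80
TCP 192.168.1.23:1100 -> 198.51.100.7:445
TCP 192.168.1.23:1101 -> 198.51.100.8:445
TCP 192.168.1.23:1102 -> 198.51.100.9:139
UDP 192.168.1.23:1103 -> 198.51.100.10:1434
TCP 192.168.1.10:1046 -> 192.168.1.5:445
UDP 192.168.1.40:5190 -> 203.0.113.20:5190
TCP 192.168.1.40:1200 -> 203.0.113.21:2500
"""

LINE_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (proto, src, sport, dst, dport) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return proto, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def is_egress(src, dst):
    """True when the flow leaves the LAN; LAN-to-LAN traffic (e.g. file sharing) is not egress."""
    return src in INTERNAL and dst not in INTERNAL


def violations(log_text):
    """Every outbound flow that hits a blocked port, as (src, proto, dst, dport) tuples."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, _sport, dst, dport = rec
        if is_egress(src, dst) and dport in BLOCKED_PORTS:
            found.append((str(src), proto, str(dst), dport))
    return found


def suspect_hosts(log_text, threshold=3):
    """Internal hosts with at least `threshold` violations: worth pulling off the wire and scanning."""
    counts = Counter(v[0] for v in violations(log_text))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for v in violations(SAMPLE_LOG):
        print("blocked egress:", v)
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG))
```

The LAN-internal SMB flow on line 6 is deliberately not reported, since the router rule only concerns traffic leaving the network; the AIM flow on port 5190 passes too, matching the "kids sure love AIM" remark.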
J.S. Jackson
 
      09-26-2004
On Sun, 26 Sep 2004 03:05:56 GMT, Leythos wrote:

[...]

> I've always found the Corporate Edition of Symantec AV to be the best in
> our testing. I've always found McAfee to be the worst, and this
> experience just confirms it.


[...]


Interesting read, especially since the majority of posters seem to be
really down talking Symantec products, in general. Thanks for all that
info.


andy smart
 
      09-26-2004
johns wrote:


> We do in the student labs. No problem at all there. So far, we are
> not allowed ( or at least can't get away with ) doing if for the staff
> and professors. Oh boy, do I wish we could.


Go and explain the problems and the possible consequences to the school
authorities. We make ALL our staff (right up to the headteacher)
sign a use agreement and we filter their access. We've had no problems.

Think in the wider context; explain to the school what the consequences
will be TO THEM if one of their staff does something illegal that they
forbade you to take action to prevent ................
Leythos
 
      09-26-2004
In article <>,
ks says...
> On Sun, 26 Sep 2004 03:05:56 GMT, Leythos wrote:
>
> [...]
>
> > I've always found the Corporate Edition of Symantec AV to be the best in
> > our testing. I've always found McAfee to be the worst, and this
> > experience just confirms it.

>
> [...]
>
> Interesting read, especially since the majority of posters seem to be
> really down talking Symantec products, in general. Thanks for all that
> info.


Like most things in Usenet you generally only see posts from people that
have a problem with something. Most of the people we've run across using
McAfee products don't even know they are installed on their systems,
don't think there is more to the Internet than the web, and none of them
know what Usenet is.

I myself can understand the displeasure with Symantec, actually Norton
products - they started doing suites instead of sticking with something
they do well. I see people having problems with NIS all the time, but
it's usually because they don't understand the product, already had a
problem with their system or are running a half-baked system on Windows
XP with 128MB of RAM (any XP system should have a Min of 256MB
installed, and a min of 512MB for heavy system users).

It really was an eye-opener for us. Next year we get to do the same
place, only 90+ systems. We're already getting calls from places that
the ISP is threatening to shut them down due to virus activity (which is
how we got this job last year).

It's interesting to see how few organizations install some form of
monitor, don't disable file/printer sharing, don't mandate updated (with
a current license) AV software, don't run PFWs on their local
computers, etc... Sure, in a corp environment we could mandate this and
have the IT staff to force it, but you would think that with all the
news about viruses and spyware that organizations would be looking at it
too.


--

(Remove 999 to reply to me)
johns
 
      09-26-2004

> Think in the wider context; explain to the school what the consequences
> will be TO THEM


My favorite one of the year was the FBI at that school in Colorado.
2nd was that judge who ordered all the Indian rez servers to
be turned off .. period!

johns


Peter Houppermans
 
      09-29-2004
Having read this whole thread it strikes me that you consider a firewall the
core of your defence. I have news for you - that only works if you don't
actually have any users ;-(. You have what is known as 'brittle' security,
in your case 'hard shell, soft centre'. Or, to close the text book, you
lack defence in depth and are exposed to insider threat (your users).

As soon as they go and surf, email or otherwise use the Internet they will
be exposed to all the wonderful stuff MS lets you download without the
slightest warning (auto-install, for instance), newly developed hacks (the
jpeg issue is but one of many) and plain vanilla social engineering ("click
here to get <desktop gadget>").

See if you can get them at least to accept using the web when logged in as a
'regular' user instead of with admin rights, that will offer a small degree
of containment. I'd also recommend avoiding IE where possible as a lot of
BHOs can offer a nice route into the users' desktop (Spybot Search &
Destroy is your friend here). Use Firefox where possible, and while you're
at it you may want to rethink using Outlook (Express as well as 'regular').
If you absolutely have to, at least make sure preview is disabled as that
forces any HTML email to be rendered (and thus any stuff inside to be
executed). To give you an idea how clever preview is, imagine what happens
when you want to delete an email you KNOW has dodgy stuff in. You
highlight it to delete it - and it then executes it. Duh.

As for introducing a firewall, get a Linux box or something (i.e. grab an
older desktop and add an extra network card) and sell it to your staff as a
'proxy' - all of them looking at Dilbert means it'll only hit your
bandwidth once. A bit of social engineering helps.

Oh, btw, if you want to spot any resident virus infections quickly, install
a tool called 'Etherape' on a machine that runs Linux. You'll spot an
infection as it will broadcast - it's quite well visible with Etherape (I
used it to detox a 30k global network where nobody had ever heard about
containment, planning and segmentation. Arrgh).

Good luck.
--

Regards, /// Peter ///


(remove animals from signature first)
Leythos
 
      09-29-2004
In article <415ac45e$0$92131$>,
says...
> Having read this whole thread it strikes me that you consider a firewall the
> core of your defence. I have news for you - that only works if you don't
> actually have any users ;-(. You have what is known as 'brittle' security,
> in your case 'hard shell, soft centre'. Or, to close the text book, you
> lack defence in depth and are exposed to insider threat (your users).


It would be nice if you would at least quote part of the message you are
replying to so that we know who "You" is.

As for the firewall, it is the Core, but that does not mean that it's
the only security measure, it's just the first point and the main
entrance.

> As soon as they go and surf, email or otherwise use the Internet they will
> be exposed to all the wonderful stuff MS lets you download without the
> slightest warning (auto-install, for instance), newly developed hacks (the
> jpeg issue is but one of many) and plain vanilla social engineering ("click
> here to get <desktop gadget>").


Actually, a quality firewall can filter ALL of those things out of web
pages, can remove things you don't want the users to access (within the
page) and make life a lot safer for the entire org.

While I agree that you have to educate users, it's not going to cut it.
The role of IT Security is to eliminate the chance that people can do
bad things to the network and yet still remain productive - which means
that most people don't even need access to the internet at work.


--

(Remove 999 to reply to me)