North American Network Operators Group

Re: Quarantine your infected users spreading malware

  • From: Jim Segrave
  • Date: Tue Feb 28 04:30:32 2006
  • Organisation: Demon Internet Netherlands

On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:
> 
> 
> 
> --On February 23, 2006 8:02:31 AM -0600 Jack Bates <[email protected]> 
> wrote:
> 
> >We allowed users back online to run Housecall at trendmicro for free so
> >they could get cleaned up and save some money. However, the resuspend
> >rate was so high, we quickly changed to offline cleanup only. It will
> >remain until we perfect our auto defense system.
> >
> >Customers just want things to work. They don't care if they are infected.
> >It's amazing how many customers swear they aren't scanning or sending
> >email, and refuse to understand that their computer is capable of doing
> >things without them knowing.
> 
> 
> What doesn't help is the ISPs out there who are complete dolts and first 
> don't verify reports and second false alarm.  They'll cut a user off on a 
> single complaint without any evidence or verification.  Or worse they have 
> some automated system that false alarms without any way to verify you're 
> cleaned up.  And if you can't get online you can't get cleaned up anyway. 
> Catch 22.  

www.quarantainenet.nl

It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.


-- 
Jim Segrave           [email protected]