North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Quarantine your infected users spreading malware
--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates <[email protected]> wrote:
We believe it does help to an extent. But more importantly to us the same system that sent the notices and quarantined the host also is tracking the incident. Its visible to the help desk staff and the security staff, and searching there first when a user contacts us is standard procedure. Prior to this system we were keeping track of suspended machines by hand or via email. In the summer of 2003, when the big windows RPC vulnerability was out, and both Blaster and Welchia happened, we knew right away that we needed a system to track the *hundreds* of suspend/restore requests we were processing. First it was just a tracking system, then it became a full automated notification and suspension system.Do you find that web redirection actually stems the flow of calls to the helpdesk? We find that anything out of the normal usually results in a customer calling the helpdesk just because they weren't expecting it. We found this to be true of email notifications as well.
One of the things we do is send vulnerability notices for large scale OS vulnerabilities. For example, for the Windows Print Spooler vulnerability, MS05-043, we scan our network multiple times a day and send notices to the owners of vulnerable machines. The user/admin then has 24 hours to patch the machine and use the web app to tell us they did. If they don't do so the machine is suspended. Once suspended they can still use the web app to restore themselves. However if we find a machine is still unpatched after we've been told it was patched we immediately suspend it.
Well, once they're quarantined they should stop getting those ads and just get your quarantine notice, so that should be different, right?The other issue is, of course, differing what we are doing with those thousands of annoying ads that make users believe they are infected.