Welcome to ISAserver.org

RE: Hosts file to block badware

RE: Hosts file to block badware - 9.Nov.2006 10:46:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I've been using it for over a month now and it works a treat!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JRyan)
Post #: 21
RE: Hosts file to block badware - 16.Nov.2006 9:21:50 AM   
mciftci

 

Posts: 4
Joined: 7.Jun.2006
Status: offline
How about if Malware is using ip address directly instead of domain name?

_____________________________

mciftci

(in reply to RobJohn)
Post #: 22
RE: Hosts file to block badware - 16.Nov.2006 8:37:42 PM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
If malware is using IP instead of domain name I'm not sure.  I think it would then depend on whether the malware uses your proxy settings; if it does, I'm not sure how ISA would treat it since an nslookup is not required.

It would then depend on how effective your other layers (Defense in Depth) are.  For my work network these are the key components:

1) each host has its own IPS, AV, AS protection system to prevent infection or abuses. 
2) all servers and PCs are religiously patched to prevent vulnerabilities from being exploited
3) very few users have admin rights
4) All traffic on the network is controlled via PERMIT statements at the gateways (Inbound and Outbound), all other traffic is IMPLICITLY DENIED.
5) A behavior based IDS/IPS (Lancope Stealthwatch) monitors and analyzes all traffic traversing the network via span ports on our Core switches. We know within seconds any out of profile, suspicious, or unauthorized traffic.
6) ISA is used to filter HTTP destinations, content and applications.

_____________________________

Rob John
MCSE, CCNA

(in reply to mciftci)
Post #: 23
RE: Hosts file to block badware - 17.Nov.2006 1:10:49 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

Great policy!

I do the same, but have replaced my "hardware" firewalls with ISA firewall to gain greater control and security.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RobJohn)
Post #: 24
RE: Hosts file to block badware - 13.Feb.2008 3:54:56 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Thought I'd chime in on this old thread...I just implemented the host files in the manner described in this thread.  Working like a champ.

I dropped HostsExpert onto my ISA server and I can use it to download the hosts files from MVPS.ORG and HOSTS-FILE.NET, merge and sort them, apply whitelists, and do all kinds of neat tricks.

(in reply to JRyan)
Post #: 25
RE: Hosts file to block badware - 13.Feb.2008 4:08:20 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi Tim,

Thanks for the info

quote:

HostsExpert


Does this tool automate the download of the hosts file?



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to TimTrace)
Post #: 26
RE: Hosts file to block badware - 13.Feb.2008 4:50:35 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
No, sir.  It is for manual operation.  But it is a clever tool nonetheless.

http://www.funkytoad.com


(in reply to elmajdal)
Post #: 27
RE: Hosts file to block badware - 14.Feb.2008 11:16:19 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The hosts file approach works very well on the ISA firewall. I've been doing this for years.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to TimTrace)
Post #: 28
RE: Hosts file to block badware - 16.Oct.2008 4:52:38 AM   
stuarta

 

Posts: 88
Joined: 4.Sep.2008
Status: offline
Right ok.  I've just downloaded the host file from http://www.mvps.org/winhelp2002/hosts.htm and copied that into the system32\drivers\etc folder on my ISA server.

I'm guessing that's all I need to do possibly?

(in reply to RobJohn)
Post #: 29
RE: Hosts file to block badware - 16.Oct.2008 6:53:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Make sure you copy the entries to your HOSTS file on the firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to stuarta)
Post #: 30
RE: Hosts file to block badware - 16.Oct.2008 6:56:52 AM   
stuarta

 

Posts: 88
Joined: 4.Sep.2008
Status: offline
quote:

Make sure you copy the entries to your HOSTS file on the firewall.


Sorry I don't follow that bit.  At the moment I've just copied the host file.

Did have an issue just now when a user received an email, the links of which started as ad.doubleclick.net, which I've removed.

(in reply to tshinder)
Post #: 31
RE: Hosts file to block badware - 17.Oct.2008 8:08:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The file contains hosts file entries. You can copy them into your current hosts file, or replace the current hosts file with theirs.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to stuarta)
Post #: 32
RE: Hosts file to block badware - 17.Oct.2008 8:20:12 AM   
stuarta

 

Posts: 88
Joined: 4.Sep.2008
Status: offline
Yep, sorry, that is what I did; I replaced my host file with that one.  Didn't do anything else.

Did have a problem with an email that came through for one user.  It had some links on it that they needed to view which were redirected with ad.doubleclick and therefore blocked.

Would be nice if I could add them into ISA instead so that it had a different page for blocking, and not just standard ie page.

(in reply to tshinder)
Post #: 33
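
The merge, de-duplicate and whitelist steps discussed in this thread (posts 25, 31 and 33), as an added PowerShell example that is not part of the original posts and is not HostsExpert's code. The function name `Merge-HostsBlocklist`, its parameters, the sample lines and the choice of `127.0.0.1` and `0.0.0.0` as the only accepted sinkhole addresses are assumptions; an entry with any other address is rejected because it would redirect a name rather than block it.

```powershell
# Added example: vet and merge downloaded blocklist hosts files before install.
function Merge-HostsBlocklist {
    param(
        [string[]]$Lines,                  # raw lines from all downloaded lists
        [string[]]$Whitelist = @(),        # names that must keep resolving normally
        [string[]]$SinkholeAddresses = @('127.0.0.1', '0.0.0.0')   # assumption
    )
    $allow = @{}
    foreach ($w in $Whitelist) { $allow[$w.ToLowerInvariant()] = $true }
    $blocked  = @{}
    $rejected = New-Object System.Collections.Generic.List[string]

    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()      # strip comments
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { $rejected.Add($raw); continue }
        # A blocklist should only sinkhole names. Any other address would
        # point the name at a host of the list author's choosing: refuse it.
        if ($SinkholeAddresses -notcontains $parts[0]) { $rejected.Add($raw); continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $n = $name.ToLowerInvariant()
            # Never override localhost; skip names the admin has whitelisted.
            if ($n -eq 'localhost' -or $allow.ContainsKey($n)) { continue }
            if ($n -notmatch '^[a-z0-9_-]+(\.[a-z0-9_-]+)+$') { $rejected.Add($raw); continue }
            $blocked[$n] = $true                       # hashtable de-duplicates
        }
    }
    [pscustomobject]@{
        Entries  = @($blocked.Keys | Sort-Object | ForEach-Object { "0.0.0.0 $_" })
        Rejected = $rejected.ToArray()
    }
}

# Constructed sample input (not taken from any real list).
$sample = @(
    '# constructed sample'
    '127.0.0.1    localhost'
    '0.0.0.0      ads.example.com   # tracker'
    '127.0.0.1    ADS.example.com'
    '0.0.0.0      ad.doubleclick.net'
    '203.0.113.7  login.example.org'
)
$result = Merge-HostsBlocklist -Lines $sample -Whitelist 'ad.doubleclick.net'
$result.Entries     # vetted lines to append below the existing local entries
$result.Rejected    # lines to review by hand before trusting the list
```

Review `Rejected` before installing anything, and append `Entries` to the existing hosts file instead of overwriting it so local mappings survive. Hosts entries only affect name resolution, so connections made directly to an IP address are untouched.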
RE: Hosts file to block badware - 17.Oct.2008 8:49:47 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The hosts file solution is a good effort, but it's not granular, and you'll find that if you have a liberal Internet access policy, a lot of stuff is going to be blocked. Also, as you pointed out, it doesn't have the flexibility of ISA policies.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to stuarta)
Post #: 34
RE: Hosts file to block badware - 31.Aug.2010 11:01:13 AM   
J.F.

 

Posts: 43
Joined: 28.Nov.2005
Status: offline
If you want to manage thousands of blackhole or blacklist domains on Windows DNS servers, here is a free PowerShell script, and it can take a hosts file as input too:

http://blogs.sans.org/windows-security/2010/08/31/windows-dns-server-blackhole-blacklist/

(in reply to RobJohn)
Post #: 35
