
Welcome to ISAserver.org


important How to block new viruses "Conficker-A,W32.Downadup "

important How to block new viruses "Conficker-A,W3... - 14.Feb.2009 3:56:26 PM   
kenzo2001m

 

Posts: 19
Joined: 5.Nov.2007
Status: offline
Hello,
I think all know the new virus Conficker-A or W32.Downadup.
How can I block this with ISA?

My network is not infected but I want to be safe.

Thanks
Post #: 1
RE: important How to block new viruses "Conficker-... - 14.Feb.2009 4:12:51 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Here's all you need to know...

http://blogs.technet.com/yuridiogenes/archive/2009/01/01/blocking-conficker-through-isa-server-tmg.aspx

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to kenzo2001m)
Post #: 2
RE: important How to block new viruses "Conficker-... - 14.Feb.2009 4:13:45 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Download the blocking script from www.isatools.org

http://isatools.org/tools/block_conficker.vbs

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to kenzo2001m)
Post #: 3
RE: important How to block new viruses "Conficker-... - 14.Feb.2009 4:21:04 PM   
kenzo2001m

 

Posts: 19
Joined: 5.Nov.2007
Status: offline
Thanks SteveMoffat
Thanks richardhicks
 
for nice help

(in reply to SteveMoffat)
Post #: 4
RE: important How to block new viruses "Conficker-... - 30.Mar.2009 5:19:07 PM   
dspecht

 

Posts: 5
Joined: 30.Mar.2009
Status: offline
Hi,
 
I ran the block_conficker.vbs script with "cscript block_CONFICKER.vbs" - but how exactly can I be sure that it ran correctly? Sure, the results in the command prompt say it ran OK, but I can't see any changes in the ISA console. Where do I look for the signatures and the other modified rules?
 
Below are the results from the cmdline console after the script ran.
 
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
  
C:\>cscript block_conficker.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
 
 
*******************************************************
block_conficker.vbs version 1.3
*******************************************************
 
Backing up up your firewall policies to C:\Documents and Settings\Bart\Desktop\blo
ck_conficker_Backup.xml
 
..Successful..
 
Examining Rules in "ISA1"...
 
- Examining Rule "perimeter to external "...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "Allow access between VPN and Internal"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "HTTPS"...
  ** Nothing to do here...
 
- Examining Rule "Alex"...
  ** Nothing to do here...
 
- Examining Rule "Primary DNS Server"...
  ** Nothing to do here...
 
- Examining Rule "VPN Clients to Internal Network TEST"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "Perimeter Internet Access"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "1 Internet access"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "MS Exchange SMTP Server"...
  ** Nothing to do here...
 
- Examining Rule "OWA Access"...
  ** Nothing to do here...
 
- Examining Rule "OWA Access(1)"...
  ** Nothing to do here...
 
- Examining Rule "WWW Access to Pages"...
  ** Nothing to do here...
 
- Examining Rule "Mail"...
  ** Nothing to do here...
 
- Examining Rule "TTrac Access"...
  ** Nothing to do here...
 
- Examining Rule "Allow access Between BleVPN and External"...
  ** Nothing to do here...
 
- Examining Rule "Open Port 2681 for CLIENT - FA"...
  ** Nothing to do here...
 
- Examining Rule "WWW Access"...
  ** Nothing to do here...
 
- Examining Rule "RPC, Ping  To Nes"...
  ** Nothing to do here...
 
- Examining Rule "DMZ to Internal"...
  ** Nothing to do here...
 
- Examining Rule "Pages FTP"...
  ** Nothing to do here...
 
- Examining Rule "Internal Access to D"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "VPN Clients to Internal Network"...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...
 
- Examining Rule "Allow RSA SecurID"...
  ** Nothing to do here...
 
- Examining Rule "Block Countries"...
  ** Nothing to do here...
 
- Examining Rule "Default rule"...
  ** Nothing to do here...
 
 
Saving the changes
 
C:/

(in reply to SteveMoffat)
Post #: 5
RE: important How to block new viruses "Conficker-... - 30.Mar.2009 6:50:10 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Right click any of your rules that contain HTTP and select the 'Configure HTTP' option - in the Signatures tab, you should see new ones for Conficker added to the list. It also looks like it adds new file extensions to block too...

This allows ISA to inspect the HTTP traffic, looking for Conficker style requests which it will drop...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dspecht)
Post #: 6
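
An added example, not part of the thread and not code from the script's author: a small parser for the block_conficker.vbs output format quoted in post #5, listing which rules the script reported modifying so they can be checked under 'Configure HTTP' as described in post #6. The sample text is constructed (a shortened excerpt in the same format), and the function and key names are assumptions of this example.

```python
import re

# Constructed sample in the format of the block_conficker.vbs output in post #5.
SAMPLE = '''\
Examining Rules in "ISA1"...

- Examining Rule "perimeter to external "...
  ++ Updating HTTP Filter settings
  ++ Updating the Signatures...
  ++ Adding the "CONFICKER-1" Signature
  ++ Adding the "CONFICKER-2" Signature
  ++ Updating the Extensions...

- Examining Rule "HTTPS"...
  ** Nothing to do here...

- Examining Rule "1 Internet access"...
  ++ Updating HTTP Filter settings
  ++ Adding the "CONFICKER-1" Signature

Saving the changes
'''

RULE = re.compile(r'^- Examining Rule "(.*)"\.\.\.')
SIG = re.compile(r'^\s*\+\+ Adding the "(.+)" Signature')
EXPECTED = frozenset({"CONFICKER-1", "CONFICKER-2"})  # names seen in the output


def summarize(output):
    """Parse the script output into the rules to inspect in the ISA console."""
    sigs, changed, current, saved = {}, set(), None, False
    for line in output.splitlines():
        rule = RULE.match(line)
        if rule:
            current = rule.group(1)          # keep the name exactly as printed
            sigs[current] = set()
        elif line.strip() == "Saving the changes":
            saved = True
        elif current is not None and line.lstrip().startswith("++"):
            changed.add(current)             # any "++" line means the rule was edited
            sig = SIG.match(line)
            if sig:
                sigs[current].add(sig.group(1))
    return {
        "modified": sorted(changed),
        "untouched": sorted(set(sigs) - changed),
        # Modified rules where the output did not report every expected signature.
        "check_manually": sorted(r for r in changed if not EXPECTED <= sigs[r]),
        "saved": saved,
    }
```

Feed it the redirected output of the cscript run; the rules under "modified" are the ones whose Signatures tab should now list the Conficker entries.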
RE: important How to block new viruses "Conficker-... - 30.Mar.2009 7:43:37 PM   
dspecht

 

Posts: 5
Joined: 30.Mar.2009
Status: offline
Thanks for the info and the speedy response Jason!

(in reply to Jason Jones)
Post #: 7
RE: important How to block new viruses "Conficker-... - 30.Mar.2009 7:52:40 PM   
dspecht

 

Posts: 5
Joined: 30.Mar.2009
Status: offline
When I right click on rules with HTTP, I'm not offered a "Configure HTTP" option. I know this post is under ISA 2004/Policies but I am running ISA 2006. Could that be why I'm not seeing the aforementioned option?

I do see "Configure FTP" when there is an FTP protocol.

(in reply to Jason Jones)
Post #: 8
RE: important How to block new viruses "Conficker-... - 31.Mar.2009 6:18:14 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No, it's probably because you have unbound the Web Proxy Filter from the HTTP protocol for some reason...

Edit the HTTP protocol and look at the bottom of the window...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dspecht)
Post #: 9
RE: important How to block new viruses "Conficker-... - 9.Nov.2009 11:44:25 PM   
srjshiva

 

Posts: 28
Joined: 22.Dec.2008
Status: offline
Hi,

What would be the rollback option in case of any issues?

_____________________________

Regards,
Shiv

(in reply to Jason Jones)
Post #: 10
