Virus’d - The Follow-up

Posted on February 8, 2008 | One Comment

I mentioned a couple days ago that we had a small virus outbreak at the office this week. Thought I got it all cleaned up Wednesday night, but I ended up chasing it a bit more last night as well.

Tip: Turn off the Windows System Restore thingy before chasing viruses. Turns out ours got saved into there. Fortunately, good old Symantec AV spotted and killed it again.

I followed up on my threat and banned all instant messaging clients except for Google Talk. We use the (enterprise) hosted Google Apps for email and calendar and Google Talk logs right into the mailbox which is handy. Our Talk adoption had been a bit sluggish, but now that they offer group chats I’m “forcing” the conversion to happen.

I’m surprised, I was expecting someone to insist that IM’ing with friends and family on the corporate computer is a god given right. In fact, perhaps I was looking forward to the argument! Fortunately, so far I honestly haven’t heard any grumbling. In fact, some folks seemed kind of relieved.

Here’s the wrinkle though: Enforcement of this new anti-most-IM-clients policy.

My office firewall does a great job, but it just doesn’t muster the moxie to take on the kind of filtering I’d need to block the clients on the wire. I suppose I could go the proxy server route but... yuck. I’d really rather not if I can avoid it.

Can’t just do ports since most clients will fall back to good old port 80 (http) if nothing else is open. Can’t block the web!

Instead, I think that I won’t waste time blocking IP addresses, protocols, executables. I’ll just periodically and randomly have a sniff of the network and see if anyone is running IM clients.

I’ve been using ntop on a make-shift Xubuntu machine since July (previous mention) and been quite happy with it. I know that it will, at a minimum, let me know if some of the IMs are in use. It might do more — I just haven’t needed to experiment yet. I figure ntop combined with Wireshark (formerly known as ethereal) should get the job done, right?
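To show why the port-based check fails and what a sniff of the wire can catch instead, here is an added example (not from the post, and not ntop or Wireshark code) that runs a payload-signature check over a few constructed flow records. The opening-byte signatures for Yahoo Messenger, AIM/ICQ (OSCAR) and MSN Messenger are my assumptions about those protocols and should be confirmed against your own captures; Google Talk (XMPP) is deliberately left out of the list because it is the permitted client.

```python
"""Payload-signature check for legacy IM clients, independent of TCP port."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed opening bytes of each client's first message (verify against real
# captures). Ports are ignored on purpose: the clients fall back to 80/443
# when their native port is blocked, so port alone tells you little.
IM_SIGNATURES = {
    "Yahoo Messenger": (b"YMSG",),                       # YMSG header magic
    "AIM/ICQ (OSCAR)": (b"\x2a\x01", b"\x2a\x02"),       # FLAP frame: 0x2A + channel
    "MSN Messenger": (b"VER ", b"USR ", b"CVR "),        # MSNP login commands
}
IM_NATIVE_PORTS = {5050, 5190, 1863}  # Yahoo, OSCAR, MSNP default ports (assumed)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def classify(flow: Flow) -> Optional[str]:
    """Return the IM protocol whose signature opens the payload, else None."""
    for name, prefixes in IM_SIGNATURES.items():
        if any(flow.payload.startswith(p) for p in prefixes):
            return name
    return None


def find_im_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """(src, dst, dport, protocol) for every flow whose payload matches."""
    hits = []
    for f in flows:
        proto = classify(f)
        if proto:
            hits.append((f.src, f.dst, f.dport, proto))
    return hits


def port_only_suspects(flows: List[Flow]) -> List[str]:
    """The weaker port-based check: misses any client that fell back to 80."""
    return [f.src for f in flows if f.dport in IM_NATIVE_PORTS]


# Constructed sample: a plain web request, a Yahoo login forced onto port 80,
# an OSCAR login on its native port, and an allowed Google Talk (XMPP) session.
SAMPLE = [
    Flow("10.0.0.12", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.0.17", "203.0.113.20", 80, b"YMSG\x00\x10\x00\x00\x00\x1a\x00\x57"),
    Flow("10.0.0.23", "203.0.113.30", 5190, b"\x2a\x01\x00\x00\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.0.31", "203.0.113.40", 5222, b"<stream:stream to='gmail.com'>"),
]
```

The port check flags only the OSCAR host, while the payload check also catches the Yahoo session hiding on port 80 and leaves the web request and the Google Talk session alone.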

One wrinkle: That old make-shift Xubuntu machine died last night (CPU fan threw a wobbly — why replace the fan on a P3-500?).

While pondering my options, I came across OPENXTRA and their free network management tools for Windows. Intriguing…

I’m now building a Windows 2000 Server on an oldish Dell 2400 (2.4 Celeron) and then will install the Windows version of ntop and a version of Wireshark (theirs or the “real” one, not sure yet) and see how this works out.

Any other interesting ideas on either enforcing no IM or detecting it? I’m all ears!


Comments

One Response to “Virus’d - The Follow-up”

  1. Pingback: Meebo and Google Talk with Google Apps » Solo Technology, June 24th, 2008 8:01 am
