[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: Quarantine your infected users spreading malware

On Monday 20 February 2006 22:40, Gadi Evron wrote:

> Some who are user/broadband ISP's (not say, tier-1 and tier-2's who
> would be against it: "don't be the Internet's Firewall") are blocking
> ports such as 139 and 445 for a long time now, successfully preventing
> many of their users from becoming infected. This is also an excellent
> first step for responding to relevant outbreaks and halting their
> progress.
>
> Philosophy aside, it works. It stops infections. Period.

Umm.. sorry, but it doesn't. :-)

While blocking ports 139 and 445 does help in reducing the number of 
infections, it doesn't stop them. We have here mostly user-friendly ISP's that 
offer antivirus and antispam protection along with blocking ports (turned on by 
default, and people don't know they can change that), but that just reduced the 
speed of spreading and gave some more protection to users, but people here 
still get infected, despite antivirus and port blocking. 
Antivirus software can't cope with brand new virus/worm/malware until it is 
detected and signature is distributed, so there's always a small chance you 
might get another e-mail that passed the checkpoints. And users are... umm... 
(searches google for polite variations of "idiot") ... gullible - they will 
just click on that "free sex" icon. 

The other part of the problem is that ISP's (in my country, at least) usually 
do not offer such services for their lease-line customers, or they charge them 
pretty penny for such services. Users on leased lines are up to their own 
defences, which in many cases mean they have little to no defences.

-- 
Radoslav Dejanovi?
Operacijski sustavi d.o.o.
http://www.opsus.hr
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/