Security Community Blog

Checking the Temporary Internet Files folder for better security

Created: 06 May 2009 • 13 comments
mon_raralio's picture
+5 5 Votes

Monitoring for viruses coming in from the Internet helps prevent infections, at least at the entry point where a client accesses a malicious website.
My first step is to pull the reports from the SAV or SEP reporter. The report contains information on the infection, in particular the path where the infected file was detected. A path inside the browser cache tells you the file arrived through a web page, but not which page; the next steps establish that.
On Windows XP, Internet files are stored in C:\Documents and Settings\username\Local Settings\Temporary Internet Files (on Windows Vista and 7 the cache lives under C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files).

Take note of the computer name, the username, and the time of infection.

I use Internet Explorer History Viewer to check the sites visited on the remote PC (assuming the user hasn't deleted the history yet) and cross-check them against the time of infection.
The application shows the history as an HTML table, so it is easy to see the sites visited.

I also use Norton Safe Web to get additional details on the website that was visited: https://safeweb.norton.com

Based on that analysis, I can block the specific websites so users cannot access them again. This also includes the addresses of pop-ups.
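The correlation described above, written out as an added example (this is not code from the original post, and the SAV/SEP report columns, the history export columns and every row of sample data are constructed for the example; the column layout of a real reporter export or IEHV save will differ). It keeps only detections whose path lies in the Temporary Internet Files folder, finds the same user's visits in a short window before the detection time, rewrites the local path into the \\computer\c$ form used to reach the remote profile, and collapses the candidate URLs, pop-ups included, into a host list to block:

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

DATE_FMT = "%Y-%m-%d %H:%M:%S"
CACHE_MARKER = "temporary internet files"  # matches both the XP and the Vista/7 cache path

# Constructed sample: a simplified SAV/SEP risk-log export. The column layout is an
# assumption made for this example, not the actual reporter format.
SEP_REPORT = r"""Computer,User,Risk Name,File Path,Event Time
WKS-0142,jdoe,Trojan.Example,C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ad[1].htm,2009-05-06 10:42:15
WKS-0077,asmith,W32.Example,C:\Documents and Settings\asmith\My Documents\setup.exe,2009-05-06 11:05:00
"""

# Constructed sample: an IE history export for WKS-0142, with columns modelled on a
# text/CSV save from IEHV. Every row is invented.
IE_HISTORY = """URL,Title,Hits,Modified Date,User Name
http://intranet.example.local/home,Intranet,12,2009-05-06 08:10:00,jdoe
http://news.example.com/article/1,News,1,2009-05-06 10:39:50,jdoe
http://ads.example.net/pop?id=77,,1,2009-05-06 10:41:58,jdoe
http://mail.example.com/inbox,Mail,5,2009-05-06 14:02:00,jdoe
"""


def parse_sep_report(text):
    """Return only the detections whose file path lies in the IE cache, with parsed timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if CACHE_MARKER not in row["File Path"].lower():
            continue  # not browser-borne; outside the scope of this check
        events.append({
            "computer": row["Computer"],
            "user": row["User"],
            "risk": row["Risk Name"],
            "path": row["File Path"],
            "time": datetime.strptime(row["Event Time"], DATE_FMT),
        })
    return events


def parse_ie_history(text):
    """Return history rows with the 'Modified Date' (last visit time) parsed."""
    visits = []
    for row in csv.DictReader(io.StringIO(text)):
        visits.append({
            "url": row["URL"],
            "user": row["User Name"],
            "time": datetime.strptime(row["Modified Date"], DATE_FMT),
        })
    return visits


def correlate(events, visits, window=timedelta(minutes=5)):
    """For each cache detection, list the same user's visits in the `window` before it.
    The window size is a tuning assumption; widen it if the client and the reporting
    server clocks are not in sync."""
    matches = []
    for ev in events:
        start = ev["time"] - window
        hits = [v for v in visits
                if v["user"] == ev["user"] and start <= v["time"] <= ev["time"]]
        hits.sort(key=lambda v: v["time"], reverse=True)  # most recent first: likeliest source
        matches.append((ev, hits))
    return matches


def hosts_to_block(matches):
    """Collapse the correlated URLs (pop-ups included) to a sorted list of hostnames."""
    hosts = set()
    for _ev, hits in matches:
        for v in hits:
            hosts.add(urlparse(v["url"]).hostname)
    return sorted(hosts)


def admin_share_path(computer, local_path):
    """Rewrite a local path from the report into the \\computer\c$ form used to open the
    remote profile from the admin's workstation."""
    drive, rest = local_path.split(":", 1)
    return r"\\%s\%s$%s" % (computer, drive.lower(), rest)


if __name__ == "__main__":
    events = parse_sep_report(SEP_REPORT)
    matches = correlate(events, parse_ie_history(IE_HISTORY))
    for ev, hits in matches:
        print(ev["computer"], ev["user"], ev["risk"], ev["time"])
        print("  cache file:", admin_share_path(ev["computer"], ev["path"]))
        for v in hits:
            print("  visited", v["time"], v["url"])
    print("block:", hosts_to_block(matches))
```

The host list is only a candidate list: the most recent visit before the detection is the likeliest source, but an ad network that served a pop-up can appear alongside the legitimate page that embedded it, so check each host (for example on Safe Web) before adding it to the block list.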

13 Comments

Paul Mapacpac's picture

Safe Web from Norton is great. But I believe this also depends on users' feedback on the website. I think we should be active on Safe Web too.

+3
Nel Ramos's picture

Better also to get to the root cause of where the user got the virus, using iehv.exe.
We tried it and got the user's IE history, of course only if they had not yet deleted it.

http://www.nirsoft.net/utils/iehv.html

Thanks.

Nel Ramos

+6
riva11's picture

I agree about the nice tool IEHistoryView by NirSoft. Also on this website there are many tools that have helped me a lot in the past.
regards
Paolo

+7
G_70508's picture

Doesn't the way of opening the websites affect the temporary downloaded files?

I mean, if we are opening a site by clicking on a link, then something gets downloaded to the temporary folder...

0
mon_raralio's picture

@G_70508: The history viewer I talked about can see the IE history, including pop-ups and links clicked, assuming that they have been successfully opened. Some files that were also viewed can be seen in this software.

“Your most unhappy customers are your greatest source of learning.”

+3
Nel Ramos's picture

But let's hope that the culprit would not be wise enough to clear their footprints (deleting the history)...
If so, would there be a better tool to use... a deadlier one?
any thoughts team?
thanks. 

Nel Ramos

+3
Paul Mapacpac's picture

Hi G_70508, mon_raralio is referring to the folder c:\Documents and Settings\user\Local Settings\History, which IEHV (history viewer) reads.

+2
Nel Ramos's picture

That is right, but if the user is on another computer in the network, we would be using the path below.

\\computername\c$\Documents and Settings\user\Local Settings\History

Have you used the IP instead of the computer name before, team?
I've always used the computer name...
Maybe I'll try it later...

Thanks.

Nel Ramos

+2
Paul Mapacpac's picture

Hi Nel, it would be the same; you can use the IP with no problems.

0
mon_raralio's picture

There is also a Firefox History Viewer that you could use.

“Your most unhappy customers are your greatest source of learning.”

+1
Sheila Marie's picture

thanks for all the information...

+2
Ghe21's picture

Sometimes experienced users delete their temp files to hide from admins like us...
thanks

+2
mon_raralio's picture

@Ghe21: Thanks for pointing that out. I've taken that into consideration. I'm betting on the fact that experienced users would be more responsible, in the sense that they wouldn't visit sites that they know would compromise the security of the machines they're using, especially if those contain company-sensitive information.
I can still catch them if I work fast enough. That would mean monitoring the alerts almost constantly. And if they're experienced, they'd probably be using other applications to mask their browsing.
You can also disable the option for them to make changes to the settings, if possible. But then, they can also find a way to bypass your policies. Someone taught me that.

“Your most unhappy customers are your greatest source of learning.”

+1