Checking the Temporary Internet Files folder for better security
Monitoring for viruses coming from the Internet really helps in preventing infections, at least at the entry point where a client accesses a malicious website.
My first step would be to get the reports from the SAV or SEP reporter. The file contains information on the infection, particularly the path where the infection was detected.
Internet files would be stored in C:\Documents and Settings\username\Local Settings\Temporary Internet Files
Take note of the computer name, the username, and the time of infection.
I'm using Internet Explorer History Viewer to check the remote PC's visited sites (assuming that the user hasn't yet deleted the history) and cross-checking the sites visited at the time of infection.
The application shows the history in HTML table format, so it's easy to see the sites visited.
I also use Norton Safe Web to get additional details on the website that was visited. https://safeweb.norton.com
Based on that analysis, I can block specific websites to prevent users from accessing them ever again. This also includes pop-up addresses.
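An added example, not part of the original post and not the export format of any tool named here: a short Python script that cross-checks a detection's time against exported history rows, following the steps above. The record fields, CSV column names, host names and the 5-minute window are constructed assumptions.

```python
import csv, io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

FMT = "%Y-%m-%d %H:%M:%S"  # assumes report and history use the same clock and time zone
TIF = r"C:\Documents and Settings\{user}\Local Settings\Temporary Internet Files"

# Constructed detection record: the fields the post says to note from the report.
DETECTION = {"computer": "PC-0042", "user": "jdoe", "time": "2010-03-04 09:42:30",
             "path": TIF.format(user="jdoe") + r"\Content.IE5\AB12CD34\setup[1].exe"}

# Constructed history export; column names are assumptions, not a tool's real format.
HISTORY_CSV = """url,visited,user
http://intranet.example/portal,2010-03-04 09:12:40,jdoe
http://ads.example.net/popup.html,2010-03-04 09:41:07,jdoe
http://files.example.org/codec/setup.exe,2010-03-04 09:41:55,jdoe
http://news.example.com/,2010-03-04 11:05:10,jdoe
http://files.example.org/codec/setup.exe,2010-03-04 09:42:10,asmith
"""

def history_unc(computer, user):
    """Admin-share path to a remote user's History folder (a name or an IP works)."""
    return rf"\\{computer}\c$\Documents and Settings\{user}\Local Settings\History"

def from_browser_cache(detection):
    """True when the detected file sits under that user's Temporary Internet Files."""
    root = TIF.format(user=detection["user"]).lower() + "\\"
    return detection["path"].lower().startswith(root)

def sites_near_detection(history_csv, detection, window_minutes=5):
    """Visits by the same user in the window before the detection, closest first."""
    hit = datetime.strptime(detection["time"], FMT)
    found = []
    for row in csv.DictReader(io.StringIO(history_csv)):
        if row["user"].lower() != detection["user"].lower():
            continue  # another user's browsing on the same machine
        age = hit - datetime.strptime(row["visited"], FMT)
        if timedelta(0) <= age <= timedelta(minutes=window_minutes):
            found.append((int(age.total_seconds()), urlsplit(row["url"]).hostname, row["url"]))
    return sorted(found)

def block_candidates(matches):
    """Unique hostnames to review in a reputation service before blocking."""
    return sorted({host for _, host, _ in matches})

if __name__ == "__main__":
    print(history_unc(DETECTION["computer"], DETECTION["user"]), from_browser_cache(DETECTION))
    for secs, host, url in sites_near_detection(HISTORY_CSV, DETECTION):
        print(f"{secs:>4}s before detection  {host}  {url}")
```

If the reporting server and the client disagree on time, widen the window or normalise both timestamps before comparing.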
13 Comments
Safeweb from Norton is great. But I believe this is also dependent on users' feedback on the website. I think we should be active on Safeweb too.
Better also to get the root cause where the user got the virus using iehv.exe.
We had tried it and had got the user's IE history, of course if they had not yet deleted it.
http://www.nirsoft.net/utils/iehv.html
Thanks.
Nel Ramos
I agree about the nice tool IEHistoryView by Nirsoft. Also on this website there are really many tools that in the past helped me a lot.
Regards
Paolo
Doesn't the way of opening the websites affect the temporary downloaded files....
I mean if we are opening a site by clicking on a link then some gets downloaded in the temporary folder ...
@G_70508: The history viewer I talked about can see the IE history including pop-ups and links clicked - assuming that they have been successfully opened. Some files that were also viewed can be seen in this software.
“Your most unhappy customers are your greatest source of learning.”
But hope that the culprit would not be wise enough to clear its footprints (deleting the history)...
If so, would there be a better tool to use... a deadlier one?
Any thoughts, team?
Thanks.
Nel Ramos
Hi G_70508, mon_raralio is referring to the folder c:\Documents and Settings\user\Local Settings\History which IEHV (history viewer) reads.
That is right but if the user is on another computer in the network, we shall be using this thread below.
\\computername\c$\Documents and Settings\user\Local Settings\History
Had you used the IP instead of the computer name before, team?
Always using the computer name ever since..
Maybe I'll try it later...
Thanks.
Nel Ramos
Hi nel, it would be the same, you can use the IP with no problems.
There is also a Firefox History Viewer that you could use.
Thanks for all the information...
Sometimes experienced users delete their temp files to hide from admins like us..
Thanks
@Ghe21. Thanks for pointing that out. I've taken that into consideration. I'm betting on the fact that experienced users would be more responsible in a sense that they wouldn't visit sites that they know would compromise the security of the machines they're using especially if it contains company sensitive information.
I can still catch them if I worked fast enough. That would mean monitoring the alerts almost always. And if they're experienced, they'd probably be using other applications to mask their browsing.
You can also disable the option for them to make changes to the settings if possible. But then, they can also find a way to bypass your policies. Someone taught me that.