Endpoint Protection


Checking the Temporary Internet Files folder for better security 

May 06, 2009 06:10 PM

Monitoring for viruses coming from the Internet would really help in preventing infections, at least at the entry point where a client accesses a malicious website.
My first step would be to get the reports from the SAV or SEP reporter. The file would contain information on the infection, particularly the path where the infection was detected.
Internet files would be stored in C:\Documents and Settings\username\Local Settings\Temporary Internet Files

Take note of the computer name, the username, and the time of infection.

I'm using Internet Explorer History Viewer to check the remote PC's visited sites (assuming that the user hasn't yet deleted the history) and cross-checking the sites visited at the time of infection.
The application shows the history in HTML table format, so it's easy to see the sites visited.

I also use Norton Safe Web to get additional details on the website that was visited. https://safeweb.norton.com

Based on that analysis, I can block specific websites to prevent users from accessing them ever again. This also includes pop-up addresses.
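
The cross-check described above, as an added example that is not part of the original post: it takes the username from the detection path and lists the sites that user visited on that computer shortly before the detection. The record fields, CSV column names, hosts and timestamps are constructed for illustration and are not the export format of SAV/SEP or IEHistoryView; both sources are assumed to use the same time zone.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed detection record (assumed fields), as noted from the AV report.
DETECTION = {
    "computer": "PC-0142",
    "time": "2009-05-06 14:32:10",
    "path": r"C:\Documents and Settings\jdoe\Local Settings"
            r"\Temporary Internet Files\Content.IE5\AB12CD34\setup[1].exe",
}

# Constructed history export; the column names are an assumption.
HISTORY_CSV = """computer,user,url,visited
PC-0142,jdoe,http://intranet.example.test/home,2009-05-06 14:05:00
PC-0142,jdoe,http://news.example.test/story,2009-05-06 14:25:41
PC-0142,jdoe,http://downloads.example.test/free-codec,2009-05-06 14:31:58
PC-0142,asmith,http://mail.example.test/,2009-05-06 14:30:00
PC-0142,jdoe,http://search.example.test/?q=codec,2009-05-06 14:40:00
PC-0200,jdoe,http://other.example.test/,2009-05-06 14:31:00
"""
HISTORY = list(csv.DictReader(io.StringIO(HISTORY_CSV)))

TIF_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\Local Settings"
                    r"\\Temporary Internet Files\\", re.IGNORECASE)

def user_from_path(path):
    """Return the profile name if the file sat in Temporary Internet Files."""
    m = TIF_RE.search(path)
    return m.group(1).lower() if m else None

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def candidate_sites(detection, history, window_minutes=10):
    """URLs the same user visited on the same PC just before the detection."""
    user = user_from_path(detection["path"])
    if user is None:  # not a browser-cache detection, nothing to correlate
        return []
    end = parse_time(detection["time"])
    start = end - timedelta(minutes=window_minutes)
    hits = [(parse_time(r["visited"]), r["url"]) for r in history
            if r["computer"].lower() == detection["computer"].lower()
            and r["user"].lower() == user
            and start <= parse_time(r["visited"]) <= end]
    return [url for _, url in sorted(hits, reverse=True)]  # most recent first

if __name__ == "__main__":
    for url in candidate_sites(DETECTION, HISTORY):
        print(url)
```

The most recent visit before the detection is listed first; those are the addresses to look up on Norton Safe Web before deciding what to block.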


Comments

Jun 14, 2009 11:29 AM

@Ghe21. Thanks for pointing that out. I've taken that into consideration. I'm betting on the fact that experienced users would be more responsible, in the sense that they wouldn't visit sites that they know would compromise the security of the machines they're using, especially if they contain company-sensitive information.
I can still catch them if I worked fast enough. That would mean monitoring the alerts almost always. And if they're experienced, they'd probably be using other applications to mask their browsing.
You can also disable the option for them to make changes to the settings if possible. But then, they can also find a way to bypass your policies. Someone taught me that.

Jun 12, 2009 11:45 PM

Sometimes experienced users delete their temp files to hide from admins like us.
Thanks.

Jun 06, 2009 06:39 AM

Thanks for all the information...

May 08, 2009 12:40 PM

There is also a Firefox History Viewer that you could use.

May 07, 2009 10:22 PM

Hi nel, it would be the same, you can use the IP with no problems.

May 07, 2009 10:20 PM

That is right, but if the user is on another computer in the network, we shall be using this thread below.

\\computername\c$\Documents and Settings\user\Local Settings\History

Have you used the IP instead of the computer name before, team?
I've always been using the computer name ever since.
Maybe I'll try it later...

Thanks.

May 07, 2009 10:00 PM

Hi G_70508, mon_raralio is referring to the folder c:\Documents and Settings\user\Local Settings\History, which IEHV (history viewer) reads.

May 07, 2009 09:11 PM

But I hope that the culprit would not be wise enough to clear their footprints (deleting the history)...
If so, would there be a better tool to use... a deadlier one?
Any thoughts, team?
Thanks.

May 07, 2009 12:34 PM

I agree about the nice tool IEHistoryView by Nirsoft. Also, on this website there are really many tools that in the past helped me a lot.
Regards,
Paolo

May 07, 2009 11:01 AM

@G_70508: The history viewer I talked about can see the IE history, including pop-ups and links clicked, assuming that they have been successfully opened. Some files that were also viewed can be seen in this software.

May 07, 2009 07:26 AM

Doesn't the way of opening the websites affect the temporary downloaded files...

I mean, if we are opening a site by clicking on a link, then some get downloaded in the temporary folder...

May 07, 2009 04:52 AM

It is also better to get the root cause of where the user got the virus using iehv.exe.
We tried it and got the user's IE history, of course only if they had not yet deleted it.

http://www.nirsoft.net/utils/iehv.html

Thanks.

May 06, 2009 09:40 PM

Safeweb from Norton is great. But I believe this is also dependent on users' feedback on the website. I think we should be active on Safeweb too.
