Hi All,

You want your network secure so have to folow the following points.

• File system protection
Consider how your network resources should be protected. All file servers should have an antivirus solution that actively scans the file system in real time so that, as files are modified or added, the antivirus application can quarantine or repair the affected files before they spread to client systems or other servers. The server should also be protected at the file system level in other ways. For example, all Windows servers should use NTFS, since FAT offers essentially no security. You should also eliminate unnecessary shares, require share permissions for all shares, and use hidden shares where possible to further protect the server from worms that propagate through unprotected shares.

• Don't open an attached file if you do not know what it is, who sent it to you, or you were not expecting it (even if it is from somebody that you know.)...

In the past, we see threats modify Windows host file to redirect AV vendor websites to 127.0.0.1 loopback address.
Some security software also injects known bad URLs into the same host file with 127.0.0.1 loopback address.

Well nowadays the bad guys are getting smart and does more advanced stuff than host file modification.

In few recent malwares [ie. Conficker aka Downadup], we see that infected machines are unable to access AV vendor sites although the host file is empty.
And ping to av website yield a 127.0.0.1 address resolution.

Well now there are a few tricks we can do to evade this issue.

Its an old trick by removing DNS cache on our machine and check it everytime required to the DNS server.
Microsoft has a KB for this as written in support.microsoft.com/kb/318803 .
It is as simple as typing : 'net stop dnscache' or 'sc servername stop dnscache' [...

I was facing another issue - being a gov't agency, we run at short staff all the time. The boss wants central management of everything, but that still takes people to manage it.
One of the things deemed most critical is the antivirus protection on our clients. Yes, there are audits one can perform, be it by SMS (but it has to know what to look for) or by Symantec's own products, but that takes people to RUN the audit, then filter through and understand what one is seeing. And if you have 45 different subnets, then searching computers via subnet is painstaking. There's the old "get a list from xxx and search from that list" trick, but computers constantly change, they must be turned on to successfully audit, and what if they are off at that very moment of your audit? Some were always falling through the cracks.
There is only one constant - any time a person here logs in, they run our login script. Period. I've found not exceptions (hope not, I set it up that...

Conficker; there has probably never been a virus or worms with so much written about it.  And now that’s it’s April 1st and the world has not come to an end, many people are no doubt questioning whether Conficker was a bust and nothing we didn’t needed to worry about, if the threat itself was over hyped, and it all the electronic ink spilled about this threat was worth it.  I’ll give you my opinion, but first a status update of Conficker.

April 1st has come and as predicted machines infected with Downadup.C have switched to the new communication algorithm.  But when these infected machines are able to communicate back to a Command & Control server they are not getting updated with a malicious code payload.  In other words, no large or small, malicious attack has been unleashed by Conficker.

So is Conficker a bust for the bad guys?  No.  One thing we can tell about this worm is that whoever...