Endpoint Protection


Stay Abreast


  • 1.  Stay Abreast

    Posted Apr 21, 2009 04:15 PM
    Just to keep everyone up to date, today's topics on full-disclosure include a Conficker scanner for the network.

    Reference: http://security.bkis.vn/?p=560

    It's developed by BKIS, the same group that found the vulnerability in Chrome some time back, amongst others.






  • 2.  RE: Stay Abreast

    Posted Apr 21, 2009 04:34 PM

    Thanks Sandeep, after spreading Downadup to the whole world this could be very helpful for all.



  • 3.  RE: Stay Abreast

    Posted Apr 21, 2009 05:45 PM
    We get scared of downloading any software from the internet, especially on the corporate network. Though Sandeep's name tag suggests he is a Trusted Advisor. However, my point is not referring to his suggestion. I need a best practice in general.

    Can someone suggest, how?



  • 4.  RE: Stay Abreast

    Posted Apr 21, 2009 11:54 PM
    Hi,

    Good one Sandeep, but "eEye Retina" also publishes such tools wherein you can detect which machines are infected and which machines have the MS08-067 vulnerability.

    Rgrds,
    SAM


  • 5.  RE: Stay Abreast

    Posted Apr 22, 2009 01:45 AM
    Yeah, there are ways with Nmap as well to remotely detect the Conficker worm:
    http://insecure.org/#conficker



  • 6.  RE: Stay Abreast

    Posted Apr 22, 2009 01:48 AM
    Hi Sandeep, this is really a good one, very helpful...


  • 7.  RE: Stay Abreast

    Posted Apr 22, 2009 02:51 AM
    I guess this should be the best one.

    This is an MS KB on the removal process/best practice for W32.Downadup.B

    http://support.microsoft.com/kb/962007



    Enabling debug logging for the Net Logon service

    http://support.microsoft.com/kb/109626



    MS Account Lockout Tools

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en



    MS08-067 patch download [KB 958644]

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx



    Disable Auto play with GPO

    http://support.microsoft.com/kb/953252



    Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208



    Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549


    Once you have enabled debug logging for the Netlogon service you will be able to see which clients are attacking.
    Once the source is found it can be remediated and cleaned.

    By disabling the Scheduled Task service
    we can stop Downadup from spreading, as it created scheduled jobs and spread across the network.

    Disable autoplay
    That is the most important for every worm.
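    An added example of the triage step described in this post (not code from anyone in this thread or from the linked KB articles): once Netlogon debug logging is on, pick out of netlogon.log the clients that are failing logons against many different accounts, which is how an infected host guessing passwords shows up on the domain controller. The log lines, domain, hostnames and accounts below are constructed, and the line shape is assumed to follow the "SamLogon: ... logon of DOMAIN\user from CLIENT Returns STATUS" form.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of a Netlogon debug log (netlogon.log)
# on a domain controller. Domain, hostnames, accounts and times are made up.
SAMPLE_LOG = """\
04/21 16:01:02 [LOGON] CORP: SamLogon: Network logon of CORP\\alice from WKS-ALICE Returns 0x0
04/21 16:01:05 [LOGON] CORP: SamLogon: Network logon of CORP\\bob from WKS-0042 Returns 0xC000006A
04/21 16:01:05 [LOGON] CORP: SamLogon: Network logon of CORP\\carol from WKS-0042 Returns 0xC000006A
04/21 16:01:06 [LOGON] CORP: SamLogon: Network logon of CORP\\dave from WKS-0042 Returns 0xC000006A
04/21 16:01:06 [LOGON] CORP: SamLogon: Network logon of CORP\\erin from WKS-0042 Returns 0xC0000234
04/21 16:01:09 [LOGON] CORP: SamLogon: Network logon of CORP\\bob from WKS-BOB Returns 0xC000006A
04/21 16:02:00 [LOGON] CORP: SamLogon: Network logon of CORP\\frank from WKS-0042 Returns 0xC000006D
"""

# NTSTATUS codes that mean the logon attempt failed (wrong password,
# generic logon failure, account already locked out).
FAILURE_CODES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Assumed line shape: "... logon of <DOMAIN\user> from <client> Returns <status>".
LINE_RE = re.compile(
    r"logon of (?P<account>\S+) from (?P<client>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)"
)


def failed_logons_by_client(log_text, min_accounts=3):
    """Group failed logons by source client and keep the clients that tried
    at least `min_accounts` distinct accounts: the spray pattern of a host
    guessing passwords against the domain. Returns
    {client: {"failures": n, "accounts": [sorted account names]}}."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("status"), 16) not in FAILURE_CODES:
            continue  # no match, or a successful logon (e.g. 0x0)
        failures[m.group("client")] += 1
        accounts[m.group("client")].add(m.group("account"))
    return {
        c: {"failures": failures[c], "accounts": sorted(accounts[c])}
        for c in failures
        if len(accounts[c]) >= min_accounts
    }


if __name__ == "__main__":
    for client, info in failed_logons_by_client(SAMPLE_LOG).items():
        print(f"{client}: {info['failures']} failed logons across "
              f"{len(info['accounts'])} accounts -> isolate and clean first")
```

A single user mistyping a password (WKS-BOB above) stays below the threshold; the host failing against five accounts in a minute (WKS-0042) is the one to pull off the network and clean.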


  • 8.  RE: Stay Abreast

    Posted Apr 22, 2009 03:02 AM
    Good one Sandeep


  • 9.  RE: Stay Abreast

    Posted May 04, 2009 10:42 PM
    How to disable Auto Play?


  • 10.  RE: Stay Abreast

    Posted May 04, 2009 11:44 PM
    Hi Tejas, please check SAV to SEP's post.


  • 11.  RE: Stay Abreast

    Posted May 05, 2009 04:11 AM
    Nice one Sandeep.

    @SAV to SEP: Great references.
    Disabling autoplay really did it.
    Thanks.


  • 12.  RE: Stay Abreast

    Posted May 05, 2009 08:34 AM
    I used GPO to disable autoplay and used SEP to block access to any autoplay.inf file. Nothing at all can possibly start automatically around here. Of course the most important thing is the MS patches!
    Doesn't help much to have a guard dog if you leave all the windows and doors on a 3 story house wide open at night.


  • 13.  RE: Stay Abreast

    Posted May 07, 2009 12:13 AM
    @ShadowsPapa: Definitely agree with you on that.
    By the way, is there a method to disable USB devices without disabling the USB keyboard and mouse?
    I made a test environment and USB was successfully blocked on the specific client.
    The problem is the mouse was also disabled.
    Thanks.


  • 14.  RE: Stay Abreast



  • 15.  RE: Stay Abreast

    Posted May 07, 2009 09:38 PM
    @Sandeep Cheema: Nice... Now I have something to play in the test area... you are a life saver friend... thanks!