Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: IRC bots...

  • From: Florian Weimer
  • Date: Sun Mar 20 16:26:18 2005

* Martin Hannigan:

> Who's got time for all that? Chase the controller, shut down
> the user until they buy some AV software.

That should read "AV software from at least three vendors, with direct
contacts to research staff of at least one of them", or something like
that.  While it's very likely that there is at least one vendor which
ships signatures that already recognize the malware you are
experiencing, it's far less likely that the single scanner/signature
combination you've chosen for desktop installation catches it.

Standard, out-of-the-box AV software (with signature updates, of
course) is no longer an option for fixing infected machines, at least
not without qualified support and independent verification of the
results.  It's long been said that you shouldn't rely on AV software
for recovering from infections (and curiously enough, this was never
the way people dealt with UNIX break-ins).  We are now at a point where
the automated tools actually fail, and not just for some philosophical
reason (e.g. the bot has got a download component and you just can't
know what further malware has been downloaded).

(And there's the problem that the users can't get online updates
without the Internet connection you've taken away, and AV vendors do
not permit mirrors of signature definitions on your network.)
