ISP network registration virus scan
The university netreg lists has a frequently asked question if it's possible to perform a virus scan of new computers as part of the network registration process. So far, people have only been able to do a network scan (e.g. open ports), or some version of proxy check or nessus. But none of those actually tell you if there is a worm or trojan.

I was wondering if anyone (or vendor) has come up with a web application which ISPs could use to check if new customers are already infected with a network worm or trojan (not a full disk scan) as part of the registration process. It seems like several of the anti-virus vendors have the parts and pieces, but none of them seem to offer such a product for ISPs.

I would think an ActiveX application could check for the top 20 or so network trojans or worms (less than 1 minute to do the checks), and report the results back to the ISP (or university) network registration web site. Between universities (with new students) and ISPs (with new customers) there would seem to be a new market for such a product. But so far I haven't found an AV vendor that has put it together.
Sean Donelan wrote:
> The university netreg lists has a frequently asked question if it's possible to perform a virus scan of new computers as part of the network registration process. So far, people have only been able to do a network scan (e.g. open ports), or some version of proxy check or nessus.

The University of Florida has implemented something like this. Apparently, they have a client-side app that detects malware...and P2P apps. Interesting concept but it's understandably not being received well.

http://yro.slashdot.org/yro/03/10/03/1643202.shtml

apl
On Fri, 3 Oct 2003, Alex Lambert wrote:
> > The university netreg lists has a frequently asked question if it's possible to perform a virus scan of new computers as part of the network registration process. So far, people have only been able to do a network scan (e.g. open ports), or some version of proxy check or nessus.
>
> The University of Florida has implemented something like this. Apparently, they have a client-side app that detects malware...and P2P apps. Interesting concept but it's understandably not being received well.

That's just a normal network traffic flow monitor, it doesn't actually check the user's computer.

The issue is how to check the computer is "fixed" after the user claims it's fixed. Or do you just keep repeating the cycle of user claims the computer is fixed, enable the port, computer attacks other stuff, disable the port, user claims it's fixed, repeat.
For most virus type stuff I find an ACL on their nearest interface to both deny and log their traffic patterns is helpful. I'm not sure how feasible that would be on a larger network. I've only got about 10k users so the above is not yet unreasonable.

On Fri, 3 Oct 2003, Sean Donelan wrote:
> Date: Fri, 3 Oct 2003 20:57:20 -0400 (EDT)
> From: Sean Donelan <sean@donelan.com>
> To: Alex Lambert <alambert@quickfire.org>
> Cc: nanog@merit.edu
> Subject: Re: ISP network registration virus scan
>
> On Fri, 3 Oct 2003, Alex Lambert wrote:
> > > The university netreg lists has a frequently asked question if it's possible to perform a virus scan of new computers as part of the network registration process. So far, people have only been able to do a network scan (e.g. open ports), or some version of proxy check or nessus.
> >
> > The University of Florida has implemented something like this. Apparently, they have a client-side app that detects malware...and P2P apps. Interesting concept but it's understandably not being received well.
>
> That's just a normal network traffic flow monitor, it doesn't actually check the user's computer.
>
> The issue is how to check the computer is "fixed" after the user claims it's fixed. Or do you just keep repeating the cycle of user claims the computer is fixed, enable the port, computer attacks other stuff, disable the port, user claims it's fixed, repeat.
Ryan Dobrynski
Hat-Swapping Gnome
Choice Communications

Like the ski resort of girls looking for husbands and husbands looking for girls, the situation is not as symmetrical as it might seem.
: or some version of proxy check or nessus.

I am still not having any luck with Nessus and the MS virus plug-in. I have been scanning my users (20K) and not finding any viruses. No way! This is after I removed ACLs throughout the network. Gotta read some more on this, this weekend.

I would love to have this functionality, the user Radius info is in SQL so it would be easy to script a check to run whenever and send an e-mail to the support desk (and user) to contact them.

James Edwards
Routing and Security Administrator
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
505-988-9200 or Toll Free: 888-988-2700
SIP:1(747)669-1965
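
The deny-and-log ACL and the RADIUS-data-in-SQL script mentioned in the thread can be tied together; the sketch below is an added example, not code from any poster. It assumes Cisco-style ACL deny lines with an ISO timestamp prepended by a syslog collector and a hypothetical `radacct` table; all sample data is constructed.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample: Cisco-style ACL deny lines, ISO timestamp prepended by
# an assumed syslog collector. Addresses are private/documentation ranges.
SAMPLE_LOG = """\
2003-10-03T20:01:10 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.5.23(3124) -> 192.0.2.10(135), 1 packet
2003-10-03T20:01:11 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.5.23(3125) -> 192.0.2.11(135), 1 packet
2003-10-03T20:01:12 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.5.23(3126) -> 192.0.2.12(135), 1 packet
2003-10-03T20:02:40 %SEC-6-IPACCESSLOGP: list 110 denied udp 10.0.7.9(1026) -> 198.51.100.4(53), 1 packet
"""

DENY = re.compile(r"^(\S+) %SEC-6-IPACCESSLOGP: list \S+ denied \w+ "
                  r"(\d+\.\d+\.\d+\.\d+)\(\d+\) -> (\d+\.\d+\.\d+\.\d+)\(\d+\)")

def noisy_sources(log_text, min_targets=3):
    """Map src_ip -> first deny timestamp for sources denied toward >= min_targets hosts."""
    targets, first_seen = defaultdict(set), {}
    for line in log_text.splitlines():
        m = DENY.match(line)
        if m:
            ts, src, dst = m.groups()
            targets[src].add(dst)
            first_seen.setdefault(src, ts)
    return {s: first_seen[s] for s, d in targets.items() if len(d) >= min_targets}

def user_at(conn, ip, ts):
    """Who held this address at that time? Dynamic pools reuse IPs, so match on the session window."""
    row = conn.execute(
        "SELECT username FROM radacct WHERE framedipaddress = ? AND acctstarttime <= ? "
        "AND (acctstoptime IS NULL OR acctstoptime >= ?) "
        "ORDER BY acctstarttime DESC LIMIT 1", (ip, ts, ts)).fetchone()
    return row[0] if row else None

def sample_db():
    """In-memory stand-in for the RADIUS accounting table (hypothetical schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, framedipaddress TEXT, "
                 "acctstarttime TEXT, acctstoptime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?)", [
        ("alice", "10.0.5.23", "2003-10-03T17:00:00", "2003-10-03T19:00:00"),
        ("bob", "10.0.5.23", "2003-10-03T19:30:00", None),
        ("carol", "10.0.7.9", "2003-10-03T18:00:00", None),
    ])
    return conn

def users_to_contact(log_text, conn, min_targets=3):
    hits = noisy_sources(log_text, min_targets)
    return {ip: user_at(conn, ip, ts) for ip, ts in hits.items()}
```

With the sample data, the address 10.0.5.23 resolves to the subscriber who held it when the denies were logged, not the earlier session on the same address.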