[88983] in North American Network Operators' Group


Re: Quarantine your infected users spreading malware

daemon@ATHENA.MIT.EDU (Jim Segrave)
Tue Feb 28 04:29:41 2006

Date: Tue, 28 Feb 2006 10:29:12 +0100
From: Jim Segrave <jes@nl.demon.net>
To: Michael Loftis <mloftis@wgops.com>
Cc: nanog@merit.edu
Reply-To: jes@nl.demon.net
Mail-Followup-To: Jim Segrave <jes@nl.demon.net>,
	Michael Loftis <mloftis@wgops.com>, nanog@merit.edu
In-Reply-To: <C0CAC90CB36185E5C5D86C20@ZOP-G4>
Errors-To: owner-nanog@merit.edu


On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:
> 
> 
> 
> --On February 23, 2006 8:02:31 AM -0600 Jack Bates <jbates@brightok.net> 
> wrote:
> 
> >We allowed users back online to run Housecall at trendmicro for free so
> >they could get cleaned up and save some money. However, the resuspend
> >rate was so high, we quickly changed to offline cleanup only. It will
> >remain until we perfect our auto defense system.
> >
> >Customers just want things to work. They don't care if they are infected.
> >It's amazing how many customers swear they aren't scanning or sending
> >email, and refuse to understand that their computer is capable of doing
> >things without them knowing.
> 
> 
> What doesn't help is the ISPs out there who are complete dolts and first 
> don't verify reports and second false alarm.  They'll cut a user off on a 
> single complaint without any evidence or verification.  Or worse they have 
> some automated system that false alarms without any way to verify you're 
> cleaned up.  And if you can't get online you can't get cleaned up anyway. 
> Catch 22.  

www.quarantainenet.nl

It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.


-- 
Jim Segrave           jes@nl.demon.net
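The scheme Jim describes above, as a toy model added here (not quarantainenet's code): a customer host is moved to quarantine only after repeated contact with honeypot addresses that no legitimate client has reason to touch, and once quarantined it may reach only the update sites and the ISP's own mail services. All addresses, hostnames and flow records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample values (documentation ranges), not real infrastructure.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Unused addresses inside the customer range that act as honeypots: no
# legitimate client has a reason to contact them, so hits are high-signal.
HONEYPOTS = {ipaddress.ip_address(a) for a in ("192.0.2.250", "192.0.2.251")}
THRESHOLD = 3  # honeypot contacts before a host is moved to quarantine

# What a quarantined host may still reach: update sites and ISP mail.
UPDATE_SITES = {"update.example-av.test", "windowsupdate.example.test"}
ISP_SERVICES = {("pop.example-isp.test", 110), ("webmail.example-isp.test", 443)}

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.250", 445),   # worm-style sweep of the local /24
    ("192.0.2.10", "192.0.2.251", 445),
    ("192.0.2.10", "192.0.2.250", 139),
    ("192.0.2.10", "192.0.2.251", 139),
    ("192.0.2.20", "192.0.2.250", 80),    # single stray hit: below threshold
    ("192.0.2.30", "198.51.100.5", 443),  # ordinary browsing, no honeypot
    ("198.51.100.9", "192.0.2.250", 22),  # external source: not our customer
]


def honeypot_hits(flows):
    """Count flows from each internal host to a honeypot address."""
    hits = Counter()
    for src, dst, _port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in INTERNAL_NET and d in HONEYPOTS:
            hits[str(s)] += 1
    return hits


def hosts_to_quarantine(flows, threshold=THRESHOLD):
    """Hosts whose honeypot contacts reach the threshold (sorted for stable output)."""
    return sorted(h for h, n in honeypot_hits(flows).items() if n >= threshold)


def quarantine_permits(dst_host, dst_port):
    """Walled-garden policy for a quarantined host: update sites over HTTP/HTTPS
    and the ISP's own mail services; everything else is denied."""
    if (dst_host, dst_port) in ISP_SERVICES:
        return True
    return dst_host in UPDATE_SITES and dst_port in (80, 443)


if __name__ == "__main__":
    print("quarantine:", hosts_to_quarantine(SAMPLE_FLOWS))  # ['192.0.2.10']
```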
