Syncio Blog - Malware
little tiny electrons
 
 Wednesday, June 18, 2008

Using the FPCCacheContents object, I was able to force-cache any file I wanted for any duration I wanted.

1.  I downloaded the Cain&Abel executable from source #1 and Kaspersky blocked it.  I verified with Wireshark that the traffic was coming from source #1.
2.  I force-cached the Cain&Abel executable from source #2 to avoid IE caching or anything else that might invalidate this test.  The item now exists in the ISA cache.
3.  I downloaded the Cain&Abel executable from source #2 again.  I verified with Wireshark that the traffic was indeed coming from the ISA cache.
I turned the KAV log level up to Debug and verified that the Cain&Abel executable had not been flagged the first time it was downloaded.  Kaspersky blocked Cain&Abel when it was served from the ISA cache.
 
Conclusion:

  • The Kaspersky HTTP engine inspects both cache-served and routed requests.
  • Anything can be forced into the ISA cache.

See the ISA Monitor Utility for cache control.  http://sync-io.net/IsaTools.aspx

Wednesday, June 18, 2008 7:15:11 PM (GMT Standard Time, UTC+00:00) | ISA | Malware
 Wednesday, April 23, 2008

I recently came across MalwareDomains.com.  They provide a list of domain names that have been associated with malware.  The list contains over 21000 valid entries and I have decided to integrate it with ISA 2006 since it's rare to find such a free resource that is actually kept up to date.

The import tool is available here: http://sync-io.net/IsaTools.aspx

The tool imports the domain.txt file into ISA as a URL or DNS set.  You then create a deny access rule that references the set, and you are done.  The utility can run as a scheduled task so the set stays current.
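As an added example (not the author's import tool), here is a small Python pre-processing step for such a list before it is loaded into an ISA set. It assumes a simple text format (one domain per line, `#` comment lines, optional tab-separated annotations, which is an assumption rather than the real MalwareDomains.com layout), validates each entry syntactically, drops duplicates, and collapses subdomains under an already-listed parent into wildcard entries, assuming the `*.example.com` wildcard syntax of ISA domain name sets.

```python
import re
from typing import Iterable, List

# Constructed sample list (not real indicators), in the assumed format:
# '#' comment lines, one domain per line, optional tab-separated annotations.
SAMPLE_LIST = """\
## constructed sample, not real indicators
bad.example.com\tphishing\t2008-04-22
Evil.EXAMPLE.org
sub.bad.example.com\ttrojan
bad.example.com
not a domain!
localhost
example.net
"""

# A legal DNS label (after lower-casing): 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_valid_domain(name: str) -> bool:
    """Syntactic check on a lower-cased name: at least two labels,
    every label legal, whole name at most 253 characters."""
    if len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)

def parse_domains(text: str) -> List[str]:
    """Return normalized (trimmed, lower-cased, no trailing dot) domains,
    skipping blank lines, comments, annotations and malformed entries."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split("\t")[0].strip().lower().rstrip(".")
        if is_valid_domain(name):
            found.append(name)
    return found

def to_domain_set(domains: Iterable[str]) -> List[str]:
    """Deduplicate, drop any subdomain whose parent is already listed, and
    emit each surviving parent twice: the bare name and an assumed ISA-style
    '*.parent' wildcard so the whole subtree is covered by the deny rule."""
    by_depth = sorted(set(domains), key=lambda d: (d.count("."), d))
    kept: List[str] = []
    for d in by_depth:
        if any(d == k or d.endswith("." + k) for k in kept):
            continue  # parent already present, subdomain is redundant
        kept.append(d)
    return sorted(e for d in kept for e in (d, "*." + d))
```

Running `to_domain_set(parse_domains(SAMPLE_LIST))` yields six entries: the three surviving parents with their wildcards, while the malformed line, the single-label `localhost`, the duplicate and the redundant subdomain are all dropped.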

Wednesday, April 23, 2008 1:09:16 AM (GMT Standard Time, UTC+00:00) | Malware | VB.NET | ISA
 Thursday, March 20, 2008

Every software company seems to be coming out with the next best way to protect your computer from malware, including viruses.  What happened to educating users about the risks of executing downloaded content and about how malware is distributed?

I have included on Syncio's web site a guide to malware identification.  This article is aimed at the more knowledgeable user who wishes to identify the infection prior to removing it.

http://sync-io.net/Community/Rainbow/MalwareIdentity.mht

A great resource for computing and networking concepts can be found at about.com.

http://compnetworking.about.com/od/basicnetworkingconcepts/

http://www.about.com/compute/

NSA has developed guides to securing your operating system.

http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.

 

In an upcoming blog I will describe the practical ways of recognizing malware before it infects your computer...

Thursday, March 20, 2008 5:58:14 PM (GMT Standard Time, UTC+00:00) | Malware
Copyright © 2009 Chris Misztur. All rights reserved.