NetIntercept® Case Studies
Finding Infected Machines with NetIntercept
Virus Tracking
When the NIMDA virus struck in September 2001, many system administrators were
caught flat-footed. Sprawling installations, including undocumented systems
and unauthorized software, made it difficult to nail down exactly
where the virus first invaded the organization, or which machines
were spreading it. By the time administrators became aware of
it, it was already pervasively established. NIMDA was mailing
itself, opening network file shares, and sending HTTP requests to web
servers that tried to reach cmd.exe.
As any systems administrator
can tell you, it's always the last ten percent of infected machines that
are the hardest to find. The laptop that is only hooked up to the network
when it is in the office or the machine that is turned off when you run the
network virus scanner can make eliminating a virus difficult. Virus eradication
is an all-or-nothing proposition -- either you get it all or it comes back.
So How Did NetIntercept Help Catch NIMDA?
The systems administrator did not become aware of the infection until
Monday, so it had the entire weekend to spread through the organization.
Information security web sites taught him that one of NIMDA's signature
behaviors was its attempts to connect with cmd.exe.
Using the NetIntercept machine set to monitor the internal network,
the systems administrator scanned the last week of captured traffic for
all HTTP requests involving that filename. NetIntercept identified the infected
machines, including a laptop that had not been in the office since the
previous Wednesday. Total time to identify the problem systems: 45 minutes.
As a final touch for community service, the sysadmin also ran the same search
on the NetIntercept machine that collected data on the network outside the
firewall, and sent mail to a few high-visibility web sites that were still
spreading the virus from their servers.
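The search described above, as an added example that is not part of the original case study and not NetIntercept's own code: a small Python script that reads exported HTTP request records (a constructed sample is embedded; the record layout of timestamp, client IP, server IP and request line is an assumption, not NetIntercept's export format), percent-decodes each request path so encoded forms of the name are not missed, and reports every client that asked a server for cmd.exe, with first and last time seen. The last-seen column is what flags the laptop that has been off the network for days.

```python
"""Find clients that sent HTTP requests for cmd.exe in a set of captured request records."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample records (not real capture data):
# "<ISO timestamp> <client IP> <server IP> <method> <target> HTTP/x.y"
SAMPLE_RECORDS = """\
2001-09-19T14:02:11 10.1.4.22 10.1.0.5 GET /index.html HTTP/1.0
2001-09-19T14:02:14 10.1.4.22 10.1.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
2001-09-19T16:40:02 10.1.7.91 10.1.0.5 GET /_vti_bin/..%c0%af..%c0%af../winnt/system32/CMD.EXE?/c+dir HTTP/1.0
2001-09-21T09:15:44 10.1.9.3 10.1.0.5 GET /images/logo.gif HTTP/1.0
2001-09-22T03:11:08 10.1.4.22 10.1.0.9 GET /scripts/..%255c../winnt/system32/c%6dd.exe?/c+dir HTTP/1.0
2001-09-24T08:30:59 10.1.9.3 10.1.0.5 GET /docs/cmd.exe.pdf HTTP/1.0
"""

RECORD_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) HTTP/\d\.\d$")
TARGET_NAME = "cmd.exe"


def decode_path(path, rounds=2):
    """Percent-decode repeatedly (default two rounds) so a double-encoded
    path such as ..%255c.. is seen the way the server would see it."""
    for _ in range(rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path


def requested_filename(target):
    """Return the decoded, lower-cased final path component of a request target."""
    path = target.split("?", 1)[0]          # drop the query string first
    path = decode_path(path)
    return re.split(r"[\\/]", path)[-1].lower()   # split on / and \


def parse_record(line):
    """Parse one record line; return (timestamp, client, server, target) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ts, client, server, _method, target = m.groups()
    return datetime.fromisoformat(ts), client, server, target


def find_cmd_exe_requesters(text):
    """Return {client_ip: {"first": dt, "last": dt, "count": n, "servers": set}}
    for every client whose decoded request filename is exactly cmd.exe."""
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0, "servers": set()})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, client, server, target = rec
        if requested_filename(target) != TARGET_NAME:
            continue
        h = hits[client]
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["count"] += 1
        h["servers"].add(server)
    return dict(hits)


def report(hits):
    """Render the findings as text lines, oldest last-seen first."""
    lines = []
    for client, h in sorted(hits.items(), key=lambda kv: kv[1]["last"]):
        lines.append("%-12s requests=%d first=%s last=%s servers=%s" % (
            client, h["count"], h["first"].isoformat(), h["last"].isoformat(),
            ",".join(sorted(h["servers"]))))
    return lines


if __name__ == "__main__":
    for line in report(find_cmd_exe_requesters(SAMPLE_RECORDS)):
        print(line)
```

Matching the decoded final path component exactly, rather than searching for the substring, is what keeps the benign /docs/cmd.exe.pdf request out of the results while still catching the case-varied and percent-encoded forms.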
Download the
demo and discover: The Truth is on the Wire.