From: Pat Lashley
To: "Eric W. Bates", Julian Elischer
Date: Tue, 14 Sep 2004 23:55:11 -0700
cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
List-Id: Networking and TCP/IP with FreeBSD

--On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" wrote:

> It's a small store. Folks with broken computers bring the
> machines in because "It doesn't work". They usually don't
> know what is wrong with any given machine; and they try to
> be careful (remove the hard drive and attempt to clean it
> first); but eventually there is a need to put the machine
> on line and try to update Norton's virus list.

Before bringing it on-line, why not mount the disk on a FreeBSD machine and run ClamAV over all the files? It's not guaranteed to catch everything; but it should at least reduce the window.

You could also consider setting it up so that the initial reconnection is on a separate cable going through a firewall that -only- allows the connections necessary to update the Norton virus list. Once it is updated, unplug it from the network, run the virus check, and only then plug it into your main LAN.

-Pat
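
The update-only firewall suggested in the message above could be expressed as an ipfw rule file along these lines. This is an added example, not part of the original mail or of anyone's posted ruleset. The interface name, rule numbers, resolver and update-server addresses, and ports 80/443 are all assumptions (the addresses are constructed documentation-range placeholders), and `limit src-addr` is used in place of plain `keep-state` so one bench machine cannot fill the dynamic rule table.

```shell
#!/bin/sh
# Added example: emit an ipfw rule file for a quarantine bench port.
# Assumed, not from the thread: interface name, rule numbers, addresses, ports.

# quarantine_rules IFACE DNS_IP MAX_STATES UPDATE_IP...
quarantine_rules() {
    [ $# -ge 4 ] || { echo "usage: IFACE DNS_IP MAX_STATES UPDATE_IP..." >&2; return 1; }
    iface=$1; dns=$2; max=$3; shift 3
    n=1000
    # Replies to connections admitted below match their dynamic rule here,
    # before they can reach the final deny.
    echo "add 900 check-state"
    # Name lookups go only to the one resolver we chose.
    echo "add $n allow udp from any to $dns 53 in recv $iface limit src-addr $max"
    for ip in "$@"; do
        n=$((n + 10))
        # 'limit src-addr N' creates state like keep-state, but caps how many
        # dynamic rules a single source address can hold at once.
        echo "add $n allow tcp from any to $ip 80,443 in recv $iface setup limit src-addr $max"
    done
    # Anything else crossing the bench port, in either direction, is logged
    # and dropped, so the machine cannot reach or be reached from the LAN.
    echo "add $((n + 10)) deny log ip from any to any via $iface"
}

# When run with arguments, print the rule file to stdout, e.g.
#   sh quarantine.sh em1 192.0.2.53 8 198.51.100.10 > /tmp/quarantine.rules
# Check it with 'ipfw -n /tmp/quarantine.rules' before loading it.
if [ $# -ge 4 ]; then
    quarantine_rules "$@"
fi
```

The `deny log` line also gives a record of what the machine tried to contact while it was on the bench port.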