From: John on 28 Dec 2009 06:57

If a PC is infected by a virus, it is sometimes difficult to know or detect
with virus scanner because most virus can cloak themselves. But they usually
have some sort of LAN or internet traffic, either in an attempt to infect
other PCs on the LAN, or to download "payload update", or to send off stuff
collected (bank account info, ...).

So, is there a network monitor specifically designed to detect virus
activity on a home LAN that I can run on a dedicated PC?
From: rakesh on 28 Dec 2009 09:28

On 12/28/2009 05:42 PM, John wrote:
> If a PC is infected by a virus, it is sometimes difficult to know or detect
> with virus scanner because most virus can cloak themselves. But they usually
> have some sort of LAN or internet traffic, either in an attempt to infect
> other PCs on the LAN, or to download "payload update", or to send off stuff
> collected (bank account info, ...).
>
> So, is there a network monitor specifically designed to detect virus
> activity on a home LAN that I can run on a dedicated PC?
>

Actually, I'm also in search of such a tool......
From: "FromTheRafters" erratic on 28 Dec 2009 09:56

"rakesh" <2005.rakesh(a)gmail.com> wrote in message
news:euZx$n8hKHA.2184(a)TK2MSFTNGP04.phx.gbl...
> On 12/28/2009 05:42 PM, John wrote:
>> If a PC is infected by a virus, it is sometimes difficult to know or
>> detect with virus scanner because most virus can cloak themselves. But they
>> usually have some sort of LAN or internet traffic, either in an attempt to
>> infect other PCs on the LAN, or to download "payload update", or to send off
>> stuff collected (bank account info, ...).
>>
>> So, is there a network monitor specifically designed to detect virus
>> activity on a home LAN that I can run on a dedicated PC?
>>
> Actually, I'm also in search of such a tool......

http://www.smoothwall.org/about/express-feature-list/ ?
From: David H. Lipman on 28 Dec 2009 17:44

From: "John" <nospam(a)nospam.com>

| If a PC is infected by a virus, it is sometimes difficult to know or detect
| with virus scanner because most virus can cloak themselves. But they usually
| have some sort of LAN or internet traffic, either in an attempt to infect
| other PCs on the LAN, or to download "payload update", or to send off stuff
| collected (bank account info, ...).
| So, is there a network monitor specifically designed to detect virus
| activity on a home LAN that I can run on a dedicated PC?

Yes... and No...

Most malware doesn't "cloak themselves", per se. For the most part the vast
majority that are not detected by a given anti virus are just not yet
recognized via direct or heuristic detections. However some RootKit trojans
such as TDSS (aka; TDL3) are able to cloak/hide from most anti virus
applications.

FireWall appliances *may* or may not be able to act as a network monitor. It
would depend on the software on the appliance. Because it is an appliance
outside the operating environment this cloaking becomes a moot point.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Geoff on 28 Dec 2009 22:49

On Mon, 28 Dec 2009 03:57:39 -0800, "John" <nospam(a)nospam.com> wrote:

>If a PC is infected by a virus, it is sometimes difficult to know or detect
>with virus scanner because most virus can cloak themselves. But they usually
>have some sort of LAN or internet traffic, either in an attempt to infect
>other PCs on the LAN, or to download "payload update", or to send off stuff
>collected (bank account info, ...).
>
>So, is there a network monitor specifically designed to detect virus
>activity on a home LAN that I can run on a dedicated PC?
>

Such a tool is called a packet sniffer. It resides on the firewall machine
or is part of the main path at the WAN/LAN interface or on a machine that
can see all the traffic on the LAN. One such tool is called Snort,
http://www.snort.org. The tool is designed to detect packets that are
characteristic of intrusion attempts from outside but it can be used for
outbound packets as well. It all depends on the rule sets. The sniffer
inspects all traffic passing between the firewall and the LAN and alerts
when the rules are triggered.

The drawback is that the characteristic activity must be known in order for
it to trigger, just as the characteristics of the malware binaries must be
known in order to detect their presence. The intent is to detect intrusion
before it happens, an Intrusion Detection System (IDS), not an extrusion
detection since this only occurs AFTER a system has been compromised and
presumably this would only occur when malware detection has failed. Using
white lists and blacklists one can alert on packets that don't fall within
the "approved" parameters.

The philosophy is defense in depth, combining system updates and
maintenance and anti-virus measures with firewall protection and traffic
analysis to detect assaults as they occur. This is usually more effort than
most people are willing to perform to protect their home computers.
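The whitelist/blacklist approach Geoff describes, as an added example that is not part of the thread and not Snort's own rule engine: a small pass over constructed per-flow records from a gateway vantage point that alerts on three things the original question lists, a LAN host probing many LAN peers on one port, a connection to a blacklisted destination, and outbound traffic on a port that is not on the approved list. The LAN range, the allowed ports, the blacklist entry and the flow records are all assumed sample values.

```python
"""Extrusion-style alerting over per-flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # assumed home LAN range
ALLOWED_PORTS = {53, 80, 123, 443}          # approved outbound destination ports
BLACKLIST = {ip_address("203.0.113.7")}     # placeholder, not a real indicator
SCAN_THRESHOLD = 3   # distinct LAN peers hit on one port by one source

# Constructed flow log, one record per line: "src_ip dst_ip dst_port proto"
FLOWS = """\
192.168.1.10 192.168.1.11 445 tcp
192.168.1.10 192.168.1.12 445 tcp
192.168.1.10 192.168.1.13 445 tcp
192.168.1.20 198.51.100.5 443 tcp
192.168.1.20 203.0.113.7 80 tcp
192.168.1.30 198.51.100.9 6667 tcp
192.168.1.20 198.51.100.5 53 udp
"""


def analyse(flow_text):
    """Return a list of (source_ip, reason) alerts for the flow records."""
    alerts = []
    lateral = defaultdict(set)   # (src, port) -> LAN destinations contacted
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        src, dst, port = ip_address(src), ip_address(dst), int(port)
        if src not in LAN:
            continue                          # only traffic originating on the LAN
        if dst in LAN:
            lateral[(src, port)].add(dst)     # LAN-to-LAN: watch for spreading
            continue
        if dst in BLACKLIST:
            alerts.append((str(src), f"blacklisted destination {dst}"))
        elif port not in ALLOWED_PORTS:
            alerts.append((str(src), f"unapproved outbound {proto}/{port} to {dst}"))
    # Many distinct LAN peers on the same port from one host looks like a probe
    for (src, port), peers in lateral.items():
        if len(peers) >= SCAN_THRESHOLD:
            alerts.append((str(src), f"{len(peers)} LAN hosts probed on port {port}"))
    return alerts


if __name__ == "__main__":
    for src, reason in analyse(FLOWS):
        print(f"ALERT {src}: {reason}")
```

As Geoff notes, this only fires on behaviour you already chose to describe in the rules; anything that blends into the approved list passes silently.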