#11 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,797 posts)

    Quote Originally Posted by ntguru View Post
    So my conclusion is that there was *something* on these machines. It's possible the original infection was cleaned in the original sweep but some secondary piece, perhaps a bot designed to rack up advertising or traffic rankings (ie, malicious/unwanted, but not in the same way Emotet is), wasn't cleaned in the original sweep.
    Which brings us back around to this:

    Quote Originally Posted by sky-night View Post
    in this day and age, you'll never be certain a machine is clean. If it ever had a virus on it, paving it is literally the only sure way forward anymore.
    My take in longer form is here:
    https://superuser.com/questions/1003.../512901#512901
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

#12 Untangle Ninja (joined Feb 2016; 1,121 posts)

    Quote Originally Posted by ntguru View Post
    So my conclusion is that there was *something* on these machines. It's possible the original infection was cleaned in the original sweep but some secondary piece, perhaps a bot designed to rack up advertising or traffic rankings (ie, malicious/unwanted, but not in the same way Emotet is), wasn't cleaned in the original sweep. Or even, is this some "toolbar-ware" that was unrelated to the infection but that users like to install? Unfortunately, the client only approved installing Untangle in response to the original massive infection, so we have no previous baseline. The real question still remains -- what, and how malicious/concerning?
    Yes, all good questions.

    This brings us back not only to advice about paving, but also to the benefits of supplying an admin with insight into a specific threat. I'm not suggesting Untangle has a shortcoming here. I'm just pointing out that information could be critical to making an informed decision about remedies and the costs associated with those remedies, both direct and indirect. Certainly a threat response ought to have enough nuance to it to be able to address an advertising scam differently from a data-stealing trojan.

#13 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,251 posts)

    Quote Originally Posted by Sam Graf View Post
    Yes, all good questions.

    This brings us back not only to advice about paving, but also to the benefits of supplying an admin with insight into a specific threat. I'm not suggesting Untangle has a shortcoming here. I'm just pointing out that information could be critical to making an informed decision about remedies and the costs associated with those remedies, both direct and indirect. Certainly a threat response ought to have enough nuance to it to be able to address an advertising scam differently from a data-stealing trojan.
    When your only evidence of that data-stealing trojan is some advert scamming, things get very murky. I've got a small network that I've pulled Emotet from; I haven't had any detections of the Emotet trojan in weeks, yet now I have very small amounts of mail being moved at night, only 20 at a time, on three mailboxes... And I can't get the users to keep the complicated passwords, and it's stupid GoDaddy junk mail, so no two-factor.

    None of that helps the OP of course, just saying that in this world we're blind. Nuke and pave may fix the problem, but it only lasts until the user clicks the wrong thing again. And that wrong thing could potentially require nuking the entire network...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#14 Untangler (joined Sep 2018; 51 posts)

    There are shades of grey between an absolute HIPAA/etc. type emergency threat (Emotet) and a browser toolbar that sends no data but pops up ads from time to time. In a perfect world, neither of these would be a thing. In an almost-perfect world, IT shops would have all the resources to respond to any potential threat, even the mentioned toolbar, instantly and with max effort. Of course, reality is different.

    As far as your small network that had Emotet -- give the Norton boot recovery disk (NRBT) a try if you haven't already. It caught stuff no online AV product caught.

    Quote Originally Posted by sky-knight View Post
    When your only evidence of that data-stealing trojan is some advert scamming, things get very murky. I've got a small network that I've pulled Emotet from; I haven't had any detections of the Emotet trojan in weeks, yet now I have very small amounts of mail being moved at night, only 20 at a time, on three mailboxes... And I can't get the users to keep the complicated passwords, and it's stupid GoDaddy junk mail, so no two-factor.

    None of that helps the OP of course, just saying that in this world we're blind. Nuke and pave may fix the problem, but it only lasts until the user clicks the wrong thing again. And that wrong thing could potentially require nuking the entire network...

#15 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,251 posts)

    Quote Originally Posted by ntguru View Post
    There are shades of grey between an absolute HIPAA/etc. type emergency threat (Emotet) and a browser toolbar that sends no data but pops up ads from time to time. In a perfect world, neither of these would be a thing. In an almost-perfect world, IT shops would have all the resources to respond to any potential threat, even the mentioned toolbar, instantly and with max effort. Of course, reality is different.

    As far as your small network that had Emotet -- give the Norton boot recovery disk (NRBT) a try if you haven't already. It caught stuff no online AV product caught.
    I've pulled drives from three machines there and hit them with Norton, ESET, Malwarebytes, Clam, and Dr.Web... all clean. Yet, still there in the logs. That's the fun part... is it still infected? Do I have a user surfing porn at the office? Who knows!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#16 jcoehoorn (Untangle Ninja; joined Mar 2010; York, NE; 1,797 posts)

    Quote Originally Posted by sky-knight View Post
    Do I have a user surfing porn at the office? Who knows!
    In 2019, of course you do. It's (sadly) not even a question any more. Worse, business leaders generally only want technical solutions for what is really a behavior issue rather than a technology issue.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

#17 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,251 posts)

    Quote Originally Posted by jcoehoorn View Post
    In 2019, of course you do. It's (sadly) not even a question any more. Worse, business leaders generally only want technical solutions for what is really a behavior issue rather than a technology issue.
    There's a difference between someone looking at adult material on a computer, and a bit of software looking for them. And yet, we cannot at this time tell them apart, at least from the gateway. This gets even more murky when the logged material was only noticed after a confirmed malware infection and repeated cleanup efforts.

    So, while I see your point, there are still plenty of extenuating circumstances possible.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#18 Untangle Ninja (joined Feb 2016; 1,121 posts)

    Quote Originally Posted by sky-knight View Post
    None of that helps the OP of course, just saying that in this world we're blind. Nuke and pave may fix the problem, but it only lasts until the user clicks the wrong thing again. And that wrong thing could potentially require nuking the entire network...
    My chief concern here is relying on a remedy that isn't really a remedy, for reasons you've mentioned, for example. But even worse (in my view), nuke and pave isn't really an option on tablets and smartphones, for example. Back to the increasingly important need for better information, in my own opinion, of course. In my wife's small business, just one of the five Internet-connected devices routinely on her network is paveable. I'm sure she isn't unique.

#19 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 25,251 posts)

    Quote Originally Posted by Sam Graf View Post
    My chief concern here is relying on a remedy that isn't really a remedy, for reasons you've mentioned, for example. But even worse (in my view), nuke and pave isn't really an option on tablets and smartphones, for example. Back to the increasingly important need for better information, in my own opinion, of course. In my wife's small business, just one of the five Internet-connected devices routinely on her network is paveable. I'm sure she isn't unique.
    Yeah, that's why I've done what I can to contain the problems I have instead of suggesting a full network wipe. Even if you do a full wipe, you're one click away from disaster again anyway.

    The real solution is to change out all the authentication engines for everything publicly accessible to two factor. The bad guys can have your password all they want, but if they don't have that TOTP generator on your phone, or at least your cell phone number they aren't logging into anything.

    Of course I'd love to be able to prove the infection is actually dead, but there is only so much a mere mortal can do. Just hope the content control and AV eventually get ahead of it. We really have reached a point where people must not be stupid enough to click on that bad link or attachment...

    P.S. The fact that phones and tablets need a N&P option in and of itself utterly invalidates the sandboxes created to supposedly secure them, which in my opinion destroys their value as a platform utterly. Give me root, or go home darn it!
    Last edited by sky-knight; 01-26-2019 at 12:21 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
