
Thread: IsolatingAdware/Spyware

  1. #1
    Junior Member
    Join Date
    Aug 2005
    Posts
    2

    IsolatingAdware/Spyware

    Hi guys, I'm new here and tried to read all the previous posts in order to find an answer to my question, but with no luck. Forgive me if I'm breaking any rules/etiquette. I'm not sure where this post should go.

    I'm dealing with a client who has one router bridging a Telstra Bigpond modem (broadband, of course). The router's NAT is enabled. The router's DHCP server is enabled. The DHCP clients are two Windows XP machines. Let's call these machines Box 1 (B1) and Box 2 (B2). Both B1 and B2 are connected via 10/100 Ethernet to the router. Both machines are full of spyware/adware threats.

    Originally I was contacted to clean both machines of these threats. Then I was told to only clean B1. I said yes, it is possible with new hardware to clean and isolate B1 with a new router (2 x IP VLANs, one machine on each). I was told after this that there was to be no new hardware.

    Once I have cleaned B1 (of adware/spyware/trojans) I have to isolate it from B2 and still allow B2 to access read-only shares on B1. Without knowing what specific OSI layers the spyware/adware infect on, I am having difficulty. I am thinking my only option is to enable Microsoft's firewall (both machines are protected behind the gateway NAT already) on B1. Is it possible to create one rule to block all traffic from B1 to B2 (and vice versa) excluding port 445 (read-only shares)? Will spyware/adware (from B2) still be able to infect B1 via port 445?


    *The router mentioned is very basic, and is not capable of advanced features, i.e. DMZ.

  2. #2
    steve.milner (rebmeM roineS enilnOitnA)
    Join Date
    Jul 2003
    Posts
    1,021

    Re: IsolatingAdware/Spyware

    Originally posted here by h8spame
    Im dealing with a client [...]

    Then i was told to only clean B1

    Once i have cleaned B1 (of adware/spyware/trojans) i have to isolate it from B2 and still allow B2 to access read-only shares on B1.

    Far be it from me to point out the obvious, but isn't the client being stupid?

    If that's the case clean B1, bill them and walk away.

    And you'll find the client becomes a regular source of income.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Member
    Join Date
    Aug 2005
    Posts
    51

    Question

    I am not sure what you are going to achieve by isolating the two computers?

    I will explain how I would go about cleaning the two machines. I run three computers on my network attached to my DSL modem. If I were going to clean one of the two machines, I would turn off C2 while I removed the problems from C1. Ad-Aware works great for removing adware... I use AVG free edition for viruses (nothing works better)... and Spybot keeps you from getting infected from the "win a free TV" buttons. To my knowledge... most spyware does not spread through your network... trojans do. If you have a good virus scanner and no viruses... you shouldn't have to worry about C2. Just unplug the network cable from C2 until C1 is clean. If your real question is how to remove spyware without infecting or damaging the other computer, then you should use the three programs I named above and use TrendMicro HouseCall before you do anything else.

    Yes, you can isolate C2 from C1 and still allow C2 to be a client to C1... Turn the firewall on C2 on and do not allow connections to any port on C2 that is not desired by C1. Just find the IP address of C1 and block that IP address from all ports on C2. Now... on C1 load your firewall up and unblock access to desired ports from C2. If it's file sharing... port 139, I think.

    If any of this helps or you need more help, send me a PM... I dunno if I will check this thread again.
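The original question (block everything between B1 and B2 except the share port) and the approach in post #3 (a host firewall on each box, with B1 opening only the port B2 needs) both come down to how the Windows XP SP2 host firewall evaluates an inbound packet: default deny, with per-port exceptions that can be scoped to specific source addresses, and no filtering of outbound traffic at all. The model below is an added example written for this thread, not code from any poster or from Microsoft; the addresses (B1 = 192.168.1.10, B2 = 192.168.1.11 on 192.168.1.0/24) are constructed, and the `netsh firewall` command strings it prints are the XP SP2 syntax, which you can confirm on the box with `netsh firewall show config`.

```python
"""Model of how the Windows XP SP2 host firewall decides an inbound packet.

Added example for the thread above; hypothetical addresses, not a real network.
Semantics modelled: default deny for unsolicited inbound traffic, per-port
exceptions with a scope (ALL / SUBNET / CUSTOM address list), outbound never
filtered. Nothing here inspects what happens inside an allowed SMB session.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
B1_IP, B2_IP, LAN = "192.168.1.10", "192.168.1.11", "192.168.1.0/24"


@dataclass(frozen=True)
class PortException:
    """One 'netsh firewall add portopening' entry: protocol, port and scope."""
    proto: str                 # "TCP" or "UDP"
    port: int
    scope: str = "ALL"         # "ALL", "SUBNET" or "CUSTOM"
    addresses: tuple = ()      # consulted only when scope == "CUSTOM"

    def matches(self, src_ip: str, proto: str, dst_port: int, subnet: str) -> bool:
        if proto.upper() != self.proto or dst_port != self.port:
            return False
        if self.scope == "ALL":
            return True
        if self.scope == "SUBNET":
            return ip_address(src_ip) in ip_network(subnet, strict=False)
        return any(ip_address(src_ip) in ip_network(a, strict=False)
                   for a in self.addresses)


@dataclass
class XpHostFirewall:
    host_ip: str
    subnet: str
    enabled: bool = True
    exceptions_enabled: bool = True      # 'set opmode ... exceptions=DISABLE' -> False
    exceptions: list = field(default_factory=list)

    def allows_inbound(self, src_ip: str, proto: str, dst_port: int) -> bool:
        """Unsolicited inbound packet: denied unless an exception matches."""
        if not self.enabled:
            return True
        if not self.exceptions_enabled:
            return False
        return any(e.matches(src_ip, proto, dst_port, self.subnet)
                   for e in self.exceptions)

    def allows_outbound(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        """XP SP2 filters inbound only: connections the host opens, and the
        replies they solicit, always pass. A host firewall therefore never
        stops software already on the host from reaching out."""
        return True


def b1_policy() -> XpHostFirewall:
    """B1 (the cleaned box): only direct-host SMB, TCP 445, and only from B2."""
    fw = XpHostFirewall(B1_IP, LAN)
    fw.exceptions.append(PortException("TCP", 445, "CUSTOM", (B2_IP,)))
    return fw


def b2_policy() -> XpHostFirewall:
    """B2: keep the firewall on with all exceptions off, so nothing on the LAN
    (including B1) can reach any listener on B2."""
    return XpHostFirewall(B2_IP, LAN, exceptions_enabled=False)


def netsh_equivalent() -> list:
    """XP SP2 netsh commands that express the two policies above."""
    return [
        # on B1
        "netsh firewall set opmode mode=ENABLE exceptions=ENABLE",
        f'netsh firewall add portopening protocol=TCP port=445 name="SMB from B2" '
        f"mode=ENABLE scope=CUSTOM addresses={B2_IP}",
        # on B2
        "netsh firewall set opmode mode=ENABLE exceptions=DISABLE",
    ]


# Constructed sample traffic arriving at B1: (source IP, protocol, destination port).
SAMPLE_INBOUND_TO_B1 = [
    (B2_IP, "TCP", 445),            # B2 connecting to the read-only share
    (B2_IP, "TCP", 139),            # NetBIOS session port: not opened
    (B2_IP, "UDP", 137),            # NetBIOS name service: not opened
    ("192.168.1.12", "TCP", 445),   # some other host: outside the CUSTOM scope
]


def evaluate(fw: XpHostFirewall, packets: list) -> list:
    """Return [(packet, allowed), ...] for a batch of inbound packets."""
    return [(p, fw.allows_inbound(*p)) for p in packets]


if __name__ == "__main__":
    for pkt, ok in evaluate(b1_policy(), SAMPLE_INBOUND_TO_B1):
        print(f"B1 <- {pkt[0]} {pkt[1]}/{pkt[2]}: {'ALLOW' if ok else 'DROP'}")
    print("\n".join(netsh_equivalent()))
```

Two things the model makes visible that the thread only hints at: the firewall is a port-level gate, so once TCP 445 from B2 is open, whatever B2 sends to B1's SMB service reaches it, and "read-only" has to be enforced by the share and NTFS permissions on B1, not by the firewall; and because XP's firewall does not filter outbound traffic, it does nothing about code already running on a box connecting out, which is post #4's point about adware that "just connects and downloads more".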

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Tell your client he is being a jackass and should let you do your job properly. Otherwise get it in writing that you can't touch B2, and have a written warning that the infection may return due to the network still being infected. Although this shouldn't be the case with spyware/adware: it does not reproduce itself, it usually just connects and downloads more, so infecting a networked computer shouldn't be an issue.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    IKnowNot, Senior Member
    Join Date
    Jan 2003
    Posts
    792
    ( anyone else notice the recurring 8 here? )

    Although steve.milner obviously sees the same thing I do, I would not do what he suggested. I would walk away. Any client that would say such a thing will just bad mouth you to death each time he/she calls you back. In the long run it will be bad for business.

    Since you ( h8spame ) didn't say what these machines are used for ( personal computers or small business with web server, etc. ) it is hard to really give advice except that you need to clean it all, then advise client on appropriate use ( put that in writing if necessary so there is no mistake ) and how to better secure the machines ( and you would do it at additional cost. )

    ( also see XTC46's post above ).
    Additional questions in my mind,
    What type router?
    What capabilities of the router?
    Again, is this a personal network or commercial network?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
