Together, multiple tools clean and defend against malware

David Strom outlines various tools to help protect your systems against an onslaught of malware attacks.

Category: Virus prevention
Name of tool: Various tools and tips to fight worm attacks
Company name: Symantec and Microsoft, among others
Price: Mostly free
URL: See below for specific locations
Platforms supported: Windows 2000 and XP users should pay attention

**** = Very cool, very useful

Key features:
Protect your users, especially your laptop users, from subsequent worm attacks.

Be proactive now before the next wave hits.

Preparation will take some time and planning.


The latest Windows RPC vulnerabilities, combined with the damage done by August's Blaster and Sobig worm attacks, continue to haunt corporate networks. And the number of new worms and attack vectors will only increase. So I thought I would put together a collection of tips and tools you might want to arm yourself with. Some of these come from readers, which I humbly acknowledge. Others are my own.

If you've been infected by Sobig or Blaster, you need to assume that whatever Internet connectivity you might have had is temporarily off the air. The best bet, according to Ben Myers, is to create a CD that contains everything you need to get back online. I would include the following: the patches for both Windows 2000 and XP from Microsoft's Windows Update site, and the FixBlast and FixSbigF removal tools from Symantec Security Response. Once you have put this CD together, make duplicates and send them around to your various remote offices and users as a good preventive measure.

If you get tired of applying the various Symantec removal tools for each particular virus, you might want to try McAfee's Stinger. It is a single executable that covers dozens of different viruses, scanning for and eliminating them from your drive. You can download it here.

If your users don't have a firewall on their home networks, now is the time to encourage them to get one. Laptops became a clear infection vector during the August worm attacks: users connected to the Internet from home, brought their laptops back in, and the worms propagated through corporate networks. You might even want to put a corporate policy in place that funds firewall devices for users who routinely take their laptops home and have cable modems. The various products from Netgear, D-Link and Linksys are all less than $100. I recommend a hardware-based product because it is always on. All of the low-end products come with port filtering turned on by default. The higher-priced units also let you open specific ports for specific IP addresses. Be careful with that, however, because open ports are how Blaster and its ilk propagate (i.e., using port 69, the TFTP port). Having a firewall is essential. Here is a great compilation page from RoadRunner on firewalls; thanks to one reader for pointing it out.

You should close off port 69 and port 135 on your corporate network, by the way -- or only open them for specific IP addresses and purposes. They aren't needed by most applications and users, and they served as another infection vector for the August worm attacks.

Note that these two ports differ somewhat from the ones the Department of Homeland Security recommended closing. Their recommendation included port 135 but also mentioned ports 139 and 445. Closing off port 135 will break legitimate applications, including Outlook/Exchange transactions that occur over the public Internet. (For a complete list of ports used by Exchange, visit this site.) Granted, this isn't the best way to configure your Exchange servers, and it is not recommended by Microsoft, as Scott Johnson reminded me, but I know many smaller businesses that use it in this fashion.

As a result of the August attacks, many broadband Internet providers have closed these ports either temporarily or permanently. You can do one of three things: install a virtual private network (VPN), use Outlook Web Access, or upgrade to Exchange 2003 (which won't be available from Microsoft for a few months, although betas are widespread). Robert Spivack mentioned how the August attacks helped him justify installing a VPN for one of his clients, so the opportunity to upgrade networks can be a good thing.
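As an added example (not from the column or any vendor), here is a small Python audit that applies the port policy just described to flow-log lines: ports 69, 135, 139 and 445 are closed by default except for an allowlisted source network, and a host reached on port 135 that then pulls a file back over TFTP from the same peer is flagged as the propagation sequence the column attributes to Blaster. The log format, addresses and allowlist are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Ports the column says to close at the border (69, 135) plus the two the
# DHS advisory added (139, 445), with the services that normally listen there.
RESTRICTED_PORTS = {69: "tftp", 135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed allowlist: the only outside network permitted to reach port 135,
# standing in for "only open them for specific IP addresses and purposes".
ALLOWED_SOURCES = {135: [ipaddress.ip_network("203.0.113.0/24")]}

def is_permitted(src_ip, dport):
    """Default-deny on the restricted ports, allowlisted sources excepted."""
    if dport not in RESTRICTED_PORTS:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWED_SOURCES.get(dport, []))

def parse(line):
    """Constructed flow-log format: '<proto> <src>:<sport> > <dst>:<dport>'."""
    proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto.lower(), src_ip, dst_ip, int(dport)

def audit(lines):
    """Return policy violations plus the RPC-then-TFTP sequence the column describes."""
    alerts = []
    probed = defaultdict(set)  # victim -> hosts that reached its port 135
    for line in lines:
        proto, src, dst, dport = parse(line)
        if not is_permitted(src, dport):
            svc = RESTRICTED_PORTS[dport]
            alerts.append(f"policy: {src} -> {dst}:{dport}/{proto} ({svc}) must be blocked")
        if proto == "tcp" and dport == 135:
            probed[dst].add(src)
        # Host just reached on 135 now fetching over TFTP from that same peer.
        if proto == "udp" and dport == 69 and dst in probed[src]:
            alerts.append(f"worm pattern: {src} hit on 135 by {dst}, now fetching via tftp")
    return alerts

# Constructed sample: one allowlisted partner, one stray scan, one worm sequence.
SAMPLE_LOG = [
    "tcp 203.0.113.7:4021 > 10.1.1.20:135",   # partner office, allowlisted
    "tcp 198.51.100.9:1100 > 10.1.1.21:135",  # unknown outside host on RPC
    "udp 10.1.1.21:1027 > 198.51.100.9:69",   # victim pulls payload over tftp
    "tcp 198.51.100.9:1101 > 10.1.1.22:445",  # DHS-listed port, not allowlisted
    "tcp 10.1.1.30:2000 > 10.1.1.20:80",      # ordinary web traffic, ignored
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```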

While you are at it, several readers suggested that you should also put a software-based firewall on all your laptop users' machines, or get them Macintosh-based laptops. This may strike you as overkill, but I had a situation last month that made me realize it was becoming essential. I was in Florida attending a computer conference at a Disney hotel in Orlando. The hotel lacked a firewall, and as a result everyone's laptop became infected when they connected to the hotel's broadband Ethernet network.

Another group of readers reminded me that you can still get infected on dial-up connections. One reader reported that he was signed on for less than three minutes before getting "Blasted." You can't have too many layers of protection. The software-based firewalls I recommend are Norton Internet Security and ZoneAlarm.

Finally, if your users are installing a wireless network in an apartment building, or you are installing one in a shared office building, please turn on encryption and set a key. Also consider a wireless gateway/access point product like those from WatchGuard and SonicWall that separates the wireless and wired networks. You can't be too careful.

Together, these tips and tools will help you regain your network and conquer the next round of attacks.

Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.

About the author
David Strom is the technology editor for VARBusiness magazine. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at dstrom@cmp.com.

This was last published in September 2003
