North American Network Operators Group
Re: IRC bots...
* Martin Hannigan:

> Who's got time for all that? Chase the controller, shut down
> the user until they buy some AV software.

That should read "AV software from at least three vendors, with direct contacts to research staff of at least one of them", or something like that.

While it's very likely that there is at least one vendor which ships signatures that already recognize the malware you are experiencing, it's far less likely that the single scanner/signature combination you've chosen for desktop installation catches it. Standard, out-of-the-box AV software (with signature updates, of course) is no longer an option for fixing infected machines, at least not without qualified support and independent verification of the results.

It's long been said that you shouldn't rely on AV software for recovering from infections (and curiously enough, this was never the way people dealt with UNIX break-ins). We are now at a point where the automated tools actually fail, and not just for some philosophical reason (e.g. the bot has got a download component and you just can't know what further malware has been downloaded).

(And there's the problem that the users can't get online updates without the Internet connection you've taken away, and AV vendors do not permit mirrors of signature definitions on your network.)