Temporary Block Policy on Symantec Anti-Virus Exploited Hosts
user name
2006-12-21 21:48:08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Due to the level of compromise and aggressiveness of some of the recent attacks exploiting the older versions of Symantec Anti-Virus/Client Security software running in managed mode, the System and Network Security Team will be enforcing a temporary block policy on all campus hosts detected as having been compromised by this vulnerability.  We will be placing immediate blocks on affected hosts until they have been rebuilt.

You will continue to receive the normal compromised host notifications from SNS. If a host is blocked, you will receive an email update with the original ticket number. All the hosts found to be compromised as of yesterday have already been blocked, and we will be checking about once a day over the break to block any new infected hosts or release the block on cleaned hosts.

A list of all blocked hosts can be accessed at any time on our website: http://sec-info.berkeley.edu/cgi-bin/blockinfo-login.pl/


Currently Symantec Anti-Virus will not detect most versions of malware related to these attacks and we do not know the full extent of the compromise.  Therefore, the only recommended solution at this time is to completely rebuild the host from known secure media.

Please note that hosts running the latest versions of Symantec Anti-Virus or Symantec Client Security are immune to this attack, as are hosts running their Symantec software in un-managed modes.

All of these attacks start by connecting to TCP port 2967, so another helpful defense would be to block access to port 2967 from any host other than the manager server.

We also recommend that users turn off their desktop machine when going on their holiday break if possible.

System and Network Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFiwEYabYFMfj0iXwRAmnxAJ9ZvsvWqnwJUhpKUvi0Yx7ciDep4wCaA2Zs
5ymGFenm5pn9BE++1H11+U0=
=C1Oh
-----END PGP SIGNATURE-----
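The notice's two defensive points, that these attacks begin with a connection to TCP port 2967 and that only the manager server should be allowed to reach that port, translate directly into a detection check over connection logs. The following is an added example and is not part of the SNS notice or any Symantec tooling. It assumes a constructed flow-log format of one record per line (timestamp, source IP, destination IP, protocol, destination port), and the manager address 10.0.0.5 is a placeholder, not a real campus host. It flags every TCP/2967 connection whose source is not the manager and groups the results by source, so a host that is fanning out to many others on that port stands out first.

```python
"""Flag TCP connections to the Symantec managed-mode port (2967) that do not
originate from the designated manager server.

Added example, not from the original SNS notice. The log format is
constructed for illustration ("<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
per line); the manager address 10.0.0.5 is a placeholder.
"""

from collections import defaultdict

SYMANTEC_MANAGED_PORT = 2967  # port named in the SNS notice

# Constructed sample records; not real campus traffic.
SAMPLE_LOG = """\
2006-12-20T10:01:02 10.0.0.5 10.1.4.22 tcp 2967
2006-12-20T10:01:07 10.1.9.13 10.1.4.22 tcp 2967
2006-12-20T10:01:09 10.1.9.13 10.1.4.23 tcp 2967
2006-12-20T10:02:15 10.1.9.13 10.1.4.24 tcp 445
2006-12-20T10:03:40 10.1.4.22 10.1.4.25 tcp 2967
2006-12-20T10:03:41 10.1.4.22 10.1.4.26 udp 2967
garbage line
"""


def parse_record(line):
    """Return (timestamp, src, dst, proto, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        dport = int(port)
    except ValueError:
        return None
    return ts, src, dst, proto.lower(), dport


def find_suspect_connections(log_text, manager_ip, port=SYMANTEC_MANAGED_PORT):
    """Yield records for TCP connections to `port` whose source is not the manager.

    Per the notice, every one of these attacks starts with exactly such a
    connection, and the port-2967 filter it suggests would block this same set;
    a host that appears here should get the normal compromised-host ticket.
    """
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole sweep
        ts, src, dst, proto, dport = rec
        if proto == "tcp" and dport == port and src != manager_ip:
            yield rec


def summarize_by_source(log_text, manager_ip, port=SYMANTEC_MANAGED_PORT):
    """Map each non-manager source to the sorted list of hosts it reached on `port`.

    Sources touching many destinations are the ones to look at (and block) first.
    """
    targets = defaultdict(set)
    for _, src, dst, _, _ in find_suspect_connections(log_text, manager_ip, port):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for src, dsts in summarize_by_source(SAMPLE_LOG, "10.0.0.5").items():
        print(f"{src} -> {len(dsts)} host(s) on tcp/{SYMANTEC_MANAGED_PORT}: "
              f"{', '.join(dsts)}")
```

On the sample records the manager's own connection, the port-445 connection and the UDP record are all ignored; the two remaining sources are reported with the hosts they reached. The same filter (TCP, destination port 2967, source other than the manager) is what a border or host firewall rule enforcing the notice's recommendation would express, so the log check doubles as a way to confirm the rule is actually in effect.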

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.
