Security Incidents mailing list archives

RE: 1,800 files missing from system32


From: Joe Blatz <sd_wireless () yahoo com>
Date: Fri, 15 Oct 2004 07:08:26 -0700 (PDT)

A couple of people have pointed out that this could be
a malicious insider. Based on the information I
provided I think that is a highly valid response. What
I failed to mention is that these sites are very
isolated from each other and do not share any common
administrators.

The security model in place is based mostly on the NSA
Windows 2000 guides and far exceeds the OOB security
configuration of W2k.

AV software is set to quarantine infected software.

I had one person respond back that he had seen
similar behavior (with only 35 files deleted) caused
by Veritas Backup Exec. I'm hoping to get more
details.

Thanks to everyone who has replied thus far, and any
other suggestions on how to track down what is causing
this would be most welcome.


--- MMoll <MMoll () finance nyc gov> wrote:

There are 2 things that come to mind as checkpoint
items:

a. Evaluate the distribution of admin IDs in the
production environment. Best practice is a separate
human ID for everyday use from admin IDs used for
admin work. The point of this is that apparently the
benefit of system ACLs is not being realized, and
could be a factor in the high amount of infected
files. In a secure production environment, it is
difficult for a domain controller to have file
damage due to intrusionary processes. Evaluate the
security model being used: legacy, enterprise, high
security, or none. See Microsoft's site reference
to security guides and templates.

b. Check the settings on the virus software.
Setting the action to deny access and continue
scanning is more desirable than deleting files
upon detection of intrusionary processes.

My belief is that someone using an admin-enabled
human ID is the root cause.
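One concrete way to "track down what is causing this", as asked above, is to snapshot the directory on a schedule and diff each snapshot against a baseline, so the moment a batch of files disappears can be tied to an AV quarantine run, a backup job, or an interactive admin session. The script below is an added example for this thread, not code from either poster: it builds a manifest of path, size and SHA-256 for every file under a root, compares two manifests, and reports files that went missing, appeared, or changed. The `demo()` function runs it against a constructed temporary directory standing in for system32; the file names there are made up for illustration.

```python
"""Baseline-and-diff check for unexplained file deletions under a directory
such as %SystemRoot%\\system32 (added example; paths in demo() are constructed)."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Walk `root` and record relative path -> {size, sha256} for each regular file."""
    root_path = Path(root)
    manifest = {}
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rel = path.relative_to(root_path).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": digest.hexdigest()}
    return manifest


def save_manifest(manifest: dict, out_file) -> None:
    """Persist a manifest as JSON so later runs can compare against it."""
    Path(out_file).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_file) -> dict:
    """Load a manifest previously written by save_manifest()."""
    return json.loads(Path(in_file).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files that disappeared, appeared, or changed content since the baseline."""
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"missing": missing, "added": added, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a fake system32, then delete/alter files and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers").mkdir(parents=True)
        # Constructed sample files; names only mimic Windows components.
        samples = {
            "kernel32.dll": b"A" * 10,
            "ntdll.dll": b"B" * 20,
            "drivers/tcpip.sys": b"C" * 30,
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)

        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulate what the thread describes: files vanish, one changes, one appears.
        (root / "ntdll.dll").unlink()
        (root / "drivers" / "tcpip.sys").unlink()
        (root / "kernel32.dll").write_bytes(b"A" * 11)
        (root / "newfile.dll").write_bytes(b"x")

        return diff_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline would be taken right after the build is known good, and the comparison scheduled often enough (e.g. hourly) that a "missing" list can be lined up against AV quarantine logs, Backup Exec job times, and logons by accounts holding administrative rights.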

