Security Basics mailing list archives

Re: RE: Suspicious network activity advice


From: levinson_k () securityadmin info
Date: 29 Dec 2006 23:58:19 -0000

I would be hesitant to recommend quarantining the system and watching for a recurrence, because what if this was caused 
not by viruses on that computer but by normal Windows behavior by the user?

I believe I've seen traffic like this before, and I believe the company would see log files like this on other systems 
if they looked, and if other users are using the same software the same way.  The company should get a second opinion 
from a security expert or from the software vendor themselves.  A phone incident with Microsoft costs US $295 or less, 
phone numbers at www.microsoft.com/support.  Even a google search for the error messages might help confirm this is 
normal activity.  Windows event logs and personal firewall logs (for example, I'm not sure what logs these are) contain 
a lot of entries that don't make sense to most people, and it is a big mistake to assume that something is malicious 
just because you don't understand it or there's a lot of it.  The problem can be even worse if someone at the company 
changed the system configuration to be more verbose.

You might ask what could be the possible motive to log into a system for a second, three times a day.  You might ask 
them to look for similar log entries involving other computers and other users.  You might ask them if the log entries 
identify your personal login account, or your Windows workstation machine account.

On the other hand, once something like this happens, in some cases it may not be possible to restore the working 
relationship at that company even if you are exonerated.  It is possible that their eagerness to jump to this 
conclusion reveals some kind of distrust of you that preceded this incident.  Good luck.

kind regards,
Karl Levinson
http://securityadmin.info
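As an added illustration of the two checks suggested in the reply above (does the same pattern show up for other accounts and other machines, and is the account in the log entries a personal login or a workstation machine account), here is a small Python triage script. It is not from the original post or thread; the log records, host names and account names are constructed, and the comma-separated layout is an assumption rather than the format of any real Windows event log or personal firewall log. The only Windows convention it relies on is that computer (machine) accounts are named after the host with a trailing "$".

```python
"""Triage constructed logon/logoff records: is a pattern of very short
logons, a few times a day, unique to one account, or does it show up for
other accounts and workstations too?  Added example; the records below
are made up, and the field layout is an assumption, not a real log format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: host, ISO timestamp, event, account.
# Two workstation machine accounts each log on for about a second, three
# times a day; one human user has a single long session.
SAMPLE_LOG = """\
FILESRV01,2006-12-28T08:02:10,LOGON,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T08:02:11,LOGOFF,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T12:30:05,LOGON,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T12:30:06,LOGOFF,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T17:15:40,LOGON,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T17:15:41,LOGOFF,DOMAIN\\WS-ALICE$
FILESRV01,2006-12-28T08:05:00,LOGON,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T08:05:01,LOGOFF,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T12:33:12,LOGON,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T12:33:13,LOGOFF,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T17:20:02,LOGON,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T17:20:03,LOGOFF,DOMAIN\\WS-BOB$
FILESRV01,2006-12-28T09:00:00,LOGON,DOMAIN\\alice
FILESRV01,2006-12-28T11:45:00,LOGOFF,DOMAIN\\alice
"""


def is_machine_account(account):
    """Windows computer accounts are named after the host with a trailing '$'."""
    return account.strip().endswith("$")


def parse_events(text):
    """Parse the constructed layout into (host, datetime, kind, account)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, kind, account = line.split(",")
        events.append((host, datetime.fromisoformat(ts), kind, account))
    events.sort(key=lambda e: e[1])
    return events


def sessions(events):
    """Pair each LOGON with the next LOGOFF for the same (host, account).
    Returns {(host, account): [(start, seconds), ...]}."""
    open_logons = {}
    out = defaultdict(list)
    for host, ts, kind, account in events:
        key = (host, account)
        if kind == "LOGON":
            open_logons[key] = ts
        elif kind == "LOGOFF" and key in open_logons:
            start = open_logons.pop(key)
            out[key].append((start, (ts - start).total_seconds()))
    return out


def profile(events):
    """Per account: kind, hosts seen, busiest day's session count, median seconds."""
    result = {}
    for (host, account), sess in sessions(events).items():
        p = result.setdefault(account, {"hosts": set(), "per_day": defaultdict(int),
                                        "durations": []})
        p["kind"] = "machine" if is_machine_account(account) else "user"
        p["hosts"].add(host)
        for start, secs in sess:
            p["per_day"][start.date()] += 1
            p["durations"].append(secs)
    for p in result.values():
        p["median_seconds"] = median(p["durations"])
        p["max_per_day"] = max(p["per_day"].values())
    return result


def similar_accounts(prof, account, max_seconds=5):
    """Other accounts showing the same short-logon pattern: same kind of
    account, same peak sessions per day, median session no longer than
    max_seconds.  A non-empty list means the pattern is not unique to the
    account under suspicion, which is what you would expect of normal
    behaviour by the same software used the same way."""
    target = prof[account]
    return sorted(
        name for name, p in prof.items()
        if name != account
        and p["kind"] == target["kind"]
        and p["max_per_day"] == target["max_per_day"]
        and p["median_seconds"] <= max_seconds
    )


if __name__ == "__main__":
    prof = profile(parse_events(SAMPLE_LOG))
    for name, p in sorted(prof.items()):
        print(f"{name}: {p['kind']} account, {p['max_per_day']}/day, "
              f"median {p['median_seconds']:.0f}s, hosts={sorted(p['hosts'])}, "
              f"same pattern on: {similar_accounts(prof, name)}")
```

Run against the constructed records, the script reports that the one-second logons belong to machine accounts, not to a person's login, and that the identical three-a-day pattern appears for a second workstation as well. Feeding it records exported from several systems (in whatever layout those logs really use, adjusting parse_events accordingly) is the quickest way to answer the "do other computers and users show this too" question before concluding anything.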

