Re: When some is infected?

[ToddAndMargo <ToddAndMargo () zoho com>]

On 10/11/2013 02:04 AM, Nicolas Mitchell wrote:
> On 11 Oct 2013, at 04:11, ToddAndMargo <ToddAndMargo () zoho com> wrote:
>
> > Hi All,
> >
> >    Since I sell Kaspersky and have had a lot of customers
> > on it for years, I have learned that if something gets
> > by Kaspersky, it is going to be a wild ride getting rid
> > of it.   (I get rid of them manually and/or run other
> > vendors stuff at the computer.)
> >
> >    Now a days, when I walk up to a protected computer,
> > my thoughts are "maybe".  Did something get past that is not
> > being detected?
>
> The world is one of possibilities and probabilities.
>
> Things you might consider:
>
> Is the host OS and its applications fully patched. Have unnecessary applications been removed. Is the user able to install 
> additional applications or otherwise make undesireable changes to the host's configuration. Are the user's web habits 
> sensible; have they been given advice about sensible behaviour?
>
> In other words, have reasonable steps been taken to defend against known attacks/vulnerabilities?

Yes.  But ....

> >    Now I am thinking that a well crafted bad guy is
> > going to get past "penetration testing" (PEN).  Although
> > find anything like this is not the scope of PEN
> > testing, I am still thinking it would be ethical
> > to see if any traffic is sneak out that is not suppose
> > to be.
>
> Penetration Testing is one thing, testing the integrity of hosts within a network is another. Maybe not a question of 
> ethics but of customer care.

Agreed.

> >   So I was thinking that I should turn off all network
> > traffic producing programs I know of on the POS computer,
> > and just sit watching its outgoing traffic to make
> > sure there is no bad guy Command and Control going on.
> > Does this make sense to you?
>
> If you are responsible for this computer and you wish to verify its integrity, you might:
>
> - Wipe it and reinstall the OS and applications; enforce policies that prevent unauthorised changes.

As a lst resort.

> - Clone it and analyse its behaviour at your leisure.

Now that is a cleaver idea!

> - Etc.

> >    Is Wireshark the proper tool for this?
>
> It's a tool; additional tools you might consider using are TCP View/netstat, etc; Process Explorer, Autoruns, etc.
> >


Thank you!
-T


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------