Re: Conflicker/NMAP

[Jerry Sell <Jerry_Sell () BYU EDU>]

There are three things that mitigate the Confickr worm.


1.      Up to date Virus protection. All of the major vendors and most of the small vendors have signatures that will 
detect and remove Confickr.

2.      Up to date patches or blocking for port 445.

3.      Having autorun disabled for USB devices.

We have not detected anything so far using the scs scanner, but we have all three of these in place.

Thank you,

Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu<mailto:Jerry_Sell () byu edu>


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, 
Michael C.
Sent: Tuesday, March 31, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Using both the Python scs scanner and the Nmap method we have had unbelievable results as well.  Enough to make me 
question both scanning methods.  I have not yet infected a machine in quarantine and scanned it to prove the false 
negative. if I can prove that either way I'll post again later today.

Mike
University of Missouri

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Consolvo, Corbett D
Sent: Tuesday, March 31, 2009 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Conflicker/NMAP
I realize many folks may not want to answer this, but has anyone had many positives/infections with the released nmap 
scan for Conflicker?  So far we seem to be coming up clean and many other folks I've talked to or emailed with have 
come up clean as well.  I'm just concerned about the possibility of false negatives.  Of course, the problem may not be 
particularly wide-spread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University