Re: Quarantine your infected users spreading malware

[Jim Segrave <jes () nl demon net>]

On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:
> --On February 23, 2006 8:02:31 AM -0600 Jack Bates <jbates () brightok net> 
> wrote:
>
> > We allowed users back online to run Housecall at trendmicro for free so
> > they could get cleaned up and save some money. However, the resuspend
> > rate was so high, we quickly changed to offline cleanup only. It will
> > remain until we perfect our auto defense system.
> >
> > Customers just want things to work. They don't care if they are infected.
> > It's amazing how many customers swear they aren't scanning or sending
> > email, and refuse to understand that their computer is capable of doing
> > things without them knowing.
>
>
> What doesn't help is the ISPs out there who are complete dolts and first 
> don't verify reports and second false alarm.  They'll cut a user off on a 
> single complaint without any evidence or verification.  Or worse they have 
> some automated system that false alarms without any way to verify you're 
> cleaned up.  And if you can't get online you can't get cleaned up anyway. 
> Catch 22.  

www.quarantainenet.nl

It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.


-- 
Jim Segrave           jes () nl demon net