Security Basics mailing list archives
Re: RE: Suspicious network activity advice
From: levinson_k () securityadmin info
Date: 29 Dec 2006 23:58:19 -0000
I would be hesitant to recommend quarantining the system and watching for a recurrence, because what if this was caused not by viruses on that computer but by normal Windows behavior by the user? I believe I've seen traffic like this before, and I believe the company would see log files like this on other systems if they looked, and if other users are using the same software the same way.

The company should get a second opinion from a security expert or from the software vendor themselves. A phone incident with Microsoft costs US $295 or less, phone numbers at www.microsoft.com/support. Even a Google search for the error messages might help confirm this is normal activity.

Windows event logs and personal firewall logs (for example, I'm not sure what logs these are) contain a lot of entries that don't make sense to most people, and it is a big mistake to assume that something is malicious just because you don't understand it or there's a lot of it. The problem can be even worse if someone at the company changed the system configuration to be more verbose.

You might ask what could be the possible motive to log into a system for a second, three times a day. You might ask them to look for similar log entries involving other computers and other users. You might ask them if the log entries identify your personal login account, or your Windows workstation machine account.

On the other hand, once something like this happens, in some cases it may not be possible to restore the working relationship at that company even if you are exonerated. It is possible that their eagerness to jump to this conclusion reveals some kind of distrust of you that preceded this incident.

Good luck.

kind regards,
Karl Levinson
http://securityadmin.info
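The three checks the post suggests (is it a user or a Windows machine account, how many brief logons per day, and do other workstations show the same entries against the same host) can be run over a constructed set of simplified logon/logoff records. This is an added example, not part of the original post or the list archive; the record layout, account names and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs), simplified from what a Windows
# security log or a personal firewall log might show:
# (timestamp, event, account, source_workstation, target_host).
# Windows computer (machine) accounts are the ones ending in "$".
SAMPLE = [
    ("2006-12-28 08:01:10", "logon",  "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 08:01:11", "logoff", "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 12:01:09", "logon",  "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 12:01:10", "logoff", "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 16:01:12", "logon",  "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 16:01:13", "logoff", "WS-JSMITH$", "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 08:03:40", "logon",  "WS-ALEE$",   "WS-ALEE",   "FILESRV1"),
    ("2006-12-28 08:03:41", "logoff", "WS-ALEE$",   "WS-ALEE",   "FILESRV1"),
    ("2006-12-28 09:15:00", "logon",  "jsmith",     "WS-JSMITH", "FILESRV1"),
    ("2006-12-28 17:30:00", "logoff", "jsmith",     "WS-JSMITH", "FILESRV1"),
]

def is_machine_account(account):
    return account.endswith("$")

def sessions(records):
    """Pair each logon with the next logoff for the same (account, source,
    target). Returns (account, source, target, start, duration_seconds)."""
    open_logons, out = {}, []
    for ts, event, account, source, target in sorted(records):
        key = (account, source, target)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "logon":
            open_logons[key] = t
        elif event == "logoff" and key in open_logons:
            start = open_logons.pop(key)
            out.append((account, source, target, start, (t - start).total_seconds()))
    return out

def triage(records, short_seconds=5):
    """Count brief sessions per account and day, and count how many distinct
    workstations show the same brief-session pattern against each target,
    split by whether the account is a machine account."""
    short = [s for s in sessions(records) if s[4] <= short_seconds]
    per_account_day = defaultdict(int)
    sources_per_target = defaultdict(set)
    for account, source, target, start, _ in short:
        per_account_day[(account, start.date().isoformat())] += 1
        sources_per_target[(is_machine_account(account), target)].add(source)
    return {
        "short_sessions_per_account_day": dict(per_account_day),
        "workstations_showing_pattern": {k: len(v) for k, v in sources_per_target.items()},
    }
```

In the constructed data the one-second logons come from machine accounts on two different workstations, three times a day from one of them, while the user account holds a single all-day session; that is the comparison the post asks the company to make before treating the entries as malicious.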