[unisog] dns redirection vs local host files which or neither helps in the malware fight

Paul FM (DO NOT REPLY TO THIS ADDRESS) paulfm at umn.edu
Fri Nov 5 18:48:27 GMT 2004

It might be much easier just to put blocking rules in the main 
router/firewall that deny connections to those IP addresses (and also to the 
common malware ports).  The best part is, even if the malware uses pure ip 
addressing to connect (which much of it does), it still blocks it.

Harris, Michael C. wrote:

> I am in a discussion with our workstation support staff about methods of
> blocking spyware and malware
> The workstation and server support folks want to rollout local hosts
> files with an AD policy push and logon files.
> Network folks think modifying DNS entries and doing redirection to an
> internal warning page is a better solution, but not a good one.
> Anecdotally I don't see either of these solutions being manageable but I
> am looking for proof.  If you have links to success or failure stories
> using these methods please send me a link, off list if you prefer.
> (harrismc at missouri.edu)
> Other than the obvious nightmare dealing with the constant churn of the
> malware addresses I would like some input from what other sites have
> done, what works and what doesn't.
> I have done a bunch of googling already and found many host file sources
> but mostly this is geared to individual workstations and small groups
> not as an enterprise solution.  Also the sites via google don't talk
> about the problems
> Thanks
> Mike Harris
> System Security Analyst
> University of Missouri Health Center
> harrismc at missouri.edu KC0PAH
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.

More information about the unisog mailing list