Conficker.B - Where to find threat Source?
How do I determine the threat source that is attacking other computers? McAfee will report the "threat source", which makes dealing with an issue much easier. I have not been able to find the "threat source" data in Forefront. Can anyone shed some light on where to find the "threat source" data in Forefront?
As you all probably know, this is critical information for fighting outbreaks.
Answers
- In my experience with dealing with Conficker, I checked the event logs on the domain controllers. Conficker tries to compromise user accounts by guessing passwords. If an account gets locked out you can see the source (system name) of where the logon was tried.
Maybe this helps you for a part.
Marked As Answer by Nick Gu - MSFT, Moderator, Monday, August 10, 2009 1:13 AM
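The lockout-log check from the marked answer (and the Event ID 644 approach mentioned later in the thread) as a script, added here as an example; it is not code from the thread, from Forefront or from Microsoft. It assumes account-lockout auditing is on, that Windows Server 2003 DCs log Event ID 644 with a "Caller Machine Name" field and 2008-and-later DCs log 4740 with "Caller Computer Name", and that the account running it can read the Security log; $ComputerName and $Hours are this script's own parameters.

```powershell
# Added example: tabulate account-lockout events on a domain controller by the
# machine that triggered them, i.e. the "threat source" the poster is after.
# Assumes lockout auditing is enabled; 644 (Server 2003) and 4740 (2008+) are
# the lockout events. Run with rights to read the DC's Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumed parameter)
    [int]$Hours = 24                             # look-back window (assumed parameter)
)

$since = (Get-Date).AddHours(-$Hours)

# Get-EventLog reads the classic Security log on both 2003 and 2008-era DCs.
$lockouts = Get-EventLog -LogName Security -ComputerName $ComputerName -After $since |
    Where-Object { $_.EventID -eq 644 -or $_.EventID -eq 4740 }

if (-not $lockouts) {
    Write-Host "No lockout events on $ComputerName since $since"
    return
}

# Parse the message text so one regex set covers both event formats.
# 644 has a single "Target Account Name:" line; 4740 has two "Account Name:"
# lines (the Subject first, then the locked account), so take the last match.
$rows = foreach ($e in $lockouts) {
    $callerMatch = [regex]::Match($e.Message, 'Caller (?:Machine|Computer) Name:\s*(\S+)')
    $acctMatches = [regex]::Matches($e.Message, '(?:Target )?Account Name:\s*(\S+)')
    $caller  = 'unknown'
    $account = 'unknown'
    if ($callerMatch.Success) { $caller = $callerMatch.Groups[1].Value.TrimStart('\') }
    if ($acctMatches.Count -gt 0) { $account = $acctMatches[$acctMatches.Count - 1].Groups[1].Value }
    New-Object PSObject -Property @{
        Time    = $e.TimeGenerated
        Account = $account
        Caller  = $caller
    }
}

# One line per source machine: how many lockouts it caused and which accounts.
# A single workstation locking out many different accounts is the password-
# guessing pattern the thread describes and is the machine to clean first.
$rows | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{ n = 'CallerMachine'; e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it against each DC in turn, since lockouts are recorded on the DC that processed the failed logons, not replicated as events.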
All Replies
- There is none to my knowledge. It would be interesting to hear if anyone knows. I'll also shoot a question to the FCS team.
I do agree with you that it would be very helpful. You may have to dust off an old network sniffer like Wireshark.
/Johan
MCSE, forefront spec | www.msforefront.com
- Hi,
I've got no info on Forefront but what we did was to configure MOM 2005 (Microsoft Operations Manager) to alert us whenever EventID 644 appeared in the Security log of a DC...this is the event that tells you a given account is locked...but it also tells you the source computer etc. We then launch (Lockoutstatus - reskit utility if I'm not mistaken) and there you configure the account/domain you want to see the status of. This helps out quite a bit by looking at all DCs for the status of the account...(you can unlock them using the same console). We've been harassed by Conficker.C lately...Hope it helps!
- Using Forefront Client Security I've "smart cleaned" a computer with the Conficker only to get the popups again. Is it possible the source is still somewhere on the network? Should I expect FCS to prevent the file from accessing the computer or only detecting it after it's been infected?
I realize I could enable the Windows firewall here, but it sounds like I'd have to shut off file and print sharing, which we need for our environment (SCCM needs it).
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Do you still have Exchange 2000? Looking to upgrade to Exchange 2010? Read how.
- See my other post on the other thread. FCS is stopping the file from reaching the computer: it basically is suspending it immediately when it is written to disk and scanning it. Once scanned and determined as malware it removes it, noting the path that it was attempted to copy to.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde