
network monitor to detect malware?


John

Dec 28, 2009, 6:57:39 AM
If a PC is infected by a virus, it is sometimes difficult to know or detect
with a virus scanner because most viruses can cloak themselves. But they usually
have some sort of LAN or internet traffic, either in an attempt to infect
other PCs on the LAN, or to download a "payload update", or to send off stuff
collected (bank account info, ...).

So, is there a network monitor specifically designed to detect virus
activity on a home LAN that I can run on a dedicated PC?


rakesh

Dec 28, 2009, 9:28:15 AM

Actually, I'm also in search of such a tool...

FromTheRafters

Dec 28, 2009, 9:56:19 AM

"rakesh" <2005....@gmail.com> wrote in message
news:euZx$n8hKH...@TK2MSFTNGP04.phx.gbl...

http://www.smoothwall.org/about/express-feature-list/ ?


David H. Lipman

Dec 28, 2009, 5:44:26 PM
From: "John" <nos...@nospam.com>


Yes... and No...

Most malware doesn't "cloak themselves", per se. For the most part, the vast majority that
are not detected by a given anti-virus are just not yet recognized via direct or heuristic
detections. However, some RootKit trojans such as TDSS (aka TDL3) are able to cloak/hide
from most anti-virus applications.

Firewall appliances *may* or may not be able to act as a network monitor. It would depend
on the software on the appliance. Because it is an appliance outside the operating
environment, this cloaking becomes a moot point.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Geoff

Dec 28, 2009, 10:49:12 PM

Such a tool is called a packet sniffer. It resides on the firewall
machine or is part of the main path at the WAN/LAN interface or on a
machine that can see all the traffic on the LAN. One such tool is
called Snort, http://www.snort.org. The tool is designed to detect
packets that are characteristic of intrusion attempts from outside but
it can be used for outbound packets as well. It all depends on the
rule sets. The sniffer inspects all traffic passing between the
firewall and the LAN and alerts when the rules are triggered. The
drawback is that the characteristic activity must be known in order
for it to trigger, just as the characteristics of the malware binaries
must be known in order to detect their presence. The intent is to
detect intrusion before it happens, an Intrusion Detection System
(IDS), not an extrusion detection, since this only occurs AFTER a system
has been compromised and presumably this would only occur when malware
detection has failed. Using whitelists and blacklists one can alert
on packets that don't fall within the "approved" parameters.

The philosophy is defense in depth, combining system updates and
maintenance and anti-virus measures with firewall protection and
traffic analysis to detect assaults as they occur. This is usually
more effort than most people are willing to perform to protect their
home computers.
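The whitelist/blacklist extrusion check Geoff describes, as an added example that is not part of the original thread and not Snort's own rule engine: a small Python checker over a constructed flow log (timestamp, source, destination, protocol, destination port) that alerts on outbound traffic from LAN hosts outside an approved port set, on traffic to a placeholder blocklisted address, and on LAN-to-LAN SMB connections not aimed at the file server (the "infect other PCs on the LAN" case). The LAN range, approved ports, blocklist entry and file-server address are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed home LAN
# Approved outbound (proto, dport) pairs; anything else from a LAN host is alerted.
APPROVED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}
# Placeholder blocklist (constructed documentation address, not a real indicator).
BLOCKLIST = {"203.0.113.10"}
# SMB ports are only expected toward the file server; another LAN host
# accepting them from a peer looks like worm-style lateral spread.
LATERAL_PORTS = {139, 445}
FILE_SERVER = ipaddress.ip_address("192.168.1.5")   # assumed

@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    # Constructed log format: "<ts> <src> <dst> <proto> <dport>"
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport))

def check_flow(f: Flow) -> list[str]:
    alerts = []
    if f.src not in LAN:
        return alerts                       # only flows originating on the LAN are judged
    if f.dst in LAN:                        # LAN-to-LAN: lateral-movement rule only
        if f.dport in LATERAL_PORTS and f.dst != FILE_SERVER:
            alerts.append(f"LATERAL {f.src}->{f.dst}:{f.dport}")
        return alerts
    if str(f.dst) in BLOCKLIST:             # blacklist rule
        alerts.append(f"BLOCKLIST {f.src}->{f.dst}")
    if (f.proto, f.dport) not in APPROVED_OUTBOUND:   # whitelist rule
        alerts.append(f"UNAPPROVED {f.src}->{f.dst} {f.proto}/{f.dport}")
    return alerts

def scan(lines) -> list[str]:
    return [a for line in lines if line.strip() for a in check_flow(parse_flow(line))]

SAMPLE_LOG = """\
2009-12-28T10:00:01 192.168.1.20 198.51.100.7 tcp 443
2009-12-28T10:00:02 192.168.1.20 192.168.1.1 udp 53
2009-12-28T10:00:03 192.168.1.20 203.0.113.10 tcp 6667
2009-12-28T10:00:04 192.168.1.20 192.168.1.21 tcp 445
2009-12-28T10:00:05 192.168.1.21 192.168.1.5 tcp 445
2009-12-28T10:00:06 8.8.8.8 192.168.1.20 udp 53
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the third and fourth constructed lines trigger: the blocklisted IRC-port connection raises two alerts and the peer-to-peer SMB connection raises one; the resolver lookup, the file-server access and the inbound flow stay silent.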
