Different ways to protect your net from worms

Aug 25, 2003 | 3 mins
Messaging Apps, Networking, Viruses

Nutter helps a reader battle the latest viruses.

I made sure all our servers are patched and the appropriate patches have been installed on the workstations. The anti-virus software we use has been checked for up-to-date signatures and virus engines. We are still getting messages through the e-mail server, some of which have the attachment and some don’t. Are there any other precautions we can take?

 – Via the Internet

Yes, there are. The first thing I would do is get a copy of the CA-2003-20 Advisory on the Blaster worm. Make sure you’re blocking the ports mentioned in the Advisory at your firewall or at the router that connects your network to the Internet. Even though you have probably prepared as best you can, I would also recommend blocking all ICMP traffic outbound from your network. I saw an advisory on Cisco’s Web site that gave me cause for concern because of the Nachi worm. The worm can cause excessive outbound traffic through your router, to the point at which it causes excessive utilization at the router and could cause the intermittent dropping of interfaces on the router, resulting in momentary disruption of your Internet connection.

You don’t mention what type of e-mail scanning software you’re using, if any. E-mail scanning is another good tool that can block some or all of the messages that contain virus payloads. There are several good packages available.

Until you can find a package and get it installed and configured, there is another option you can pursue. By implementing a basic access control list in your router, you can block the IP addresses that are sending most or all of these e-mails to you. From the ones I’ve seen personally, none have come from what I would recognize as a standard mail server.

Assuming you’re using Outlook as your e-mail client, display one of the messages that has been going around, click on View, Options and look for the first IP address you see in the Internet headers box. This is the IP address of the system from which your mail server received the message. After you have built a list of the IP addresses sending you virus e-mails, you can create an access control list in your router to block these systems from talking to you. This runs the risk of blocking valid e-mail, but I haven’t had that problem so far.

Assuming you are using a Cisco router, go into configuration mode and type access-list 1 deny host x.x.x.x. The list number 1 may change depending on how many basic access control lists you’re using; substitute the IP address of the offending e-mail server for x.x.x.x.

Repeat this command for each of the IP addresses you have gathered from the exercise above. Go to the Ethernet interface on the router and type ip access-group 1 out (this number should match the number you used when creating the access-list statements previously). The out keyword tells the router to apply the access list to the packets leaving the Ethernet interface.

I reviewed this option with Cisco Technical Assistance Center to see if it had another suggestion. It indicated that this should be viewed as a workaround only until you can use some type of e-mail scanning gateway to block the messages without having to build the granular access lists you may end up with before the current virus/worms have run their course. What I’ve shown you is an option to consider until you can get an easier-to-maintain solution in place.
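The header check and access list described above can be scripted. This Python sketch is an added example, not part of the original column: it reads the Received headers top down, takes the first outside address, and emits the access-list lines, closing with a permit any because IOS ends every access list with an implicit deny. The function names, the OWN_NETWORKS setting and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Assumption: hosts in these networks are our own relays and are never blocked.
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample messages; the addresses are documentation ranges.
SAMPLES = [
    "Received: from pc1 (unknown [203.0.113.77])\n"
    "\tby mail.example.com with SMTP; Mon, 25 Aug 2003 09:00:00 -0400\n"
    "Subject: sample 1\n\nbody\n",
    "Received: from gw.example.com ([10.0.0.5])\n"
    "\tby mail.example.com with ESMTP; Mon, 25 Aug 2003 09:05:00 -0400\n"
    "Received: from dsl-host ([198.51.100.23])\n"
    "\tby gw.example.com with SMTP; Mon, 25 Aug 2003 09:04:58 -0400\n"
    "Subject: sample 2\n\nbody\n",
    "Received: from pc1 (unknown [203.0.113.77])\n"
    "\tby mail.example.com with SMTP; Mon, 25 Aug 2003 09:10:00 -0400\n"
    "Subject: sample 3\n\nbody\n",
]

def handoff_ip(raw_message):
    """Return the first outside IP in the Received headers, read top down."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        # Only the "from" clause names the sender; "by" is the receiving host.
        from_clause = re.split(r"(?:^|\s)by\s", received, maxsplit=1)[0]
        for candidate in IPV4.findall(from_clause):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address; never emit it
            if not any(ip in net for net in OWN_NETWORKS):
                return ip
    return None

def build_acl(raw_messages, acl_number=1):
    """Build deny lines for each distinct sender, then the closing permit."""
    hosts = sorted({ip for ip in map(handoff_ip, raw_messages) if ip})
    lines = [f"access-list {acl_number} deny host {ip}" for ip in hosts]
    # IOS ends every access list with an implicit deny, so permit the rest.
    lines.append(f"access-list {acl_number} permit any")
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLES)))
```

Review the generated lines before pasting them into the router, since any legitimate mail relay that appears in the list will be blocked as well.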