I need to stop Nimba files being downloaded 1

[garty]

We have McAfee TVD (latest SuperDAT applied) installed on all our servers, including our proxy server (NT4SP6a - Proxy2). We keep getting files downloaded from the internet by some automatic means to the same place on our proxy server. Our virus defense is deleting these files out sucessfully, however I feel that there must be a hole that can be plugged. The virus message reads as follows..

The file C:\InetPub\scripts\TFTP759 is infected with W32/Nimda@MM Virus. The file was successfully deleted.(from {SERVERNAME} IP xxx.xxx.xxx.xxx user {SERVERNAME}\IUSR_{SERVERNAME} running NetShield 4.5 OAS)

The file name TFTP759 varies, but always starts TFTP.

The only patch I can find ffrom Microsoft is for IIS Webservers, but we do not host our own webpage. The files are only downloaded when people are surfing the internet.

Any thoughts?

 

[TheLad]

Don't forget that the Nimda virus can travel in webpages due to IIS servers out on the web not being patched. I would suggest that your proxy server is doing its job because when one of your users inadvertedly goes to an infected page, the proxy server is picking up the virus and disinfecting/deleting it.

May be worth ensuring that your proxy server is not trying to refresh these pages into it's cache as well. -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[garty]

Thanks for the prompt reply TheLad

Yes, it is nice to know that we have the right protection in place to scan these files as they arrive and delete them out.

However, we have the AV set up to email me whenever a virus is detected. I have received about 200 emails this week from the AV. Gets a little anoying. I do not want to turn it off as I will not get the 1 or 2 a day emails telling me of email blocks or virus'.