Clear vulnerable LAN viruses

Recently, jelly has discovered that several computers in the LAN are infected with viruses and are spreading over the Intranet. These viruses will not only infect machines on the Intranet, but also spread to the Internet, infect machines on the Internet, and the network bandwidth will also be heavily occupied by these viruses, as a result, LAN users cannot access the Internet to work normally. It is difficult to clear these viruses in a short period of time. Therefore, the best practice is to first control the virus within a certain range (such as a network segment) and prevent it from spreading, then, clear the virus. So how can we control the virus in a certain range? With ISA 2004, you can easily achieve this.

All machines in the LAN managed by jelly access the Internet through the ISA 2004 server, and these machines are in the "192.168.1.x" network segment. Once a computer is infected with viruses, the network administrator can immediately use the ISA 2004 access rules to control the viruses in the "192.168.1.x" CIDR Block and stop spreading them out. Finally, they can scan and kill viruses in the LAN. This prevents viruses from occupying too much network bandwidth and affecting the normal internet access of other machines.

1. Identify viruses

To control the virus within a certain range, you must first find the IP address of the machine infected with the virus. If the LAN is not large and the IP address (static IP address) is allocated manually, the network administrator can quickly find the IP address of the infected machine.

For an office LAN that uses DHCP servers to dynamically allocate IP addresses, it is not easy to quickly find the IP addresses of infected machines because the IP addresses are variable. Jelly intends to use the log query function provided by ISA 2004 to find the IP addresses of these machines.

1. Create a filter

In the ISA 2004 Console window, click "monitoring" in the left column, and then click "log" in the monitoring box on the right to switch to the Log tab. Here, jelly will edit the filter based on the characteristics of the virus to quickly filter out the machines infected with the virus.

Jelly finds that machines infected with viruses in the network are constantly connected to ports 137 and 445 of other machines on the Internet, sending a large number of packets, occupying a large amount of network bandwidth. Now, you can create a filter with the target ports 137 and 445 to filter out these virus machines and find the IP addresses.

Click the "Edit filter" link on the "log" tab to bring up the "Edit filter" dialog box (). In the "filter by" drop-down list, select "Target Port ", select "equal" in the "condition" box, enter "137" in the "value" column, and click "add to list" to create a filter with the target port 137.

The method for creating a filter with the target port 445 is the same. You only need to enter "445" in the "value" column.

2. Search for poisoned machines

After the two filters are created, you can filter the virus machines. On the "log" tab, click the "Start search" link. After a while, the machines infected with viruses in the LAN will be listed and their IP addresses will be quickly located. Jelly found that three machines on the LAN, 192.168.1.12, 192.168.1.15, and 192.168.1.45, were infected with viruses, and sent a large number of illegal packets to ports 137 and 445 of the target machines on the LAN or the Internet.

Ii. prevent viruses from spreading

After finding out the IP addresses of infected machines, you can use access rules to prohibit them from accessing the internet, and control the scope of virus infection and transmission in this segment to avoid excessive occupation of network bandwidth.

1. Create a computer set

In the ISA 2004 Console window, click the "firewall policy" option in the left column, switch to the "Network object" tab in the right box, and click "New> Computer set ", the "create computer set rule element" dialog box is displayed. In the name column, enter "virus Machine", add computers, and add the three machines 192.168.1.12, 192.168.1.15, and 192.168.1.45 to the list box one by one, click "OK" to create the computer set of "virus host.

2. Modify access rules

Right-click the "all open" access rule in the right-side frame and select "properties" to go to The Properties dialog box and switch to the "from" tab. Click the "add" button in the "exception" box, add the "virus Machine" item in the computer set to the "exception" list box, and click "OK. Finally, select the "all open" rule in the box on the right of the firewall policy, and click the "application" button above. Now, these machines are prohibited from accessing the internet, and the communication scope is limited to this segment. viruses cannot spread over the Internet, and the network bandwidth will not be greatly occupied.

After the jelly prompt is installed with ISA 2004, the Intranet machine is not allowed to access the Internet by default. You must create an access rule that allows Intranet users to access the Internet. This rule is the "all open" access rule.

3. aftercare

Next, you can use anti-virus software to thoroughly scan and kill viruses in infected machines. After cleaning, you can delete the computer set of virus machines in the "exception" box, finally, select the "all open" rule in the box on the right of the firewall policy, and click the "application" button above. In this way, after the virus is cleared, these machines can access the Internet normally.

3. Fight against viruses"

Jelly uses ISA 2004 to control the virus in the office network, instead of spreading it. Next we need to scan and kill the virus on everyone's machine. However, because they do not have the permission to access the Internet, they are unable to upgrade the antivirus software virus database online. Thus, they are blocked in virus detection and removal. He came up with a good way to upgrade anti-virus software through a computer in the LAN ......

First, you must have a computer (which can be called a "host") that can access the Internet and update the virus database in time. After the virus database is updated, the host can be used as the virus database in the LAN to upgrade the server (the host is the jelly computer ). Of course, the premise is that the anti-virus software used must provide this function.

To give everyone more options, jelly has selected several common anti-virus software that supports updates to the virus repository LAN. Of course, the setting varies depending on the software. Let's see how jelly is set.

Kv2004

Kv2004 is implemented by sharing folders that contain updated virus database information to other clients. The update information is contained in the update folder under the kv2004 installation directory (for example, "C: \ kv2004 \ Update"). Therefore, you must first set this folder to share.

Next, run kv2004 on the client, click "Tools> options" in the menu bar, switch to the "Upgrade" tab, and select the "Lan upgrade" option, point the update path to the shared update folder on the host. Because the virus database often needs to be updated, we can select the "regular upgrade" option, select an appropriate upgrade frequency, and click "OK" (figure 1 ).

Figure 1

Now, you only need to upgrade the kv2004 virus database on your computer, and the client can connect to the updated update folder on the computer at the specified time, update the virus database automatically.

Kingsoft drug overlord 6

Kingsoft drug overlord has powerful functions to upgrade the virus database in the LAN, so it is more comprehensive for users. It provides two methods for upgrading the LAN.

1. Local upgrade

This method is similar to kv2004, mainly by selecting the update directory on the host. First, set the update folder under the Kingsoft drug overlord installation directory on the host to share, and then run Kingsoft drug overlord on the client. Click the "online upgrade" button on the main interface, select the upgrade method as "upgrade from local or local area network", and click "Next" to go to the "select path" window. Select the shared update folder on the host to start the upgrade.

2. Intra-network synchronization upgrade

If the synchronous upgrade mode is adopted, after jelly updates the virus database on the host, the customer will automatically connect to the host and receive the virus database data sent from the host, so as to synchronize and upgrade the virus database.

Click Tools> comprehensive settings on the menu bar of Kingsoft drug overlord to open the comprehensive Settings dialog box. On the left side of the dialog box, select "system Settings> Local Area Network Synchronization upgrade", and then select "enable local network synchronization upgrade" in the window on the right, select "allow the local machine to receive and send the upgraded data", so that the local machine can not only receive the virus database data from the host, you can also provide the upgraded virus database data to other machines for upgrade. Click OK.

Symantec AntiVirus 8.1 Enterprise Edition

The anti-virus software is divided into two versions: server and client. To update the virus database in the LAN, first install the server version on the computer that can access the Internet of jelly. The server version is upgraded in normal mode. To keep the software running on the server, you can start setting the client.

Install a client for Symantec AntiVirus 8.1 Enterprise Edition on a computer that cannot access the InternetProgramIn the "Network installation type" Wizard window, select "Accept Management". In this way, the computer that has installed the client program will be managed by the server program, and automatically upgrade the virus database. Click "Next" and click "Browse" in the "Select Server" window to go to the "Select Server" dialog box. If you do not know which computer the server version of anti-virus software is installed on, you can click "Search for computer" to enable the client to automatically search. If the server is running properly, the client automatically obtains the name of the computer of the other party.

After the configuration is complete, the server automatically takes over the client's management right and configures the client automatically. By sharing the virus database with the client, the client can automatically upgrade the virus database, all of this requires no manual intervention.

Kaspersky

Kaspersky is a popular anti-virus software recently. It feels pretty good after a trial of jelly. In particular, it also supports upgrades of the virus library in the LAN, therefore, Jelly recommends it to strawberry and others as alternative software.

First, on the official website of Kaspersky (compressed file format), decompress it to a folder on the host (such as "D: \ down"), and set the folder to share.

Switch to the "Settings" tab in the main window of Kaspersky, and click the "configuration Update" link on the left side of the tab to open the "update settings" dialog box. Kaspersky provides three update Methods for users. We need to update through the LAN, so we should select "from local folder ", then select the shared folder (for example, \ James \ down) where the virus database file on the host is located.

If you want the client to automatically update the virus database, you can select the "Enable automatic update" option and set the update frequency (figure 2 ). Finally, click OK to complete the client settings.

Figure 2

Rising Network 2004

Rising provides a network version for users in the LAN. This version can be divided into server and client. server programs are installed on the host, and client programs are installed on other clients. After the virus database on the host is upgraded, the server program sends an update request to each client program, and the client automatically performs the upgrade without user intervention.

After explaining the various anti-virus software Intranet upgrade methods in one breath, jelly will be waiting for the cainiao to choose. Although "green radish has their own love", but jelly does not allow each of them to choose an anti-virus software, otherwise the jelly "host" in order to allow them to upgrade, it becomes a "Concentration Camp" for anti-virus software ......