CSA fighting mass mail, BUT "concurrent query limit exceeded"!

fkhan6_wb · ‎04-11-2007

CSA did not prevent a machine from sending SMTP traffic to thousands of internal machines despite the fact that the user terminated the action.

Does "concurrent query limit exceeded" means that CSA was overwhelmed and just could not handle the volume?

CSA event:

Potential worm propagation: The process 'C:\WINNT\ServicePackFiles\mmwnd.exe' (as user) has read downloaded content (file C:\WINNT\ServicePackFiles\mmwnd.exe) and attempted to access an email or network related resource (making a Network Email connection, 6//25).This is considered suspect. The user chose 'Terminate (concurrent query limit exceeded)'.

MMWND.EXE

http://virusinfo.prevx.com/viruscenter.asp?GRP=4852600017

First detected on Apr 11

15:28 MMWND.EXE %WINDIR%\

SERVICEPACKFILES\

Win32.Malware.gen: Deletes programs. Invokes dll components. Communicates with web sites using httpout protocols. Has mass mail capabilities.

tsteger1 · ‎04-12-2007

That sounds like a SQL error. Are you running MSDE? If so, how many hosts are you supporting on what version of CSA?

You can use global event correlation to quarantine the traffic/files so the host would have no other effect than making lots of noise.

Tom

fkhan6_wb · ‎04-12-2007

No, we are using a MS SQL server. Based on the CSA MC architecture and the number of hosts, we are in a good shape.

The global event correlation rule is enabled. I might need to lower the threshold.

I am looking for the needed file access control rule which @dynamically quarantine worm related files. Is it a default rule?

(Note: We have other mechanisms to prevent this type of activities, but of course we would the appreciate the additional layer of CSA)

tsteger1 · ‎04-12-2007

What version of CSA?

fkhan6_wb · ‎04-13-2007

Hi Tom,

It's 4.0.3 736

Thanks

Faisal

tsteger1 · ‎04-16-2007

Hi Faisal, the default action of the Network Worm protection rule to dynamically quarantine suspicious files.

Also, when the rule request exceeds the maximum number of requests, you get:

"The user chose 'Terminate (concurrent query limit exceeded)'" And the default action is "terminate".

There is usually a corresponding event:

"Error The rule request has been submitted to the Rule Engine the maximum number of times. This request is no longer blockable, and the default action will be taken."

Maybe a better alert message would be "the agent chose terminate"

Tom

fkhan6_wb · ‎04-16-2007

Thanks Tom, great explanition.

Yes, that would be a better message.

In the logs, the default action for every time was "terminate." However, we still saw heavy tcp/25 traffic from that host through internal network IDS and networkflow.

My guess is that CSA can stop it until it exceeds CSA's limit.

Are there any supporting rules that help the network worm rule?

Is that rule more granular in 5.2? do we have more control.

Thanks

Faisal

tsteger1 · ‎04-16-2007

Global Event Correlation should keep track of the suspicious file and how many agents report on it. It should quarantine the file once the threshold is reached.

I don't know if there is a way you can view files that have been added to the @dynamic list of quarantined files.

If the threshold is set too high or a user chooses "Allow", that can enable it to seek other hosts.

Their CSA rules should block any attempt to infect since it would require them to accept a connection as a server and by default this is denied.

I created an additional rule in 4.0.3 that doesn't allow any host to act as a client or server on port 25 as an added layer of protection (our email doesn't use this port).

I'm not sure what the limititions are for 4.0. but we are moving to 5.2 as soon as we can. 5.2 is more granular and should provide more control and better performance.

Tom