W32.Spybot.CF virus restriction through NBAR or QOS

Unanswered Question
Dec 5th, 2008


We are currently facing a virus spread in one of our client networks. The virus is affecting the ATMs and POS machines, where the OS is customized and antivirus cannot be installed. Once we clean the virus from one machine, it comes back through another source. We have restricted ports, but they change: once you restrict one port it sends from other ports. The only solution I see is through NBAR and QoS; any advice is much appreciated.

Joseph W. Doherty Fri, 12/05/2008 - 05:37

Perhaps your two choices are: if you can recognize valid traffic, forward it and block everything else (especially since the hosts have dedicated functions); or identify the virus and block just it.

QoS commands would be one way to both identify traffic and pass it or block it. NBAR is the specific feature that might be used for identification.

If you can identify "good" traffic, you pass it and block all else, or perhaps very much rate limit the unknown traffic. The latter would keep a virus from flooding your ATMs and POS, but this wouldn't be good if the virus can infect them.

Since you mention the virus uses dynamic ports, to identify it, you might check whether Cisco has a NBAR PDLM to do so. If not, NBAR can be configured for some packet inspection, but it might only be when using the HTTP protocol.

If you drop a 6500 with Sup32-PISA in line, I recall its FPM feature might allow you to better see and then drop virus packets.

This link, http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/BranchQoS.html#wp89756, provides some more information about using NBAR to handle various worms.

Considering the likely importance of this issue to you, it is something you might want to retain additional consultation for.
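As an added illustration of the "pass known-good, police everything else" approach described in this answer (this is example configuration, not from the original post or from Cisco's documentation), the IOS MQC fragment below whitelists the POS/ATM transaction flows by ACL, drops HTTP matching an NBAR URL pattern, and rate-limits all remaining traffic from the POS/ATM segment. The addresses, ports, interface name and the worm URL pattern are constructed placeholders to be replaced with the real values.

```cisco
! Constructed example: known-good POS/ATM traffic.
! Replace 10.20.30.0/24 (POS/ATM segment), 10.1.1.10 (transaction host)
! and the ports with the real values for your network.
ip access-list extended POS-ATM-GOOD
 remark POS/ATM terminals to the transaction host over TLS
 permit tcp 10.20.30.0 0.0.0.255 host 10.1.1.10 eq 443
 remark allow DNS and NTP to the local infrastructure servers
 permit udp 10.20.30.0 0.0.0.255 host 10.1.1.53 eq 53
 permit udp 10.20.30.0 0.0.0.255 host 10.1.1.53 eq 123
!
! NBAR HTTP inspection (per the answer, deep inspection is mainly
! available for HTTP). The URL pattern is a placeholder only.
class-map match-all WORM-HTTP
 match protocol http url "*REPLACE-WITH-KNOWN-WORM-URL-PATTERN*"
!
class-map match-any POS-ATM-GOOD
 match access-group name POS-ATM-GOOD
!
policy-map POS-ATM-INBOUND
 ! Drop recognised worm HTTP first so it never reaches the whitelist.
 class WORM-HTTP
  drop
 ! Forward known-good transaction traffic unchanged.
 class POS-ATM-GOOD
 ! Everything else (including dynamic-port scanning) is policed to
 ! 8 kbps; change exceed-action to drop to block unknown traffic outright.
 class class-default
  police 8000 conform-action transmit exceed-action drop
!
! Apply inbound on the LAN interface facing the POS/ATM segment.
interface GigabitEthernet0/1
 description POS/ATM segment (placeholder interface name)
 service-policy input POS-ATM-INBOUND
```

Use `show policy-map interface GigabitEthernet0/1` to confirm which class the terminals' traffic is landing in before tightening class-default to a hard drop.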

