Re: W32.Spybot.CF virus restriction through NBAR or QOS

faisal_ghaus · ‎12-05-2008

Hi

We are currently facing virus spread in one of our client network the VIRUS is effecting the ATMs and POS machines where the OS is customized and antivirus cannot be installed once we clean the virus from one machine it cames back throug other source we have restricted ports but they change once you restrict one port it send from ohter ports the only solution I see is through NBAR and QOS if any advise much appericiated

Joseph W. Doherty · ‎12-05-2008

Perhaps your two choices are: if you can recognize valid traffic, forward it and block eveything else (espeically since the hosts have dedicated functions); or identify the virus and block just it.

QoS commands would be one way to both identify traffic and pass it or block it. NBAR the specific feature that might be used for identification.

If you can identify "good" traffic, you pass it and block all else, or perhaps very much rate limit the unknown traffic. The latter would keep a virus from flooding your ATMs and POS, but this wouldn't be good if the virus can infect them.

Since you mention the virus uses dynamic ports, to identify it, you might check whether Cisco has a NBAR PDLM to do so. If not, NBAR can be configured for some packet inspection, but it might only be when using the HTTP protocol.

If you drop a 6500 with sup32-PISA in line, I recall it's FPM feature might allow you to better see and then drop virus packets.

This link, http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/BranchQoS.html#wp89756, provides some more information about using NBAR to handle various worms.

Considering the likely importance of this issue to you, it something you might want to retain additional consultation for.