ISP Blocking Service - Viruses

INIX

Hello,
Sorry if this is the wrong place for this topic but I thought it was appropriate for business related.

Scenario: Our shop has two ISP lines: 1. T1, 2. DSL
The T1 is used for the office computers and tech benches and the DSL is used for the customer pcs on the benches.

The DSL service keeps getting blocked due to customer computers being hooked up to their service infected. Obviously we are a PC repair shop and have virus-infected computers coming in non-stop. Our technicians boot the PC and plug in the network cable and download their ComboFix and Malwarebytes updates and are instructed to disconnect after. Sometimes they remember, sometimes they don't. We then have to call the ISP and tell them the virus has been removed and then they unblock us. Takes 15 minutes.

My question is, how can we prevent the DSL service from being blocked?
I was thinking of making an update server and having them get the updates from that PC and run their scans first before connecting to the DSL.

Anyone run into this issue in their shop?

Second question is, do you guys recommend having two ISPs in your shop?
Yes/No, how is your network configured?
 
Why can't you remove the viruses before hooking up to the network? I always do that. If you connect you're allowing the virus/malware the ability to download more junk onto the computer.
 
Because ComboFix and Malwarebytes need to have their updates to run a proper scan.
 
Learn to kill and remove the processes manually before hooking up the internet and running Malwarebytes, updates, etc.

just my .02

Because ComboFix and Malwarebytes need to have their updates to run a proper scan.
 
I think that's crazy that you get blocked. I have hooked up hundreds of infected machines even before they are totally clean to all of our lines (T1, DSL, Broadband) with different providers and have never been blocked.

Either they have some stupid hair-trigger response to anything bad going out or they are idiots.

If you really must stay with them you might want to put up a small firewall that will not let connected machines do something like SMTP, FTP, POP3, etc., but still can do port 80 and other important stuff.

It's not hard to do; you might even be able to get a cheap firewall with ports to put onto your existing network. I think Zyxel has some of these if you don't want to build your own.
 
I have seen ISPs block ports for "abuse" and usually quote that it is due to a virus causing the excessive traffic. I don't know what type of blocking you're getting, and most of those port blocks lead to just having to reconfigure to use an alternate, secured port instead of an open one. I would say try and kill the processes before plugging up to a network; also, most apps have offline updates, so put those on a disc and try and do updates that way too.
 
If you really must stay with them you might want to put up a small firewall that will not let connected machines do something like SMTP, FTP, POP3, etc., but still can do port 80 and other important stuff

x2 - Separate your bench systems from the net with a gateway. Drop all packets to and from ports and/or server IPs other than what is necessary for your updates. Enable DNS, HTTP, and maybe FTP. Get a list of the IPs for your updates, and set up a whitelist. Everything else gets dropped.
 

This is stupid. I've never heard of an ISP doing that.
Who provides your DSL service?
Good to know, to keep away from them if this is true.
 
This is stupid. I've never heard of an ISP doing that.
Who provides your DSL service?
Good to know, to keep away from them if this is true.


ISP is Qwest. They put a redirect to call them once blocked. =(
We have 10 technicians and to be honest can't babysit them to ensure all processes are killed before plugging in. (Sad, I know.) They have been told time and time again to kill all processes and plug in and get out until the machine is clean. We continue to get blocked about once a week.

I thought about the whitelist idea, but then the techs cannot use the DSL for other issues, i.e. proprietary software updates, online videos not playing, etc.
 
ISP is Qwest. They put a redirect to call them once blocked. =(
We have 10 technicians and to be honest can't babysit them to ensure all processes are killed before plugging in. (Sad, I know.) They have been told time and time again to kill all processes and plug in and get out until the machine is clean. We continue to get blocked about once a week.

I thought about the whitelist idea, but then the techs cannot use the DSL for other issues, i.e. proprietary software updates, online videos not playing, etc.

I'm sorry, but for you this should be a non-issue. If you have 10 techs in the shop you should already have been looking into resolving this annoyance, even though it's not your fault. I mean, if it happened to me I would have fixed it somehow by the 3rd or 4th time.

A firewall is probably the first thing to do; sure, it takes a little reading to get the right setup and may cost you $100+, but it removes this whole thing about calling up Qwest and dealing with their crap.
 
I thought about the whitelist idea, but then the techs cannot use the DSL for other issues, i.e. proprietary software updates, online videos not playing, etc.

It's rare that a software application needs to update on a non-standard port. Video is pretty standard as well. If you want to maintain wider access, just concentrate on port blocking.

These ports should give you web browsing, telnet, FTP, SSH, VPN, and RTSP capabilities while removing outgoing access to anything else. Since most malware communicates on non-standard ports, your problem should be solved.

21-23 - Allow
53 - Allow
80 - Allow
123 - Allow
137-139 - Allow
443 - Allow
554 - Allow
1723 - Allow
8554 - Allow
7070 - Allow
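The egress allow-list above, and the whitelist gateway suggested earlier in the thread, can be expressed as a default-drop forwarding policy on a small Linux box sitting between the bench switch and the DSL modem. The script below is an added example, not the poster's own configuration or anything from a specific firewall product; it assumes an nftables-capable Linux gateway with the bench LAN on eth1 (192.168.50.0/24) and the DSL link on eth0, all of which are assumed names you would adjust. It takes the TCP ports from the list above but leaves 137-139 (NetBIOS) off the WAN list, a design choice of this example, since that traffic has no business crossing the DSL link and is itself a common reason for ISP abuse flags. Dropped packets are logged with the source address, so when the ISP does complain you can see which bench machine was talking.

```shell
#!/bin/sh
# Added example: default-drop egress allow-list for a repair-bench gateway (nftables).
# Assumptions (not from the thread): gateway runs Linux with nftables; bench LAN is
# on $BENCH_IF, DSL modem on $DSL_IF, bench machines use $BENCH_NET. Adjust to taste.
BENCH_IF="${BENCH_IF:-eth1}"
DSL_IF="${DSL_IF:-eth0}"
BENCH_NET="${BENCH_NET:-192.168.50.0/24}"

# TCP ports from the thread's list (137-139 deliberately omitted: LAN-only protocol).
# 21-23 ftp/ssh/telnet, 53 dns, 80/443 web, 123 ntp, 554/8554/7070 rtsp, 1723 pptp
ALLOW_TCP="21-23 53 80 123 443 554 1723 7070 8554"
# UDP counterparts the bench actually needs: DNS and NTP.
ALLOW_UDP="53 123"

# Turn "21-23 53 80" into the nft set body "21-23, 53, 80".
to_set() {
    printf '%s' "$1" | sed 's/ /, /g'
}

# Emit the complete ruleset on stdout so it can be reviewed before it is loaded.
bench_ruleset() {
    cat <<EOF
flush ruleset
table inet bench {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the bench machines opened themselves.
        ct state established,related accept

        # New outbound connections from the bench, allowed ports only.
        iifname "$BENCH_IF" oifname "$DSL_IF" ip saddr $BENCH_NET tcp dport { $(to_set "$ALLOW_TCP") } ct state new accept
        iifname "$BENCH_IF" oifname "$DSL_IF" ip saddr $BENCH_NET udp dport { $(to_set "$ALLOW_UDP") } ct state new accept
        # PPTP (1723) also needs the GRE tunnel protocol to pass.
        iifname "$BENCH_IF" oifname "$DSL_IF" ip saddr $BENCH_NET ip protocol gre accept

        # Everything else leaving the bench (SMTP, IRC, scanning, odd ports) is
        # logged, rate-limited, then dropped. The log line carries the source IP,
        # which tells you which bench PC to unplug.
        iifname "$BENCH_IF" limit rate 10/minute log prefix "bench-drop: "
        iifname "$BENCH_IF" drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Bench machines share the gateway's DSL address.
        oifname "$DSL_IF" masquerade
    }
}
EOF
}

case "${1:-show}" in
    show)  bench_ruleset ;;               # print the ruleset for review
    apply) bench_ruleset | nft -f - ;;    # load it (requires root and nftables)
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with `show` first and read the rules; `apply` loads them with `nft -f -`. Two practical notes: the policy is stateful, so inbound connections to the bench from the DSL side never match and are dropped, and the port allow-list only narrows what the ISP's abuse detection can see (no SMTP floods, no scanning on random ports); anything that talks plain HTTP or HTTPS still gets out, so the "bench-drop:" log lines, not the firewall alone, are what tell you a machine on the bench is still dirty.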
 
You can update Malwarebytes on a clean computer, then burn the rules.ref file to CD (or copy it to a flash drive) and update the infected system with the latest definitions. This is how I do it, as I don't like connecting infected systems to my network if I don't have to.
 
Sorry, I should have clarified. I am not the owner of this shop, and I agree I would have resolved this issue long ago one way or another.

I have asked to assist with the issue, but they don't want any help with the network from non-management.

Love learning from others' mistakes.

Thanks for all the input!
 
Sorry, I should have clarified. I am not the owner of this shop, and I agree I would have resolved this issue long ago one way or another.

I have asked to assist with the issue, but they don't want any help with the network from non-management.

Love learning from others' mistakes.

Thanks for all the input!

WTF? A shop with 10 techs and they don't want any help from non-management? What kind of f'n place is this? Is this a Geek Squad, Staples or something similar?
 
This is stupid. I've never heard of an ISP doing that.

I've got Suddenlink Cable (formerly Cox) at my home office and a mom & pop company DSL connection at my office and I've never heard of this. Most of my customers are on Suddenlink or AT&T DSL and I've never had a customer blocked by their ISP for having viruses. This is amazing to me. If this happened down here, most of my customers wouldn't have internet access as badly as their machines are infected by the time I get them!
 
It happens in the town where I work, especially with small businesses. Depending on the severity of the malware coming through they will block anything from outgoing email to internet access until some IT guy looks at their systems and fixes the problems.
 
A simple solution to this is to PVLAN the customers' PCs; this way they can't infect each other, one customer's PC can't wind up erasing data on the others, and they can't propagate out to the internet. Let only one PVLAN be in promiscuous mode, and let that one be a Linux server with an ext3 partition and a Perl script that updates the latest antivirus tools, antispyware tools, and definitions. I put my PVLANs in a lab group; there are of course also accounting, research, and office management. You should really research this.
 
I have a friend who works for Comcast and he's advised me this is something they're looking to do in the future. I think it makes sense, as it'll allow them to reduce the spread of botnets and crimeware. Botnets, as you all know, are known for massive amounts of spam, etc., so cutting those connections until the machine is cleaned up makes sense. Like it or don't like it, it appears to be something we'll start seeing more of in the not too distant future.
 