Hi All,
Sasser seems to be alive and well; here is some information that you may find useful.
--
Based on the information at the Symantec link:
- Blocking destination TCP ports 5554 and 9996 at the routers will stop the payload being transferred across network segments. (5554 appears to be the content transfer channel (FTP); 9996 is the remote shell used to run commands on a host.)
- Deploying an IPSec policy with filter actions for Block on ports 5554 and 9996 can be used to block the transfer of the payload to or from individual hosts. Blocking inbound 445 is also possible, but may cause problems depending on your specific requirements re File and Print sharing on clients. NB: This is a technique to limit the spread of the virus, not to mitigate the vulnerability.
--
Group Policy deployment of the removal tool has not been tested to my knowledge, but:
- When assigned to a computer, the package is executed using a Local System logon, so shouldn't encounter any permissions issues.
- The cleanup tool fails if the MS04-011 hotfix is not installed.
- Group Policy does not guarantee an order of completion for assigned packages.
- If the package runs unsuccessfully, it may not be run again by the software deployment engine; instead, consider using MSI to get the cleanup tool onto the workstations and a computer startup script to execute the tool.
- Our typical suggestion is to install MS04-011, reboot, then run the cleanup tool; GP software deployment may not be able to accomplish this in a single step.
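
The per-host IPSec block on TCP 5554 and 9996 described in the Symantec-based notes above, as an added example that is not part of the original message. It assumes a Windows version that provides the `netsh ipsec static` context and writes to the local policy store; the policy, filter list and filter action names are hypothetical labels.

```bat
@echo off
rem Added example: local IPSec policy that blocks the two Sasser transfer
rem ports named in the message (TCP 5554 and TCP 9996), to and from this host.
rem All object names below are hypothetical labels chosen for this example.
setlocal
set POLICY=Block Sasser Ports
set FLIST=Sasser Port Filters
set FACTION=Sasser Block

rem 1. Create the policy unassigned, so nothing is enforced until it is complete.
netsh ipsec static add policy name="%POLICY%" description="Block TCP 5554 and 9996" assign=no

rem 2. Create the filter list and add one inbound and one outbound filter per port.
rem    mirrored=no keeps each filter one-directional: a mirrored inbound filter
rem    would match replies sent FROM port 5554/9996, not connections TO them.
netsh ipsec static add filterlist name="%FLIST%"
for %%P in (5554 9996) do (
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=no description="Inbound TCP %%P"
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=%%P mirrored=no description="Outbound TCP %%P"
)

rem 3. Create the Block filter action and bind it to the filter list in a rule.
netsh ipsec static add filteraction name="%FACTION%" action=block
netsh ipsec static add rule name="Block Sasser transfer ports" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"

rem 4. Assign the policy, then print it so the four filters can be checked.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose

rem TCP 445 is deliberately not filtered here because of the File and Print
rem sharing caveat in the message. To roll back:
rem   netsh ipsec static set policy name="%POLICY%" assign=n
rem   netsh ipsec static delete policy name="%POLICY%"
endlocal
```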