We're using BM38, and recently the Tumb virus hit us. We were able to
clean most of our workstations (about 700), but some aren't clean yet and
still try to connect to a specific IP address via FTP (hardcoded in the
virus) to download the virus executable (syshost.exe).
I'm trying to block FTP access to this IP, but as far as I know, it will
not work using BM access rules, because we don't use the FTP proxy (is
this right?). So, in this case, I tried to configure a filter rule in
IPFILT.NLM, but we use a "deny-all then allow exceptions" filter chain -
so, I can't put a deny filter to this specific IP blocking FTP, because
the exceptions allow all FTP traffic between intra and public interfaces
and will override the deny filter. Is this right also?
So, what else can I do to block it? I'm kind of a newbie to this stuff,
and any help will be appreciated!