network monitor to detect malware?

If a PC is infected by a virus, it is sometimes difficult to know or detect
with virus scanner because most virus can cloak themselves. But they usually
have some sort of LAN or internet traffic, either in an attempt to infect
other PCs on the LAN, or to download "payload update", or to send off stuff
collected (bank account info, ...).

So, is there a network monitor specifically designed to detect virus
activity on a home LAN that I can run on a dedicated PC?

On 12/28/2009 05:42 PM, John wrote:actually i'm also in search of such tool....

On 12/28/2009 05:42 PM, John wrote:
actually i'm also in search of such tool......

http://www.smoothwall.org/about/express-feature-list/ ?

http://www.smoothwall.org/about/express-feature-list/ ?

| If a PC is infected by a virus, it is sometimes difficult to know or detect|

| If a PC is infected by a virus, it is sometimes difficult to know or detect
| with virus scanner because most virus can cloak themselves. But they usually
| have some sort of LAN or internet traffic, either in an attempt to infect
| other PCs on the LAN, or to download "payload update", or to send off stuff
| collected (bank account info, ...).

| So, is there a network monitor specifically designed to detect virus
| activity on a home LAN that I can run on a dedicated PC?


Yes... and No...

Most malware does not "cloak themselves", per se.  For the most part the vast majorty that
are not detected by a given anti virus are just not yet recognized via direct or heuristic
detections.  However some RootKit trojans such as TDSS (aka; TDL3) are able to cloak/hide
form most anti virus applications.

FireWall appliances *may* or may not be able to act as a network monitor.  It would depend
on the software on the appliance.  Beacuse it is an appliance outside the operating
envirment this cloaking becomes a moot point.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Such a tool is called a packet sniffer.

Such a tool is called a packet sniffer. It resides on the firewall
machine or is part of the main path at the WAN/LAN interface or on a
machine that can see all the traffic on the LAN. One such tool is
called Snort, http://www.snort.org. The tool is designed to detect
packets that are characteristic of intrusion attempts from outside but
it can be used for outbound packets as well. It all depends on the
rule sets. The sniffer inspects all traffic passing between the
firewall and the LAN and alerts when the rules are triggered. The
drawback is that the characteristic activity must be known in order
for it to trigger, just as the characteristics of the malware binaries
must be known in order to detect their presence. The intent is to
detect intrusion before it happens, an Intrusion Detection System
(IDS), not a extrusion detection since this only occurs AFTER a system
has been compromised and presumably this would only occur when malware
detection has failed. Using white lists and blacklists one can alert
on packets that do not fall within the "approved" parameters.

The philosophy is defense in depth, combining system updates and
maintenance and anti-virus measures with firewall protection and
traffic analysis to detect assaults as they occur. This is usually
more effort than most people are willing to perform to protect their
home computers.