TR Forums

So at work we have a machine employees use that has been getting viruses like clockwork during a specific shift. I would like to get a better idea of exactly when it is happening, so I can track down which user is the cause. Does anyone have any recommendations for software capable of logging web traffic on the machine? I've got a pretty good idea what the employee(s) is(are) doing, but I'd like to prove it.

I tried a bit of searching, but most result sets are clogged with noise from either enterprise security software, or parental control filters.

Can you not simply pull up the IE history?

Buy the full version of MalwareBytes Anti-Malware and install it on the problem box. The logs it generates will ID URL and time, making it easy to ID the perp.

bthylafh wrote:

Can you not simply pull up the IE history?

Nope, the involved party knows enough to nuke the (Firefox) history.

If it were up to me I would just go full madmin and downgrade the default user from admin to normal user (or guest) and wash my hands of the issue, but powers that be want timestamps and hard proof.

Can you use a hardware appliance?

It strikes me you should be able to use Software Restriction Policies to prevent Firefox from running on that box. Force them to use IE and disable the History Erasing.

Computer Configuration > Adminstrative Templates > Windows Components > Internet Explorer > Delete Browsing History > Prevent Deleting Web sites that the User has Visted

- There are many more in that subfolder that would make the life of the perpetrator quite hard.

If this is a Windows 7 box I'd highly recommend AppLocker to disable the use of Firefox, but if you only have XP or Vista then Software Restriction Policies (SRP) should work.

I could put up a hypothetical SRP policy that would work if this idea seems like it might fit the bill.

I normally stay away from IE on non-Vista/7 machines, but I'll try that setting for IE (and uninstall/hide FF)

There's an .MSI version of Firefox available from a third party, and the installer includes .ADM files so you can control the thing with group policy. Maybe it has a setting to disable clearing history.

Yay, another chance to pimp pfSense, Snort, Squidguard, and Lightsquid running on a spare box in your network! You could also get other types of IPS/IDS (IBM Proventia, for example), but pfSense is free and will work exceptionally well for what you're trying to do.

Try it today!

It's also a fun project to do to earn those golden overtime hours!