How can I stop and drop auto updates?

Hello everyone,
In my network I need to drop and stop all updates of antivirus software like Kaspersky, Norton, NOD32, etc.
How can I do that?
Regards

Any help?

Up! Up! Bump! Bump! Bump!

Uninstall it?

Or block the update servers in the filter.

How can I drop by filter rule? Like Kaspersky and Norton.

Create a drop rule in the forward chain that drops an address list. Then put all of the hostnames of the update servers into the address list.

The address list contains:
Name
Address
Timeout
If I need to add the link for an update server, for example Kaspersky:
Where do I add this link? Inside the address list?
If I write it in “address” and apply, it shows error expect?

Most virus scanners deliver updates via CDN. They don’t want it to be easy to block.

You need RouterOS 6.36.

That’s the point of the address list using the DNS hostname. It will resolve the IP addresses and block them. At least that’s the theory.

What is new in version 6.36 in the address list?

The ability to resolve DNS to IP address.
However, in testing, it looks like it will only resolve a single address.

Realistically, you are going to have to look up and manually add all of the IPs yourself.

Before I posted here,
I tested by writing the link of the update server from IP DNS static.
And on apply, the link automatically changes to an IP address.

There is no reason whatsoever to assume that the router will block the same address as the PC will be using to update, when the CDN uses a pool of addresses from which the DNS returns a rotating subset. That is what they usually do.
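Added example, not part of any post in this thread: a small Python check of how much of what clients actually resolve is covered by a static address list, which is the gap the post above describes. The export text and the DNS answers are constructed samples using documentation address ranges, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample in "/ip firewall address-list export" form (documentation IPs).
ROUTER_EXPORT = """\
/ip firewall address-list
add address=203.0.113.10 list=kaspersky
add address=198.51.100.0/28 list=kaspersky
add address=192.0.2.77 list=other
"""

# Constructed sample: (hostname, address) answers one client saw over several lookups.
CLIENT_ANSWERS = [
    ("dnl-01.geo.kaspersky.com", "203.0.113.10"),
    ("dnl-01.geo.kaspersky.com", "203.0.113.11"),
    ("dnl-01.geo.kaspersky.com", "198.51.100.5"),
    ("dnl-02.geo.kaspersky.com", "198.51.100.20"),
    ("dnl-02.geo.kaspersky.com", "192.0.2.77"),
]

def parse_address_list(export_text, list_name):
    """Return the IP networks of one address list found in an export."""
    nets = []
    for line in export_text.splitlines():
        fields = dict(re.findall(r"(\S+?)=(\S+)", line))
        if line.startswith("add ") and fields.get("list") == list_name:
            try:
                nets.append(ipaddress.ip_network(fields["address"], strict=False))
            except (KeyError, ValueError):
                pass  # DNS-name entry or malformed address: no fixed IP to match
    return nets

def is_covered(addr, nets):
    """True if addr falls inside any entry (single address or CIDR)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def uncovered(answers, nets):
    """Map hostname -> sorted addresses the client saw that no entry covers."""
    gaps = {}
    for host, addr in answers:
        if not is_covered(addr, nets):
            gaps.setdefault(host, set()).add(addr)
    return {host: sorted(addrs) for host, addrs in gaps.items()}

def coverage(answers, nets):
    """Fraction of distinct client-resolved addresses that the list covers."""
    seen = {addr for _, addr in answers}
    return sum(is_covered(a, nets) for a in seen) / len(seen) if seen else 1.0
```

With the sample data, three of the five addresses the client resolved are not matched by the `kaspersky` list, so a drop rule on that list would let those connections through.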

I found all the update servers of Kaspersky antivirus.
What's the best way to drop them?
Below is the list of Kaspersky Lab servers used for downloading antivirus database updates, new application modules, and patches:
http://dnl-01.geo.kaspersky.com

http://dnl-02.geo.kaspersky.com

http://dnl-03.geo.kaspersky.com

http://dnl-04.geo.kaspersky.com

http://dnl-05.geo.kaspersky.com

http://dnl-06.geo.kaspersky.com

http://dnl-07.geo.kaspersky.com

http://dnl-08.geo.kaspersky.com

http://dnl-09.geo.kaspersky.com

http://dnl-10.geo.kaspersky.com

http://dnl-11.geo.kaspersky.com

http://dnl-12.geo.kaspersky.com

http://dnl-13.geo.kaspersky.com

http://dnl-14.geo.kaspersky.com

http://dnl-15.geo.kaspersky.com

http://dnl-16.geo.kaspersky.com

http://dnl-17.geo.kaspersky.com

http://dnl-18.geo.kaspersky.com

http://dnl-19.geo.kaspersky.com

http://dnl-00.geo.kaspersky.com

  • make sure you run version 6.36.2
  • add all those names to an address list named kaspersky (use those URLs without the http:// )
  • block traffic to that address list on your network
  • hope for the best

When I have added them to the address list:
Go to filter
Add
Chain forward
Advanced
Dst-address-list, here I select the name of the address list?
Action drop
True?

This seems like a bad idea waiting to happen. If you deprive clients of updated anti-malware definitions, sooner or later they’re going to get infected with some DDoS blasting trojan or worm that is going to do much more harm to your network. As the updates are delivered over HTTP, consider setting up a caching proxy instead if you need to save bandwidth.