CLEANACCESS Archives

May 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Jeremy Wood <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 7 May 2009 15:56:52 -0400

We have actually started to implement this as well. We have 3 part
custom rules that look for things like limewire, kazaa, emule, ares,
etc. The 3 parts are:

Registry Key
Program Executable
Essential File

We do this so that even if the user renames 'limewire.exe' to
'notlimewire.exe' we can still detect another limewire file that can't
be renamed. Now granted that doesn't stop a user from grabbing an OSS
P2P software and hacking the code to get around this, but then IPS
rules can grab that.

Right now we have one rule running in Audit mode and it seems to work
well. After some more testing this summer it is going to be one of the
things implemented during the Fall semester.

--Jeremy


On Thu, May 7, 2009 at 15:13, Stanclift, Michael
<[log in to unmask]> wrote:
> We're talking about writing some custom rules in CCA to scan systems and detect common P2P software, starting next semester, and denying access to the network for those who have it installed. Is anyone else doing this? Is there a better way to go about this than custom rules, some kind of plug-in or built-in feature I'm missing?
>
> We generally block P2P traffic out of our network, but we're going to start getting more aggressive in trying to "educate" users that using it and trading files is not only illegal (at least, what they're doing with it), it is a great way to infect your computer.
>
>
> Michael Stanclift
> Network Analyst
> Rockhurst University
>
> http://help.rockhurst.edu
> (816) 501-4231
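
The three-part rule described in the message above, modelled in Python as an added example; it is not part of the original thread and is not Cisco Clean Access rule syntax. It assumes the three parts are OR-combined and that audit mode reports without denying access; the registry key, essential-file name and host inventories are constructed placeholders.

```python
from dataclasses import dataclass

def norm(path):
    # Windows file paths and registry keys compare case-insensitively.
    return path.replace("/", "\\").rstrip("\\").lower()

@dataclass(frozen=True)
class ThreePartRule:
    name: str
    registry_key: str     # key created by the installer
    executable: str       # program file name (can be renamed by the user)
    essential_file: str   # file name the program needs in order to run

    def evaluate(self, host):
        """Return the parts of the rule that matched this host inventory."""
        keys = {norm(k) for k in host["registry_keys"]}
        names = {norm(f).rsplit("\\", 1)[-1] for f in host["files"]}
        parts = [("registry_key", norm(self.registry_key) in keys),
                 ("executable", norm(self.executable) in names),
                 ("essential_file", norm(self.essential_file) in names)]
        return [label for label, matched in parts if matched]

def posture(rule, host, mode="audit"):
    """Any single matching part flags the host; audit mode only reports."""
    hits = rule.evaluate(host)
    if not hits:
        return "pass", hits
    return ("report" if mode == "audit" else "deny"), hits

# Constructed values: the key and essential-file names are placeholders.
RULE = ThreePartRule("limewire", r"HKLM\SOFTWARE\ExampleP2P",
                     "limewire.exe", "examplep2p-core.dat")

# Constructed inventories, as a posture agent might collect them.
HOSTS = {
    "clean": {"registry_keys": [r"HKLM\SOFTWARE\Mozilla"],
              "files": [r"C:\Program Files\Mozilla\firefox.exe"]},
    "installed": {"registry_keys": [r"HKLM\Software\ExampleP2P"],
                  "files": [r"C:\P2P\LimeWire.exe", r"C:\P2P\examplep2p-core.dat"]},
    "renamed": {"registry_keys": [],
                "files": [r"C:\P2P\notlimewire.exe", r"C:\P2P\examplep2p-core.dat"]},
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        print(name, posture(RULE, host, "audit"), posture(RULE, host, "enforce"))
```

Recording which parts matched, rather than a bare yes/no, shows during an audit period how often the rule fires on the essential file alone, which is the renamed-executable case.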
