bsharath

Stop a machine connecting to network

Hi,

When a machine is found with a virus, how can I immediately stop it connecting to the network? Is it possible to disable the network adapter of that machine remotely, or is there any other better solution for this?

Regards
Sharath
Alan Huseyin Kayahan

Hi Sharath,

I offer Symantec Corporate edition for your network environment. Otherwise you will need a script which can collaborate with the antivirus to get a "virus found" variable and take action, which is hard to achieve in my opinion. Even if you disable the network card remotely, you won't be able to enable it back remotely, and the client will lose even domain join ability, etc.

Regards
bsharath (ASKER)

I just need to disable the machine from being accessed. Later an engineer will go to site, clear the virus, then reconnect it to the domain.

Is it possible with a tool or script?
Hi Bsharath
You can do the following:
1. Disable the computer's account.
2. Restrict its MAC address from getting a DHCP address (if DHCP). Or, if it is a static address, use IPSec in GPO to block it from talking to all domain machines.
Cheers
Stu
Any way a script can do this just by specifying the IP or machine name?
If I disable the computer in ADS, what will happen?
Disabling the computer will stop the machine from having access to your domain.
Not sure what you can do with a script - but you would have to connect from another machine, which is bad as the virus may spread.
If you can't do the above, get the user to turn the machine off or remove the cable from the back.
Cheers
Stu
You'll effectively lock it out of the domain and it won't be able to log in except locally. However, if the virus uses new Windows exploits, or exploits you haven't patched yet, it will still be able to spread, but it won't be able to abuse the computer account in the domain :)
Hi Experts
* How will the PC determine if there is a virus or not? Most likely by an antivirus. This is the information. We are OK here.
* And our action in case of a virus: there are many ways. Stopping netlogon network services, RPC, or the ways you mention like DHCP lease, MAC, etc. This is not the problem.
* The problem is, how will this process start automatically? By a script. How will the script know if a virus exists or not? By information from the antivirus, which can be set as a Visual Basic variable. So we have to synchronize between the antivirus and the script.

Regards
For the time being, can I have a way to only disable the network adapter?

The reason I am very particular is:

When I find a machine with a virus, my antivirus software sends me a mail with the alert.
Then I should have an engineer sent to the user for action. This may take some time, say 1 hr to go to the location, or maybe more if we are on a holiday.
If I get a mail when I am on leave, I can just isolate the machine by disabling the adapter and send a mail to the engineer on the next shift to take care of the virus.

THX
Sharath
The DevCon command-line utility functions as an alternative to Device Manager
http://support.microsoft.com/kb/311272/

Don't know how many different network cards you have in your environment, but this might take some tweaking....

Or, simply use Computer Management, and connect to the remote computer, and disable the NIC.....

ASKER CERTIFIED SOLUTION
johnb6767

This solution is only available to members.

or...

psexec \\remotepc cmd
then once in the remote shell....
devcon disable =net pci\ven*

devcon would need to be in the system32 directory of the target machine....
But

C:\Pstool>psexec \\dev-chen-pc2149 c:\devcon disable =net pci\ven*

PsExec v1.63 - Execute processes remotely
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start c:\devcon on dev-chen-pc2149:
The system cannot find the file specified.

Can't we route devcon to be found from the machine we are running psexec on?
You can use the -c option.....I just never use it for some reason...  :)

-c         Copy the specified program to the remote system for
           execution. If you omit this option the application

C:\Pstool>psexec \\dev-chen-pc2149 -c c:\devcon disable =net pci\ven*

Might need to put devcon in your system32 folder....
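
The two containment steps suggested in this thread (disable the computer account, then disable the NIC with `psexec -c` and devcon), combined into one script run from an admin workstation. This is an added example, not code from any poster; the `C:\Pstool` tool location, the log file name and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: contain one infected workstation from an admin machine.
# Assumptions (not from the thread): RSAT ActiveDirectory module installed,
# psexec.exe and devcon.exe both in C:\Pstool, caller has domain admin rights.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]  # plain host name only, so nothing else reaches psexec
    [string]$ComputerName,
    [string]$ToolDir = 'C:\Pstool',
    [string]$LogFile = 'C:\Pstool\isolation.log'
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

function Write-Log([string]$Message) {
    $line = '{0:u} {1} {2}' -f (Get-Date), $ComputerName, $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Step 1: disable the computer account. This talks to a domain controller,
# not to the infected host, so it is done before the host is cut off.
$account = Get-ADComputer -Identity $ComputerName
Set-ADComputer -Identity $account -Enabled $false
Write-Log "Computer account disabled: $($account.DistinguishedName)"

# Step 2: disable the PCI network adapters. This must be the last remote action,
# because it also cuts the psexec session. -c copies devcon.exe to the target.
$psexec  = Join-Path $ToolDir 'psexec.exe'
$devcon  = Join-Path $ToolDir 'devcon.exe'
$psArgs  = "\\$ComputerName", '-c', $devcon, 'disable', '=net', 'pci\ven*'
$proc    = Start-Process -FilePath $psexec -ArgumentList $psArgs -Wait -PassThru -NoNewWindow
# The exit code is informational only: psexec may report an error simply
# because the connection dropped when the adapter went down.
Write-Log "psexec exit code: $($proc.ExitCode)"

# Step 3: confirm the result independently of psexec.
# Caveat: a host firewall that drops ICMP also makes this check return false.
Start-Sleep -Seconds 10
if (Test-Connection -ComputerName $ComputerName -Count 2 -Quiet) {
    Write-Log 'WARNING: host still answers ping; isolation not confirmed'
    exit 1
}
Write-Log 'Host no longer answers ping; adapter must be re-enabled on site'
```

As noted earlier in the thread, the adapter cannot be re-enabled remotely once this has run, and the computer account has to be re-enabled in AD before the cleaned machine can use the domain again.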