Recent large-scale and rapidly evolving worm epidemics have led to interest in automated defensive measures against self-propagating network worms. We present models of network worm propagation and defenses that permit us to compare the effectiveness of "passive" measures, attempting to block or slow down a worm, with "active" measures, that attempt to proactively patch hosts or remove infections. We extend relatively simple deterministic epidemic models to include connectivity of the underlying infrastructure, thus permitting us to model quarantining defenses deployed either in customer networks or towards the core of the Internet. We compare defensive strategies in terms of their effectiveness in preventing worm infections and find that with sufficient deployment, content based quarantining defenses are more effective than the counter-worms we consider. For less ideal deployment or blocking based on addresses, a counter-worm can be more effective if released quickly and aggressively enough. However, active measures (such as counter-worms) also have other technical issues, including causing additional network traffic and increases risk of failures, that need to be considered.