Endpoint Protection

Antivirus software and the illusion of protection. 

Feb 15, 2010 02:03 PM

"How come my machines got infected even though I had the antivirus installed?"

is a question we hear all too often. The cause is usually either a missed detection of a new threat (not yet in the definitions) or, most likely, "bad" system administration.

Unfortunately, these days installing a firewall at the internet connection and antivirus software on the machines is just not enough, and you would be mistaken to believe you are protected. Here is a short, non-exhaustive list of easy steps that generally need to be done to greatly reduce the possibility of threat outbreaks and attacks.

1/ Operating system updates

Surprisingly, the importance of keeping systems up to date with security patches is often underestimated and is overlooked until an incident occurs that could have been prevented simply by updating the systems.

In my opinion, any network over 30 machines should have a Windows Server Update Services (WSUS) server and regularly (monthly or more often) update all the machines on the network.
WSUS offers the possibility to test all the updates for potential incompatibilities on your network if needed. And while this understandably adds extra work for the administrator, it may save you from a weekend of running virus scans in safe mode on all your machines, or worse, loss or theft of sensitive data.
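As an added example (not part of the original article), the following PowerShell script reports machines whose newest installed hotfix is older than the update cadence recommended above. It assumes a hypothetical `computers.txt` with one host name per line and an account that may query WMI remotely on those hosts.

```powershell
# Added example (not from the original article): flag machines whose newest installed
# hotfix is older than the update cadence the article recommends, so WSUS stragglers
# and unreachable hosts show up in a report instead of in an incident.
# Assumptions: computer names come from a text file, one per line (constructed input),
# and the account running this may query WMI remotely on those hosts.
param(
    [string]$ComputerList = '.\computers.txt',   # hypothetical input file
    [int]$MaxAgeDays = 30                        # "monthly or more" from the article
)

$threshold = (Get-Date).AddDays(-$MaxAgeDays)

$report = foreach ($computer in Get-Content $ComputerList) {
    $lastPatch = $null
    try {
        # Get-HotFix wraps Win32_QuickFixEngineering; InstalledOn is blank for some
        # entries, so drop those before picking the newest one.
        $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        if ($latest) {
            $lastPatch = $latest.InstalledOn
            if ($lastPatch -lt $threshold) { $status = 'STALE' } else { $status = 'OK' }
        } else {
            $status = 'NO PATCH DATA'
        }
    } catch {
        # A host that cannot be queried is exactly the one most likely to have missed updates.
        $status = "UNREACHABLE: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Computer = $computer; LastPatch = $lastPatch; Status = $status }
}

# Problems first; an empty table means every host was patched within the window.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table Computer, LastPatch, Status -AutoSize
```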

2/ Antivirus software loses most of its effectiveness without up-to-date definitions

It is important to audit virus definition updates on your network. Make sure all your AV clients report to the management servers, and that reports are run regularly and discrepancies investigated. Do not hesitate to contact AV support if you are not able to figure out by yourself why definitions are not being updated, and do not let it drag on longer than necessary.

Yes, Antivirus software needs maintenance and monitoring.

3/ Disable Autorun/Autoplay feature

Many threat outbreaks happen because an unsuspecting employee plugged in a USB thumb drive that happened to be infected, although this could have been simply avoided by disabling Autorun in Windows.

I have personally never heard of a case where this feature was needed in an enterprise network, and it is potentially a gateway for threats to get through. Disabling it will also prevent many threats that drop autorun.inf files on shared drives from propagating.

The good news is this is really easy to fix by creating a GPO; here is the Microsoft KB article for it:
http://support.microsoft.com/kb/967715
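As an added example (not from the article or the KB), this PowerShell script audits, and with `-Fix` enforces, the registry value behind the GPO in KB 967715: `NoDriveTypeAutoRun = 0xFF` under the Explorer policy key turns Autorun off for every drive type, and the KB documents a `HonorAutorunSetting` value that the accompanying fix writes so Windows actually honours it. It assumes it runs locally with administrative rights (for example as a startup script).

```powershell
# Added example (not from the article or the KB): check, and optionally set, the
# registry value that the "Turn off Autoplay" GPO described in KB 967715 controls.
# Assumes it runs locally with administrative rights.
param([switch]$Fix)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desired   = 0xFF   # bit mask: 0xFF = Autorun disabled for all drive types

function Get-RegistryValue($path, $name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name } catch { $null }
}

$current = Get-RegistryValue $policyKey 'NoDriveTypeAutoRun'
$honor   = Get-RegistryValue $policyKey 'HonorAutorunSetting'

if ($honor -ne 1) {
    # Per the KB, this value is written by the fix that makes Windows honour NoDriveTypeAutoRun.
    Write-Warning 'HonorAutorunSetting is not 1: the Autorun fix from KB 967715 may be missing, and NoDriveTypeAutoRun could be ignored.'
}

if ($current -eq $desired) {
    Write-Output ('Autorun is disabled for all drive types (NoDriveTypeAutoRun = 0x{0:X}).' -f $current)
} elseif ($Fix) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value $desired -Type DWord
    Write-Output 'NoDriveTypeAutoRun set to 0xFF; the change applies at the next logon.'
} else {
    $shown = if ($current -eq $null) { 'not set' } else { '0x{0:X}' -f $current }
    Write-Warning "Autorun is NOT fully disabled (NoDriveTypeAutoRun is $shown). Re-run with -Fix, or deploy the GPO from the KB."
}
```

Running it without `-Fix` is safe on any host and is a quick way to verify that the GPO actually reached a machine.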

4/ "Run as..."

It is generally not a good idea to log on to systems with high-privilege accounts like Domain Administrators, and it is a really bad one when you suspect said systems might be infected: depending on the threat, this could effectively give it admin-level access to all other machines on the network.
It is much safer to log on as a local administrator or, even better, a normal user, and use the very useful "Run as..." command when needed.

Of course as a general rule, do not give administrator rights to users in your company unless it is necessary.
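To find out who actually holds administrator rights, as an added example (not from the article), the following PowerShell script lists the members of the local Administrators group on each machine using the WinNT ADSI provider, which needs no extra modules. It assumes a hypothetical `computers.txt` of host names and an account allowed to read local group membership remotely; the `$expected` names are assumptions.

```powershell
# Added example (not from the article): report every member of the local Administrators
# group that is not on the expected list, across all machines in a list.
# Assumptions: computer names in a text file (constructed input), an account that may
# read local group membership remotely, and hypothetical expected member names.
param([string]$ComputerList = '.\computers.txt')

# Accounts that are supposed to be there; anything else is reported.
$expected = @('Administrator', 'Domain Admins')

foreach ($computer in Get-Content $ComputerList) {
    try {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # Each member is a COM object; its Name and Class (User/Group) are read via reflection.
            $name  = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
            $class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
            New-Object PSObject -Property @{ Computer = $computer; Member = $name; Class = $class }
        }
        $members | Where-Object { $expected -notcontains $_.Member } | ForEach-Object {
            Write-Output ("{0}: unexpected {1} '{2}' in local Administrators" -f $_.Computer, $_.Class, $_.Member)
        }
    } catch {
        # Unreadable hosts are listed too, so they can be followed up rather than silently skipped.
        Write-Warning "$computer : could not read group membership ($($_.Exception.Message))"
    }
}
```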

5/ Password Policies

Users don't like having to remember complex passwords, and they like it even less when they have to change them every 3 months and can't reuse the last one.
While that may be true initially, people get used to it. Yes, it may increase the number of calls to the helpdesk, but it has too many benefits on the security side to list, and too many to be overlooked.

I have seen more people than I'd like to believe who have installed a SEP Manager and then contacted us because the deployment tool would not accept an Administrator account with a blank password.

Antivirus software does not protect from everything, and good administration and maintenance are needed to help make your network as secure as possible.

--

This is not an exhaustive list by any means and is not intended as such. I would suggest reading up on system hardening, PKI and smart card authentication, as well as user education, depending on how sensitive your environment is.

Following these easy steps would help prevent a large number of the virus calls received by support and, I am sure, unnecessary loss of productivity for companies.

Comments

Jan 09, 2011 10:05 PM

I just wanted to say thanks for this great article, it helped me.

May 04, 2010 12:41 PM

Hello Jeremy,

Wonderful work. Actually, I have been trying to convince the user community, including the Helpdesk, for a couple of years. The spread of infections has reduced but will take some time here due to the environment.

Another point I would like to add is to do the following on all the USB drives:
1. Create a read-only directory in the root named autorun.inf.
2. Create a file named autorun.inf in the folder created above with any text line, and mark this file read-only.

Sincerely,
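As an added example (not part of the comment above), this PowerShell script applies the two steps from that comment to a removable drive given by its letter, and stops with a warning if an autorun.inf file (rather than a folder) is already present, since that is worth inspecting first. The drive letter is assumed to be passed as a parameter.

```powershell
# Added example (not from the comment): create the read-only autorun.inf folder and marker
# file described above on a removable drive. Assumes the drive letter is passed in, e.g. 'E:'.
param([Parameter(Mandatory = $true)][string]$Drive)

$target = Join-Path "$Drive\" 'autorun.inf'

if (Test-Path $target -PathType Leaf) {
    # An existing autorun.inf FILE on a removable drive is a finding, not something to overwrite.
    Write-Warning "$target already exists as a file; scan the drive and inspect it before replacing it."
    return
}
if (-not (Test-Path $target)) {
    New-Item -Path $target -ItemType Directory | Out-Null
}

$marker = Join-Path $target 'autorun.inf'
if (-not (Test-Path $marker)) {
    Set-Content -Path $marker -Value 'autorun.inf is deliberately a folder on this drive.'
}

# Mark both the folder and the file read-only, as the comment suggests.
foreach ($path in @($target, $marker)) {
    $item = Get-Item $path -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
}
Write-Output "Created read-only $target and $marker."
```

The read-only attribute only stops code that does not bother to clear it, so this complements disabling Autorun on the hosts rather than replacing it.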

Apr 29, 2010 10:26 PM

True, there are many things to consider when fighting viruses. But many good points were brought up, and even the missed autorun disablement. Good article.

Apr 28, 2010 11:57 AM

The number one thing, of course, is the user itself. Nothing protects a computer if a user OPENS THE DOOR to a threat. :D

Apr 05, 2010 02:51 PM

I agree with your article; these suggestions are really the basic protection against viruses. Another point could be related to the user: in fact we have to teach users to avoid clicking on suspect links, using an unsafe USB memory (i.e. a USB key coming from a private PC not protected by antivirus), etc.

But this is a long story ...

regards,
Paolo

Mar 04, 2010 05:47 AM

It's a very good article.
Thanks Jeremy.L and angahsin.

Feb 27, 2010 01:16 PM

Good article.

I usually explain using the following analogy.

1. A PC today is like a house we stay which is under constant threats from thieves, flood, etc.

2. Anti-virus in your computer is like employing security guards to guard your house against thieves and unwanted guests. They need to be constantly trained (software update/upgrade) and informed (AV signature updates) to identify new baddies and not to be fooled by them. Employing the type of skill is like installing anything from a basic pure AV right up to a sophisticated Internet Security Pro software.

3. Patching an OS like Windows XP, Windows 7, etc. is like sealing up the holes surfacing around your house. Rats, worms or flood waters can enter the house unless it is sealed. The guard is not tasked or skilled to do that. As the house ages, holes are sure to appear. So, constantly finding these holes and sealing them is necessary to keep the house safe.

So, we need to ensure that both are well taken care of. 

@angahsin
AsiaPac Solutions

Feb 23, 2010 03:57 PM

Good one!!

Feb 18, 2010 06:34 AM

Nice article, everyone should read it.

Feb 18, 2010 05:30 AM

Did you disable the autorun? That's the main propagation means for Sality if I remember right. Not using domain admin accounts on infected machines is important, as well as scanning your file servers.

It is also possible that there are some files that are not being detected.

If you are having issues getting rid of a virus, please contact support so we can assist you.

Feb 18, 2010 03:43 AM

Hi Jeremy,

Mansoor is correct. Even though we have patched all the servers and machines, implemented a 31-day password policy, etc., this W32.Sality.AE is the major threat for us. Suggest something.

Regards.
Anil

Feb 17, 2010 11:34 PM

Hey Jeremy,

Great article, and everyone needs to vote for this.

One query: what remedies would you suggest if our network is patched/updated with the latest definitions but still some systems get infected with W32.Sality.AE?

SEP is able to detect this virus, but what's happening is that most of the time this virus will remove all SEP components; we can only view the interface of SEP.

So in this case what we can do?


Thanks

Mansoor
