"How come my machines got infected even though I had the antivirus installed?"
Is a question we hear all too often and is usually either a missed detection of a new threat (not yet in the definitions) or most likely due to "bad" system administration.
Unfortunately these days installing a firewall at the internet connection and antivirus software on the machines is just not enough, and you would be mistaken to believe you are protected. Here is a short, non exhaustive list of some easy steps that generally needs to be done to greatly reduce the possibility of threat outbreaks and attacks.
1/ Operating system updates
Surprisingly, the importance of keeping the systems up to date with security patches is often under estimated and is overlooked until an incident occurs that could have been prevented simply by updating the systems.
In my opinion, any network over 30 machines should have a Windows System Update Services (WSUS) server and regularly (monthly or more) update all the machines on the network.
WSUS offer the possibility to test all the updates for potential incompatibilities on your network if needed. And while this understandably adds extra work for the Administrator, it may save you from a week end of running virus scans in safe mode on all your machines, or worse, loss or theft of sensitive data.
2/ Antivirus software loses most of its effectiveness without up-to-date definitions
It is important to audit virus definitions updates on your network. make sure all your AV clients report to the management servers, and that reports are regularly run and discrepancies investigated. Do not hesitate to contact AV support if you are not able to figure out why definitions are not updated by yourself and do not let it drag on longer than necessary.
Yes, Antivirus software needs maintenance and monitoring.
3/ Disable Autorun/Autoplay feature
Many threat outbreaks happen because an unsuspected employee plugged in a USB Thumb stick that happened to be infected, although this could have been simply avoided by disabling autorun in Windows.
I have personally never heard of an occurrence where this feature was needed in an enterprise network, and is potentially a gateway from threats to go through. It will also prevent many threat that drop autorun.inf files on shared drives from propagating.
The good news is this is really easy to fix by creating a GPO, here is microsoft KB article for it :
4/ "Run as..."
It is generally not a good idea to log on to systems with high privilege accounts like Domain Administrators. And it is a really bad one when you suspect said systems might be infected, depending on the threat this could effectively give it access with admin privileges to all other machines on the network.
It is much safe to log on as local administrators or even better, normal users and use the very useful "Run as.." command when needed.
Of course as a general rule, do not give administrator rights to users in your company unless it is necessary.
5/ Password Policies
Users don't like having to remember their complex passwords, they like it even less when they have to change it every 3 months and they can't reuse the last one.
While that may be true initially, people get used to it, and yes it may increase the amount of calls to the helpdesk but it also has too many benefits on the security side to list and to be overlooked.
I have seen more people than I'd like to believe who have installed a SEP Manager and then contacted us because the deployment tool would not accept and Administrator account with a blank passwords.
Antivirus software does not protect from everything, and good administration and maintenance is needed to help make your network as secure as possible.
This is not an exhaustive list by any means and is not intended as such, I would suggest reading on System Hardening / PKI and smart card authentication as well as User Education depending on how sensitive is your environment.
Following those easy steps would help prevent a large amount of virus calls received by support and I am sure, unnecessary loss of productivity for the companies.