Need advice: better secure our network

Hemps

After a recent virus outbreak on our network that came in via a flash drive, I need to re-check our network security software and measures.
What we have:
3 servers:
Windows 2003 Server
ESET nod32
Microsoft security Essentials
Each department restricted via Active Directory to their files etc.

50+ workstations:
Windows XP
ESET nod32

The workstations are on Service pack 3, but not updated on a regular basis, just with the service pack.
I have had good experience at other branches with Autopatcher.
They only have ESET nod32 virus scanner as realtime protection

I would think to give them all a better chance of combating a virus infection:
Upgrade all PCs with Microsoft Updates.
Install Microsoft Security Essentials on each PC alongside Nod.

What would be an ideal way to prevent people from using and bringing in flash drives and external drives?
Disable USB ports?

Nod is supposed to scan all removable media but malware etc. still gets through.
 
Well, the first step would be to disable autorun completely on all PCs. There are ways to disable the use of external storage completely, that would also be an option, albeit maybe a bit extreme. Google is your friend
 
Going to disable the autorun feature on each pc.
 
It may be slightly overkill for you but you could try Autorun Eater.

http://www.softpedia.com/progDownload/Autorun-Eater-Download-85585.html

Autorun Eater was born due to the increase of malware using the 'autorun.inf' tactic to infect users unknowingly, be it from flash drives, removable hard disks or any other removable storage device. When a device is infected with malware and an 'autorun.inf' file is dropped, the shell menu is normally modified to execute the malware whenever the unsuspecting user double-clicks the infected drive.

Most anti-malware apps out there will almost instantly remove any malware detected but more often than not they leave the 'autorun.inf' file behind. And what if the anti-malware app fails to catch the malware? Here is when Autorun Eater comes in handy.

Autorun Eater will remove any suspicious 'autorun.inf' files even before the user attempts to access the drive. These files are automatically backed up in case of false positives.

Note: Some antivirus and antispyware programs flag Autorun Eater as being infected/malware, although the application is perfectly safe and does not pose a threat to your system. This is called a 'false positive'. The term false positive is used when antivirus software wrongly classifies an innocuous (inoffensive) file as a virus. The incorrect detection may be due to heuristics or to an incorrect virus signature in a database. [Similar problems can occur with antitrojan or antispyware software.]
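The two measures discussed above, turning AutoRun off (the first replies) and catching autorun.inf files that would launch something before anyone double-clicks the drive (what Autorun Eater automates), as an added PowerShell example. This is not code from the thread or from Autorun Eater; it assumes PowerShell 2.0 or later on the XP SP3 workstations and an administrator session. The registry locations are the ones Microsoft documents for disabling AutoRun (KB967715); the function and variable names are my own.

```powershell
# Added example, not code from the thread or from Autorun Eater. Assumes PowerShell 2.0+
# (available on Windows XP SP3 / Server 2003) and an elevated session.

function Disable-AutoRunPolicy {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type (KB967715).
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Point autorun.inf parsing at a registry key that does not exist, so the shell
    # ignores the file's contents even on a machine that lacks the KB967715 update.
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $map)) { New-Item -Path $map -Force | Out-Null }
    Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist'
}

# [autorun] directives that execute a program or change the drive's double-click /
# context-menu action. 'icon' and 'label' are cosmetic and deliberately ignored.
$script:LaunchDirective = '^\s*(open|shellexecute|shell|shell\\[^\\]+\\command)\s*='

function Get-SuspiciousAutorunInf {
    # Audit: one object per removable drive (DriveType 2) whose autorun.inf would launch a program.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $drive = $_.DeviceID
        $inf = Join-Path $drive 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $hits = @(Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                      Where-Object { $_ -match $script:LaunchDirective })
            if ($hits.Count -gt 0) {
                New-Object PSObject -Property @{
                    Drive      = $drive
                    Path       = $inf
                    Directives = $hits
                }
            }
        }
    }
}

function Backup-AutorunInf {
    # Rename instead of delete, so a false positive can be restored (the same idea as
    # Autorun Eater's backup). Returns the new path.
    param([Parameter(Mandatory = $true)][string]$Path)
    $backup = $Path + '.quarantined-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    Rename-Item -LiteralPath $Path -NewName (Split-Path -Leaf $backup) -Force
    return $backup
}

# Usage: harden this machine, then report and quarantine whatever is plugged in right now.
Disable-AutoRunPolicy
$found = @(Get-SuspiciousAutorunInf)
foreach ($f in $found) {
    Write-Host ("{0}: {1}" -f $f.Drive, ($f.Directives -join '; '))
    Backup-AutorunInf -Path $f.Path | Out-Null
}
Write-Host ("{0} removable drive(s) had launch directives in autorun.inf" -f $found.Count)
```

The policy part is the piece worth pushing out through Group Policy once the PCs are on the domain; the audit part only sees drives plugged in at the moment it runs, so it complements rather than replaces the on-access scanner. As the later replies note, none of this stops a user from running a file off the stick by hand.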
 
PM me, I can help you. Disabling autorun helps, but still doesn't prevent the user from manually executing applications, copying them to their workstations etc.
 
Hemps: did ESET NOD32 detect the flashdrive virus?

The reason I'm asking is that my office is also in the process of buying an antivirus product that would be used on all the Windows XP machines.
I'm using Avira Personal on my personal PCs and I've never had any issues with flash drive viruses.

I'd recommend that you let all the PCs join the network domain, so that you can enforce policies on all the PCs without having to configure each PC individually. That way you should be able to disable things like autorun fairly easily.
I'm not sure if XP Home would be able to join the domain, because Win7 Home certainly can't.

Disabling the USB ports is just silly, because then you'll have to get PS/2 keyboards and mice for each PC; otherwise the person can simply unplug the keyboard/mouse and insert the external storage device.

If the PCs are on the domain, then you can also prevent the users from installing applications on their PCs by giving them limited permissions.
 
It was the Bugbear virus - infects Olivetti printer drivers which then spew out 500+ pages with junk printed on them.

Have to disable system restore
disconnect from network
boot in safe mode
run combobox, nod, malwarebytes, security essentials
update OS with all latest security downloads
On each PC - there goes the weekend.

For some reason Nod did not pick it up; it is set to scan everything.
 
500+ pages.... my god....

I use avast, which is good enough for me... though I'm sure there are some things it won't detect that other AV apps will. I think your office staff should be made aware of the risks and potential threats.... prevention is better than cure after all.
 
That same virus will still reside on some users home PCs and other flash drives so yes the work computers with all their shares will probably get infected again.

If the users are on a Windows domain you can disable USB via a startup script.

This involves setting the permissions for the USB driver files and a registry tweak.
http://support.microsoft.com/kb/823732
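The startup-script approach from the post above, as an added PowerShell example of the two controls Microsoft KB 823732 describes (disabling the USBSTOR service where the driver is already installed, and denying access to its setup files where it is not). This is not code from the thread or from the KB article; it assumes PowerShell 2.0 or later on the XP/2003 machines and that it runs as SYSTEM from a domain computer startup script (or in an administrator session). The function and variable names are my own.

```powershell
# Added example, not code from the thread. Implements the two controls in Microsoft
# KB 823732 so they can be deployed as a domain computer startup script (runs as
# SYSTEM, which has the rights to change the ACL and the service key).
# Assumes PowerShell 2.0+ on the XP/2003 machines.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$UsbStorFiles = @('usbstor.inf', 'usbstor.pnf') | ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }

function Disable-UsbStorage {
    # 1. Driver already installed (someone has used a flash drive on this PC):
    #    Start = 4 (SERVICE_DISABLED) stops the driver loading for any device.
    if (Test-Path $UsbStorKey) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
    # 2. Driver never installed: deny everyone access to the setup files so Plug and Play
    #    cannot install it the first time a mass-storage device is plugged in.
    foreach ($file in $UsbStorFiles) {
        if (-not (Test-Path $file)) { continue }
        $acl  = Get-Acl -Path $file
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
        $acl.AddAccessRule($deny)
        Set-Acl -Path $file -AclObject $acl
    }
}

function Test-UsbStorageBlocked {
    # Returns $true only when the driver is disabled (or absent) AND every setup file
    # that exists carries the Deny ACE for Everyone.
    $driverBlocked = $true
    if (Test-Path $UsbStorKey) {
        $driverBlocked = ((Get-ItemProperty -Path $UsbStorKey).Start -eq 4)
    }
    $filesBlocked = $true
    foreach ($file in $UsbStorFiles) {
        if (-not (Test-Path $file)) { continue }
        $denied = (Get-Acl -Path $file).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
        }
        if (-not $denied) { $filesBlocked = $false }
    }
    return ($driverBlocked -and $filesBlocked)
}

# Usage: apply both controls, then confirm the machine's state.
Disable-UsbStorage
Write-Host ("USB mass storage blocked: {0}" -f (Test-UsbStorageBlocked))
```

Because this only touches the USB mass-storage driver (USBSTOR), USB keyboards and mice keep working, which addresses the PS/2 objection raised earlier in the thread; it does nothing about CD/DVD drives or network shares, so it is one layer alongside disabling autorun and limiting user permissions. Assign it under Computer Configuration, Windows Settings, Scripts (Startup) in the GPO that covers the workstations, and check the output of Test-UsbStorageBlocked on a couple of machines after the next reboot.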
 
Howzit Hemps. Not familiar with NOD32; do you have a management console for NOD32? I know on Symantec you can disable USB/CD-ROM/autorun from the management console via the policy the user is in (dependent on the AV package you create, x86/x64, or specific restrictions according to your needs). There is also an add-on for Server 2003 that you can download which gives you the option in your GPOs to disable USB/CD-ROM/autorun.
 
On Saturday:

• Combox, Microsoft Security Essentials, Nod updated, Malwarebytes installed on every computer.
• Workstations – rebooted in safe mode with NO network connection – Combox scan run, Nod scan run, Security Essentials scan run.
• Autorun disabled on all workstations.
• Olivetti printer driver removed from each workstation.

• Servers restarted in safe mode – scans of Nod and Security Essentials run.
• Once server scans were completed – all workstations were restarted once their scans were complete.
• All Microsoft security updates were installed and each PC updated.
• Olivetti printer driver was reinstalled on each machine.
• Security Essentials scan was scheduled on each machine for Sunday 2am.

Fker printed again on Monday morning - BUT, I logged into every PC when I did the above and it did not print to any Olivetti printer when I was there, so I'm thinking it's when a user tries to print to any printer.
It can't be in the startup as it would have printed when I was there, and the times are varied - when everyone is logged in etc.
 
Yip , manually on each

Why don't you use a deployment platform that pushes software, updates etc. to each machine and also allows you to lock it down so users cannot install anything or make changes? It allows you to standardise software versions, can have different profiles for different departments etc. It will greatly reduce your workload and provide a more stable work environment for staff. And if a PC is borked so badly (HDD failure) you just send a new image to it, so you have a fresh OS install afterwards.

Or are you into S&M? :D
 
What do you recommend?

Not my field so hopefully someone else can comment. I just know this as I've seen it being used very effectively in industry. Once you have this implemented you will kiss my feet I'm telling you :D
 