<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1408634493775066201</id><updated>2011-07-07T13:22:20.776-07:00</updated><category term='trojans'/><category term='spyware'/><category term='malware'/><category term='phishing scams'/><category term='rootkit infections'/><category term='keyloggers'/><category term='anti-spyware'/><category term='anti-malware'/><category term='Tri-Bry'/><category term='Pest Control'/><category term='CA Threat Manager'/><title type='text'>Best Practices with David</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://david-bestpractices.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1408634493775066201/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://david-bestpractices.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>David</name><uri>http://www.blogger.com/profile/10222492623959620120</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://2.bp.blogspot.com/_Usi8coO6uHM/TAanD0ouyDI/AAAAAAAAAB0/-qB5w_bEjWk/S220/Klein-Headshot.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1408634493775066201.post-6929602652032552684</id><published>2010-06-02T12:19:00.001-07:00</published><updated>2010-08-04T13:12:28.530-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Pest Control'/><category scheme='http://www.blogger.com/atom/ns#' term='CA Threat Manager'/><category scheme='http://www.blogger.com/atom/ns#' term='phishing scams'/><category scheme='http://www.blogger.com/atom/ns#' term='keyloggers'/><category scheme='http://www.blogger.com/atom/ns#' term='rootkit infections'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-malware'/><category scheme='http://www.blogger.com/atom/ns#' term='trojans'/><category scheme='http://www.blogger.com/atom/ns#' term='Tri-Bry'/><title type='text'>How do we deal with viruses in the office?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Usi8coO6uHM/TAa5V_5AObI/AAAAAAAAADE/AeBM3ZT7MmI/s1600/VirusBlogImageGr.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5478269784321702322" style="FLOAT: right; MARGIN: 0pt 0pt 10px 10px; WIDTH: 180px; CURSOR: pointer; HEIGHT: 147px" alt="" src="http://4.bp.blogspot.com/_Usi8coO6uHM/TAa5V_5AObI/AAAAAAAAADE/AeBM3ZT7MmI/s320/VirusBlogImageGr.jpg" border="0" /&gt;&lt;/a&gt;In recent months, malicious threats to your computing environment have reached a new level. Over the past year there has been a marked increase in a class of threats that was previously referred to as “spyware”. 
But these evolving threats are much more dangerous than simple, traditional spyware. They are now being referred to as a whole new class of threat – “malware”. Like traditional spyware, whose main goal was to collect marketing information, malware has the ability to gain control over your PC, and run its own programs without your consent. Malware may consist of any of the following: spyware, trojans, keyloggers, rootkit infections, and phishing scams.&lt;br /&gt;&lt;br /&gt;The dangers that these threats present include but are not limited to poor PC performance, information disclosure, the invitation for additional threats to infect your PC, password disclosure (through keylogging), and finally, a completely unusable system. The worst aspect of this is the cost of removal involved in returning the infected PC to a clean state.&lt;br /&gt;&lt;br /&gt;Traditional antivirus software is not equipped to handle these new threats, and as such a whole new breed of anti-spyware / anti-malware software has sprung up. Tri-Bry strongly recommends the addition of the anti-malware module to your current antivirus solution.&lt;br /&gt;&lt;br /&gt;It should be recognized that a spyware protection package for client PCs is not guaranteed to eliminate all threats, and should not be considered as the sole level of defense against malicious threats. No antivirus or anti-spyware program is perfect. They all rely on definitions of known threats, and since the malicious programs are always evolving, there will always be a percentage of threats that could slip through.&lt;br /&gt;&lt;br /&gt;As such, Tri-Bry also recommends a multi-layered approach to threat mitigation, leveraging traffic scanning at the internet gateway / firewall, in addition to email scanning and content filtering.&lt;br /&gt;&lt;br /&gt;Many threats still come in through email, especially the recent preponderance of rootkit infections and phishing scams. 
Your current spam filtering solution should not be considered a defense against these threats. Though it marks most of them as spam, it is not designed to block access to email attachments or links in email, even though a particular email might land in a user’s SPAM folder. AV scanning at the email server level is still highly important, and it will be preserved and improved by the upgrade to CA Threat Manager.&lt;br /&gt;&lt;br /&gt;However, because no one software vendor is perfect, we highly recommend enabling additional protection features for your network as a whole. This is the multi-layered / multi-vendor approach.&lt;br /&gt;&lt;br /&gt;Most of you have firewalls that include the ability to license and enable traffic scanning at the gateway level. This type of additional scanning should be employed to hedge your bets on preventing the malicious activity from ever entering your private network in the first place. Firewall scanning might include an additional layer of spam filtering, an additional layer of antivirus scanning, an additional layer of spyware scanning, and an Intrusion Prevention system which scans for known hacking attempts and dangerous traffic patterns.&lt;br /&gt;&lt;br /&gt;If enabled, these additional layers of protection will also subject your internet traffic to another vendor’s security definitions and virus signatures. This is what is meant by a multi-vendor approach. In this scenario, the software deployed at the server and desktop levels is the equivalent of a “last line of defense” to protect your assets.&lt;br /&gt;&lt;br /&gt;Another measure of defense that can be employed at the firewall level, or at the server level, is content filtering. Basically, this is a means of preventing users from browsing to certain sites on the internet, based on pre-defined and / or customized rules. 
Content filtering stops users from viewing websites that might contain illicit content, and at the same time helps enforce your corporate internet usage policy. The bonus is that it may also help direct users away from sites and activities that could end in infection. Such activities may include going to Facebook, MySpace, and other social networking sites, which have known security vulnerabilities and virus activity surrounding them. Or, they might include streaming audio and video activities, which sometimes may require the installation of a third-party browser plugin – another opportunity for the user to unknowingly invite infection.&lt;br /&gt;&lt;br /&gt;As always, another very important aspect of defending your network, and also considered a “last line of defense”, is the security patch level of your network PCs and servers. It remains, as always, of utmost importance to take advantage of the free utilities provided by Microsoft to automate the process of keeping your PCs up to date. Most customers have already implemented WSUS (Windows Server Update Services), but the service and application require regular maintenance to approve new service packs and updates. 
Periodic oversight and reporting should be adopted as procedure, so that the product is tailored to your organization’s needs, and you can rest assured that your machines are always up to date.&lt;br /&gt;&lt;br /&gt;Please feel free to contact us to discuss an enhanced internet security approach that is tailored to your company’s needs.&lt;br /&gt;&lt;br /&gt;Tri-Bry</content><link rel='replies' type='application/atom+xml' href='http://david-bestpractices.blogspot.com/feeds/6929602652032552684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://david-bestpractices.blogspot.com/2010/06/to-all-tri-bry-customers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1408634493775066201/posts/default/6929602652032552684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1408634493775066201/posts/default/6929602652032552684'/><link rel='alternate' type='text/html' href='http://david-bestpractices.blogspot.com/2010/06/to-all-tri-bry-customers.html' title='How do we deal with viruses in the office?'/><author><name>David</name><uri>http://www.blogger.com/profile/10222492623959620120</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://2.bp.blogspot.com/_Usi8coO6uHM/TAanD0ouyDI/AAAAAAAAAB0/-qB5w_bEjWk/S220/Klein-Headshot.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_Usi8coO6uHM/TAa5V_5AObI/AAAAAAAAADE/AeBM3ZT7MmI/s72-c/VirusBlogImageGr.jpg' height='72' width='72'/><thr:total>0</thr:total></entry></feed>
