"How come my machines got infected even though I had the antivirus installed?"
is a question we hear all too often. The answer is usually either a missed detection of a new threat (not yet in the definitions) or, more likely, "bad" system administration.
Unfortunately, these days installing a firewall at the internet connection and antivirus software on the machines is just not enough, and you would be mistaken to believe that this alone protects you. Here is a short, non-exhaustive list of easy steps that generally need to be taken to greatly reduce the likelihood of threat outbreaks and attacks.
1/ Operating system updates
Surprisingly, the importance of keeping systems up to date with security patches is often underestimated, and it is overlooked until an incident occurs that could have been prevented simply by updating the systems.
In my opinion, any network of over 30 machines should have a Windows System Update Services (WSUS) server and regularly (monthly or more often) update all the machines on the network.
WSUS offers the possibility of testing all updates for potential incompatibilities on your network if needed. While this understandably adds extra work for the administrator, it may save you from a weekend of running virus scans in safe mode on all your machines, or worse, the loss or theft of sensitive data.
2/ Antivirus software loses most of its effectiveness without up-to-date definitions
It is important to audit virus definition updates on your network. Make sure all your AV clients report to the management servers, that reports are run regularly, and that discrepancies are investigated. Do not hesitate to contact AV support if you cannot figure out by yourself why definitions are not being updated, and do not let the problem drag on longer than necessary.
Yes, antivirus software needs maintenance and monitoring.
3/ Disable Autorun/Autoplay feature
Many threat outbreaks happen because an unsuspecting employee plugged in a USB thumb stick that happened to be infected, although this could simply have been avoided by disabling autorun in Windows.
I have personally never heard of an occurrence where this feature was needed in an enterprise network, and it is potentially a gateway for threats to get through. It will also prevent many threats that drop autorun.inf files on shared drives from propagating.
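As an added example (not part of the original post), the following PowerShell audits whether autorun is disabled on a Windows machine and applies the policy if it is not. It uses the Explorer policy values NoDriveTypeAutoRun (0xFF disables autorun for every drive type) and NoAutorun (1 stops Windows from honouring autorun.inf files); it assumes it is run in an elevated Windows PowerShell session, since writing under HKLM requires administrative rights.

```powershell
# Added example: audit and enforce "disable autorun" via the Explorer policy key.
# Assumes an elevated Windows PowerShell session (HKLM writes need admin rights).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutorunDisabled {
    # Returns $true only when both policy values exist and hold the expected data.
    $key = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    return ($key.NoDriveTypeAutoRun -eq 0xFF) -and ($key.NoAutorun -eq 1)
}

function Set-AutorunDisabled {
    # Create the policy key if it does not exist, then set both DWORD values.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'NoAutorun' -Value 1 -Type DWord
}

if (Test-AutorunDisabled) {
    Write-Output "Autorun already disabled by policy on $env:COMPUTERNAME"
} else {
    Write-Output "Autorun NOT disabled on $env:COMPUTERNAME - applying policy"
    Set-AutorunDisabled
    Write-Output ("Policy applied, audit now returns: " + (Test-AutorunDisabled))
}
```

On a domain the same setting is normally pushed through Group Policy ("Turn off Autoplay"); the script is useful for auditing workgroup machines or confirming that the policy actually landed.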