
Anti virus and network admins please read - UPDATED W FIX

Smilin

Diamond Member
What are you folks out there doing about bugbear, klez and all the others that spoof a return address?

I'm using three-layer protection here: at the SMTP gateway, at the servers (including internal mail servers) and at the desktop.
Problem is: the desktop team drops the ball and leaves antivirus off of our PCs sometimes and I'll end up with an infection. If the virus sends an infected email I'll catch it at the internal email server and I can dig through the logs to find out where it came from. There are a couple of other ways to track down an unprotected/infected PC, but these new viruses that spoof the return address are a b1tch.

I'm curious if anyone else out there has developed some method or practice for dealing with this crap. Or has figured out a way to find out where infected mails are coming from without having the headers on the original email.

I'm currently running a portscan to see if I can catch the backdoor program that bugbear leaves.

Any help or suggestions would be great, thanks!
 
We use McAfee, including ePolicy Orchestrator to run the show centrally.

I used the McAfee installation designer to make a pre-configured VirusScan installer (VirusScan being their desktop product). Then I fussed around with ePolicy Orchestrator until I figured out how to add my customized VirusScan installer to ePO's "pantry," if you will.

ePO can force-install the ePO Agent remotely onto any system within our domain. That's all I need to do, just push an Agent onto a system from the ePO Console. Once the agent is installed, it will then force-install VirusScan within an hour, maintain its configuration, restart it if it crashes, and report any infections to ePO, which puts them in graphs and tables so you can check up on them in great detail. A quick glance at the Queries > Virus Alerts and Queries > Virus Attacks, and I know who, what, when, and which system.

ePO also takes over the tasks, so I set it to hourly virus definition updates and a daily HDD scan at 12:10PM, except for some users with odd lunchtimes (you can apply a blanket setting to the domain, then change individual systems as needed). If there's an urgent need for a domain-wide virus-definition update, I can add an update as a scheduled task for "Immediately," send an Agent Wake-Up Call out to the domain, and the systems will see the new task and execute it.

I have mine set up so that only an Administrator-class user can mess with VirusScan (turn it off, for example, or see the settings). Even then, they need a password to change settings, and if they shut VirusScan off, ePO Agent will turn it back on within five minutes. Since we don't have our users be Administrator-class users, but rather Restricted Users, it's pretty close to ironclad. 🙂
 
On a practical note, what antivirus software are you using there, and does it offer central administration along those lines?

Assuming you use Win2000 or WinXP, another potentially-useful tool is to find a de-wormer utility, put it in a shared folder on the server, then make a .bat file that will run the utility from its network location.

Now fire up Internet Explorer, browse to \\computername\C$, dump a copy of the .bat file into the suspected system's C: drive, then go into Network Neighborhood, find the computer, go into its Scheduled Tasks, and have it run C:\deworm.bat or whatever you called it, as a Scheduled Task started in the C:\ drive. The computer will hopefully run the .bat file, which then runs the dewormer utility from its network location and gets rid of the problem. Adapt as needed for your situation, I don't know for a fact that this works on WinXP.
 
We use Symantec Corp Edition AV, and it's worked nicely for every company we've installed it at. It offers centralized admin for your entire network. It's server based, and can handle multiple servers.
 

We're using a mix of Symantec Antivirus 7.5, 7.6 and 8.0

It does all the usual functions: remote rollout of client software, automatic definition updates and all that. Good stuff, I've been really happy with symantec.

Thing that's killing me: I've got a handful of clients that DON'T have antivirus and it's a pain to track them down. If I knew who didn't have it I could fix it with a couple of clicks. I had every PC in the company protected when I rolled this stuff out, but my coworkers are, for all practical purposes, slowly undoing my work by reimaging old PCs or rolling out new ones without AV.
 
Hmm, well if Symantec offers a centralized management setup, it's probably worth what it costs... ePolicy Orchestrator will report what systems do and don't have AV protection, as well as what virus definitions they're using. Actually, it's supposed to work with Norton clients, not just McAfee VirusScan clients.

If you are logged in as the domain's Administrator on your own system, try this (instructions fit Win2000, adapt as needed for WinXP):

Start > Settings > Control Panel > Administrative Tools > Computer Management.

Now right-click Computer Management (local) and choose Connect to another computer. Pick the one you want to check out, then expand System Information > Software Environment > Running Tasks and give it about 15 seconds. This will show you what's running on that computer, including antivirus software, spyware, apps, whatever.

Alternately/additionally, you can log onto your system as Administrator, start Internet Explorer, and type \\computername\c$ in the address bar to browse the hard drive of the computer you named. You can check for the presence of the antivirus software as well as whatever other junk your users are trying to ream their systems with 😛

Hope that helps 🙂

 

I can remotely check if a computer has antivirus or not pretty easily and add it if it doesn't. The trick is I need them to come to me! I can't check each and every one of 1,200+ computers. Before return-address spoofing, if someone was infected it would trip an alarm when they tried to email, and I'd jump on it and install antivirus.

One trick I've come up with for bugbear at least is to portscan my network for 1080 which is used by the backdoor device in the bugbear worm. I've snagged two that way. Waiting for an infection to occur isn't the ideal way to check for antivirus software though 🙁

This would all be so much easier if the desktop folks had kept my initial rollout up to date - I might just have to go do a rollout project again to get things back under control.
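The sweep described in the post above (scan the network for the port the worm's backdoor listens on, 1080 according to the poster, and treat any host that answers as a candidate for an unprotected box) can be done with a small TCP connect scanner. This is an added example, not the poster's own tool or anything from Symantec or McAfee; the target list below is constructed, and the port is taken from the post rather than verified here.

```python
"""Sweep a list of hosts/networks for a listening TCP port.

Added example: a plain TCP connect sweep of the kind the post describes
(find boxes answering on the worm's backdoor port). Not the poster's tool.
The sample targets in __main__ are constructed (RFC 5737 test ranges).
"""
import concurrent.futures
import ipaddress
import socket
from typing import Iterable, List


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Turn a text inventory (one host, IP or CIDR per line) into a host list.

    Blank lines and '#' comments are skipped, so the same file you hand to
    the AV rollout can be fed straight in.
    """
    hosts: List[str] = []
    for spec in specs:
        spec = spec.strip()
        if not spec or spec.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            hosts.append(spec)  # not an IP/CIDR: treat as a hostname
            continue
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe: True only if the three-way handshake completes.

    A refused connection, a timeout (filtered host) or an unresolvable name
    all count as 'not open'. A timeout is NOT proof the host is clean; it may
    just be firewalled or switched off, so keep a list of non-responders too.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def sweep(targets: Iterable[str], port: int,
          timeout: float = 0.5, workers: int = 64) -> List[str]:
    """Probe every expanded target in parallel; return hosts with the port open."""
    hosts = expand_targets(targets)
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: port_open(h, port, timeout), hosts)
        return [h for h, is_open in zip(hosts, results) if is_open]


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own list of subnets/IPs.
    sample = ["# desktops", "192.0.2.0/28", "198.51.100.7"]
    for host in sweep(sample, 1080):
        print(f"{host}: tcp/1080 open, check this box")
```

One caveat when using the hit list: tcp/1080 is also the standard SOCKS proxy port, so a host that answers there is a lead, not a confirmed infection. Verify what is actually listening on it before treating the machine as compromised, and remember that hosts that time out may simply be firewalled or powered off.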
 
Problem is: the desktop team drops the ball and leaves antivirus off of our PC's

You just need to get with the desktop team and bust a few heads. They must be a bunch of ignorant workers.

Bleep
 
Smilin, aside from the excellent advice by Bleep 😀 doesn't your central-administration console have a way to tell you which computers don't have AV software installed? What is the name of Symantec's central-admin program, I'll try to help you look that up.

I do agree with Bleep, if those guys can't do their job right, maybe you should offer it to someone else.
 

Bash heads haha. My fist is already sore. I've turned the issue over to management but nothing is being done.

My final solution: I'm rolling out the newest AV software *everywhere* as if it's not been installed at all. After the rollout I'm done. I'm sick of fixing it and then having others break it so I'm just going to turn the whole thing over to the 'others' to deal with.

mechBgon: I'm using the Symantec System Center console. It operates in somewhat of a passive mode. It doesn't actively go out and find clients that need installs or definition updates; rather, it provides 'services' to those clients that check in with the server. Some sort of discovery for missing clients would be nice, but that's my only complaint with the management software. This new rollout should go pretty quick - I just provide a text file with the list of IPs and it's done.
 

AHA!

the anti-virus gods are smilin upon me.

I just got the new SAV 8.1 upgrade in the mail and guess what they added? The ability to probe your network for clients that don't have antivirus installed! That was it. Symantec just fixed my one and only gripe with their software. They had a shining good reputation with me and now they've fixed their only smudge on it.

Ask not for whom the bell tolls, bugbear.

 
Have they figured out how to probe and then push to Win98 machines? We did a big install for a customer, and the Win2k/XP systems were easy, but we had to run around to his handful of 98 systems with a CD to do the install.
 

I think it can if you have user-level sharing enabled on the 9x machines. Not real sure. I usually install those by remoting into the PC and just running the 'pre-configured' install from a share.

I hate win 9x.
 