1

I've recently noticed an increase of viruses on my systems. We employ CA eTrust 8.1 for antivirus and all users are "Domain Users", and thus should not have access to install any software on their computer.

On random computer audits I've found malware with Malwarebytes Antimalware that eTrust has missed (realtime scanning is on) - It's found .exe files that I believe were not installed because there didn't seem to be any registry edits. I assume the majority of them are from browsing websites because they seem to be in the IE.5 folders.

What can I do to further prevent viruses from infiltrating my network? eTrust seems to be missing quite a bit with the realtime scanning and I'm not entirely convinced the installation of all .exe's is prohibited (I've had a couple users install Chrome by themselves).

Thanks in advance.

DKNUCKLES
  • eTrust is a boiling pile of crapware. I've seen it miss 10 year old viruses regularly. I would suggest looking into replacing it. – Zypher Aug 19 '10 at 14:37
  • @Zypher: Hear hear... I wouldn't recommend CA software to my worst enemies. (There's that "opinionated sysadmin" coming thru again...) – Evan Anderson Aug 19 '10 at 14:37
  • I wish I could replace CA - it was recommended to me by our IT consultant - we're only a year into our 3-year licensing period. – DKNUCKLES Aug 19 '10 at 14:50
  • You're going to spend more time/money on fixing issues during the next two years than it would cost you to change to something that actually works. – wolfgangsz Aug 19 '10 at 15:35
  • Chrome is somewhat special - Google deliberately built it so that it "installs" without requiring Admin rights (by putting the binaries in %USERPROFILE%\Local Settings\Application Data\Google\Chrome). – Adam Aug 19 '10 at 15:37
  • All Click-once-deployed applications do the "chrome" thingie (if wanted)... – Oskar Duveborn Aug 19 '10 at 18:34

3 Answers

6

I assume your statement 'all users are "Domain Users"' means that your users aren't running w/ local Administrator rights. If they are then fix that before you do anything else.

Even if your users are running with limited accounts, malware is doing a great job of running with limited user rights today (better than a lot of commercial software, frustratingly). Something like software restriction policies is your best bet at stopping these kinds of threats. It's an arms race, and the anti-malware companies are never going to be able to keep up. You need to keep untrusted executables from being able to run-- period.

Of course, software restriction policy doesn't help much with code being executed via buffer/heap overflows, etc. Keeping your OSes and application software patched is a good thing, too.

Filtering HTTP, email, etc., from network traffic (with a "perimeter scanner", etc.) for known executable content could probably help, but executables can be obscured in transit, so that's not a catch-all solution. The user picking up a USB stick in the car park and plugging it into their computer also won't be detected by a network-based scanner. Scanning network traffic is just a piece of defense-in-depth.

Evan Anderson
  • Sorry - I should have been more clear. The users do not have local admin rights. Thank you for your feedback. – DKNUCKLES Aug 19 '10 at 14:51
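The audit the asker is doing by hand with random Malwarebytes scans, plus the SRP check Evan recommends, as an added PowerShell example (not code from the thread or from any of the posters): it lists every executable sitting in the user-writable profile directories where browser caches and per-user installers such as Chrome land, hashes each one, and reports whether a Software Restriction Policy default-deny level is set. The directory list, the skipped profile names and the output path are assumptions; adjust them to your profile layout.

```powershell
# Added example (not from the original thread): audit every local user profile
# for executables in user-writable locations and check whether a Software
# Restriction Policy default-deny is in force. Run as an administrator.
# Assumed per-user cache/install dirs: XP layout first, then Vista and later.
$RelativeDirs = @('Local Settings\Temporary Internet Files',
                  'Local Settings\Application Data', 'Local Settings\Temp',
                  'AppData\Local\Microsoft\Windows\Temporary Internet Files',
                  'AppData\Local', 'AppData\Roaming')
$ExecutableExtensions = @('.exe', '.dll', '.scr', '.com', '.pif')
# SHA-256 via .NET so this also runs on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close(); $sha.Clear() }
}

# Every profile directory except the template and shared ones (assumed names).
$ProfileRoot = Split-Path -Parent $env:USERPROFILE
$SkipProfiles = @('Default', 'Default User', 'Public', 'All Users')
$Profiles = Get-ChildItem -Path $ProfileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $SkipProfiles -notcontains $_.Name }

$Findings = foreach ($userProfile in $Profiles) {
    foreach ($rel in $RelativeDirs) {
        $dir = Join-Path $userProfile.FullName $rel
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $ExecutableExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    User = $userProfile.Name; Path = $_.FullName
                    SizeKB = [math]::Round($_.Length / 1KB, 1)
                    Modified = $_.LastWriteTime; SHA256 = Get-Sha256 $_.FullName
                }
            }
    }
}

# SRP DefaultLevel: 0 = Disallowed (default-deny), 0x40000 = Unrestricted.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Srp = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
if ($Srp -and $Srp.DefaultLevel -eq 0) { Write-Host 'SRP: default-deny is configured' }
elseif ($Srp) { Write-Host ('SRP: present, but DefaultLevel 0x{0:X} lets executables run' -f $Srp.DefaultLevel) }
else { Write-Host 'SRP: no policy found; executables run from anywhere' }
if (-not $Findings) { Write-Host 'No executables found in the audited profile directories'; return }
$Findings | Sort-Object Modified -Descending | Format-Table User, Modified, SizeKB, Path -AutoSize
$Findings | Export-Csv -Path (Join-Path $env:TEMP 'exe-audit.csv') -NoTypeInformation
```

The CSV gives you a per-machine baseline, so a second run after a week shows exactly which binaries appeared in the interim and can be checked against your AV vendor and the hashes of software you actually deployed.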
1

There are basically two detection points for malware and viruses that infiltrate your network...the perimeter and the desktop/server. It doesn't sound like you have the perimeter guarded in any fashion. I would start there by looking into what's possible. Generally speaking, the perimeter is guarded by some type of antivirus appliance (Cisco, Symantec come to mind).

I would also probably ditch CA in favor of something with a 'better' reputation for catching viruses.

Hopefully by 'Domain Users' you mean your users don't have local admin rights to the workstations? If they DO have local admin rights, you'll want to take that away from them.

GregD
  • I interpreted the OP's statement 'all users are "Domain Users"' to mean that the users weren't local administrators. – Evan Anderson Aug 19 '10 at 14:36
  • Geez people. I was in the process of editing my answer when you all decided to downvote me. – GregD Aug 19 '10 at 14:41
1
  1. Make sure your desktops have all critical updates applied. Most of the older exploits have been foiled by updates.

  2. While you may have paid for CA you aren't obligated to use it. At a minimum I'd add Microsoft Security Essentials to your current AV solution.

Jim B
  • +1 for patching, though I'd also add that it must include non-Microsoft stuff like Adobe Flash Player, Reader and other hugely exploitable third-party software... – Oskar Duveborn Aug 19 '10 at 18:37