0

I printed out a list of the top 25 infected machines (associate machines only) with a bit of detail.

Associate machines are only for sales associates. The domain login is the same for every machine; associates are provided internet, email, and in-house programs to complete CRMS, web leads, in-store sales and so on. They are allowed to go to vendor websites and research diamond information online.

On the report that I have, there are some associate-used machines that have 100+ threat counts for one month (this is high threats to low threats).

For the use of the computers, we have determined that 50 threats (this includes tracking cookies) should be more than what they receive in one month; there are only 10 - 15 vendor websites that they should be accessing.

What is a good way to control and reduce the threat count on these machines? I use OpenDNS to block specific categories of websites (there are a lot of categories blocked).

  • I use SunBelt's VIPRE enterprise, and have antivirus agents installed on every machine in the company doing a quickscan at 12AM, and then a deep scan at 9PM daily.
  • Group policies are in place to prevent certain changes and so forth. Some of the machines allow the domain logon as administrator, some do not. There have been some issues with this.
  • We have McAfee MXLogic spam filters as a 'cloud' that filters all incoming and outgoing email from our Exchange server, delivering it to the Outlook mailbox with in-house spam policies as well (content and so forth).
  • WSUS runs updates every Tuesday from the server.

Looking for some feedback on how to control these threat counts.

Jeff
  • I'm sorry but if someone is counting cookies as "threats" then this problem is based on some wrong assumptions right from the start. – Rob Moir Apr 21 '11 at 14:01
  • @Robert Moir I don't care about cookies; that's why I throw 50 or so in there for cookies. VIPRE antivirus picks them up as low threats; with 10-15 vendor sites (cookies not flushed monthly) I gave room for 50 'so called threats'. – Jeff Apr 21 '11 at 14:03
  • My concern is a computer with 185+ threats that should only be accessing 10-15 vendor websites. – Jeff Apr 21 '11 at 14:03
  • Then that's a HR issue. You deal with it by warning the employee that they will be formally disciplined if they abuse the company resources. – Rob Moir Apr 21 '11 at 14:05
  • That's the approach we are thinking of taking - but I always like to get feedback from here in case I am overlooking something. – Jeff Apr 21 '11 at 14:06

3 Answers

5

This is almost a HR issue but without detail it's difficult to say.

Here you'd need to look at what the threats are that are being listed. There is an IT/change management issue here if activities are being characterised as threats incorrectly by the software and another if something is characterised as a threat but the employee is not misusing resources.

Beyond that I agree with Robert that this is a HR issue.

Paul D'Ambra
  • Here are some stats for threats. Registry: 64, files: 13, cookies: 9 for one of the machines. There is some malware, some are toolbars that they should have, and so forth. I just wanted to check to make sure I myself was doing everything needed - I'm just going to turn this over to HR. – Jeff Apr 21 '11 at 14:24
1

In a similar situation I finally blocked everything but those 10-15 vendor sites. Can you do that to your associates?

It is strange that your anti-virus is able to find threats only after the PC got infected.

alexm
  • I have brought that to the attention of management, trying to have pre-approved lists and add things as necessary. It got shot down pretty quick, however. – Jeff Apr 21 '11 at 18:30
  • The antivirus always picked the threats up, but after the infection I ran a 'top 25 infected machine' report and gave it to management. One machine had 185 detected threats in 1 month and management wasn't too happy about it. However, my pre-approved idea is still shot dead. – Jeff Apr 21 '11 at 18:31
1

I know that my outlook is pretty different than most in IT - I work at a university, we have zero control over client machines, everything we do is network-based.

How about just putting those associates' machines in their own VLAN, and then creating rules on the router or firewall to block traffic to EVERYTHING but the sites they should be getting to? Even a simple open source router/firewall like Vyatta, with Squid URL filter, should do the job fine...

Jason Antman
  • I got a Cisco ASA 5500 - I'd have to do some research though, not 100% sure how to set all that up, but I like the idea. – Jeff Apr 21 '11 at 19:53
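An allow-list proxy configuration of the kind this answer describes, added here as an illustration and not taken from the original answer or from the Squid project: it assumes the associate VLAN is 10.0.20.0/24, that Squid runs on that VLAN's gateway and listens on port 3128, and that the vendor domains live in a file at /etc/squid/vendor_sites.txt (all placeholder values).

```conf
# squid.conf fragment: default-deny web access for the associate VLAN.
# Assumed values: associate VLAN 10.0.20.0/24, proxy port 3128, vendor list
# in /etc/squid/vendor_sites.txt (one domain per line, e.g. ".vendor-example.com";
# a leading dot matches the domain and all of its subdomains).
http_port 3128

# The associate subnet (placeholder range).
acl associates src 10.0.20.0/24

# The 10-15 approved vendor domains, read from the external file.
acl vendor_sites dstdomain "/etc/squid/vendor_sites.txt"

# Only the usual web ports; CONNECT (HTTPS tunnelling) is limited to 443 so the
# proxy cannot be used as a generic tunnel to other services.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Associates may reach the vendor list and nothing else. The final "deny all" is
# what turns a category blocklist (the OpenDNS approach) into an allow-list.
http_access allow associates vendor_sites
http_access deny all

# Log every request, allowed or refused, so a machine that keeps racking up
# detections can be traced to the destinations it was trying to reach.
access_log /var/log/squid/access.log squid
```

The proxy only enforces anything if the firewall on the VLAN gateway drops outbound traffic that does not pass through it; otherwise a browser configured to bypass the proxy sees no restriction at all.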