security tips to curb virus menace
  • security tips to curb virus menace

    Hi Friends,

    I need some security tips from you all. Hope you experts will rescue me. Here goes my question. My environment consists of about 1000 nodes (500 Windows + 500 Linux boxes). We use Trend Micro OfficeScan Corporate Edition. Vexira antivirus is installed on the mail server (sendmail). And also our firewall is capable of virus scanning for SMTP traffic. We have one Squid proxy server (Linux) which is directly present in the DMZ zone.

    Our network is infected with the Lovgate, Funlove and Dborm viruses. These are the top 3 viruses shown in my antivirus web console. And some other viruses are also present significantly: Tuntra, javebyteversion etc.

    How do I eradicate this virus menace completely from my network? Normally, what are all the loopholes and entry points through which it enters my network?


    Through the mail server it cannot, because the anti-virus product we have installed protects very well against viruses that spread through email. Is it spreading through the proxy server? But that is a Linux box.

    Please help me and share your valuable suggestions/thoughts.

    Regards,
    SKM

  • #2
    Whether your proxy is Linux or not doesn't matter. The proxy only routes you to the internet....

    So first of all, do your clients have a virus scanner? (Especially the Windows machines?)
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      hi,

      All the Windows machines are installed with the Trend Micro anti-virus scanner.

      skm



      • #4
        Do you have a gateway scanner, and is Trend Micro centrally manageable? If so, start an on-demand scan on your Windows machines first.
        I personally have a bad taste of Trend Micro.

        We have (at our customer) a Trend Micro InterScan as gateway scanner, and still McAfee catches viruses... Netsky.P for example...
        Marcel



        • #5
          What ports do you currently have open to the outside world?

          Many viruses these days are quite advanced; once they infect, they will broadcast information about the host machine to the internet, and will also listen for this information.

          Once a virus picks up this information, it's like a key to re-infect the computer, so if you clean it off but don't fix the "open door", a new virus will come through and re-infect.

          First of all, close ALL TCP and UDP ports you do not require. This will leave less of an opening for the virus to come in on, and if any trojans are present and not known on your systems, it will also limit/stop them from functioning as well.

          Second, if Trend hasn't stopped these viruses (not sure if you had Trend before or after the infection, but assuming before the infection here), it might be worth looking at a better virus scanner. I use Trend with 12-hour updates in the office, but I use Norton Antivirus at home, which has live updates every 6 hours. I have also set up the IBM Antivirus scanner at a client's office, which searches for updates every 2 hours, and I believe this is probably the strongest AV program I have found so far, with a protection list which is double that of the other 2 mentioned programs combined.

          Third, any of the PCs infected should be pulled from the LAN until cleaned and protected. Make them standalone and they can't infect other systems. The last thing you need is to clean 1 machine and find it has infected 4 others during the cleaning-up time; if this happens, you're fighting a losing battle.

          I am also hoping that you have AV on all computers, not just all gateway systems.

          Run a program called Ad-Aware on your Windows-based systems. This program is great at picking up trojans that are hidden in the registry, and trojans hold ports open, and open ports invite viruses.

          I wish you the best of luck. BTW, how many computers are infected (percentage-wise) on your network?

          B.



          • #6
            Yes, it is centrally manageable -- OfficeScan Corporate Edition. I don't have a gateway scanner. But my firewall is capable of scanning for viruses, and my mail server is installed with the Vexira anti-virus scanner. So virus spreading through mail is effectively filtered.

            What are the other possible ways in which a virus can enter a LAN?


            Note: All the floppy drives are disabled in my LAN.


            skm



            • #7
              Originally posted by skm_mail
              What are the other possible ways in which a virus can enter a LAN?


              Note: All the floppy drives are disabled in my LAN.
              As mentioned previously, close ALL ports that you do not require.

              Open LANs are always a haven for virus activity, because the viruses are programmed to scout for open ports, usually ports above 1000, but sometimes lower as well.

              Close your LAN and make it nice and tight; if managed correctly, you will not suffer any loss of services, except for less virus activity.

              B.



              • #8
                Hi,

                Close your LAN and make it nice and tight; if managed correctly, you will not suffer any loss of services, except for less virus activity.
                Indeed, all the unnecessary ports are closed in the firewall, i.e., only required ports are open and everything else is closed. But the virus activity is present in the LAN, and you have said

                except for less virus activity.
                This lesser virus activity, where does it originate from? Any idea, or tools/scripts to find the origin?

                skm



                • #9
                  You could run packet traces to find where the viruses are broadcasting from, but seeing as you know about them already, I would have to think you know which computers they are on.

                  At this point I would suggest starting to take computers off the network and cleaning them individually, maybe backing up all the important data (which you should be doing anyway), imaging a clean system, and just re-applying the clean image to all the other systems and starting them from scratch.

                  The way my home network runs is I have 5 systems: 3 are Compaq PCs of equal or very close specs, 1 is a server which holds everything, and the other is my laptop.

                  I have an image for the 3 Compaq computers, and if I get viruses and other issues, I just push the image onto the system, wiping everything and starting again. It takes about 9 minutes for each PC.

                  My server then puts all the programs back across via the network, and the only thing I need to change in the entire process is the computer's IP address, which is set as xxx.xxx.xxx.254 on my clean image.

                  B.

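                  Post #9 suggests packet traces to find where the worm traffic originates. As an added illustration (not code from this thread or from any of the posters), the Python script below parses tcpdump-style SYN lines and ranks internal hosts by how many distinct neighbours they probe on a single port, which is the fan-out pattern a scanning worm leaves behind. The trace lines are constructed for the example, not a real capture, and the threshold of 5 targets is an assumption to be tuned per network.

```python
import re
from collections import defaultdict

# Matches a tcpdump line of the form
# "12:00:01.002 IP 10.0.5.17.1032 > 10.0.7.2.445: Flags [S], ..."
# Only bare SYNs are of interest; SYN-ACK replies show "Flags [S.]" and are skipped.
LINE_RE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[S\]"
)


def build_sample():
    """Constructed trace (not a real capture): two hosts sweep neighbours, one behaves normally."""
    lines = []
    # 10.0.5.17 probes 8 different hosts on port 445 (worm-like fan-out)
    for i in range(2, 10):
        lines.append(f"12:00:01.{i:03d} IP 10.0.5.17.{1030 + i} > 10.0.7.{i}.445: Flags [S], seq 0, win 64240, length 0")
    # 10.0.5.40 probes 6 different hosts on port 139
    for i in range(20, 26):
        lines.append(f"12:00:02.{i:03d} IP 10.0.5.40.{2000 + i} > 10.0.8.{i}.139: Flags [S], seq 0, win 64240, length 0")
    # 10.0.5.9 only talks to the proxy (3128) and the mail server (25): normal client
    lines.append("12:00:03.001 IP 10.0.5.9.3001 > 10.0.1.1.3128: Flags [S], seq 0, win 64240, length 0")
    lines.append("12:00:03.002 IP 10.0.5.9.3002 > 10.0.1.2.25: Flags [S], seq 0, win 64240, length 0")
    lines.append("12:00:03.003 IP 10.0.1.1.3128 > 10.0.5.9.3001: Flags [S.], seq 0, ack 1, win 64240, length 0")
    return lines


def fanout(lines):
    """Map (source host, destination port) -> set of distinct destination hosts sent a SYN."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # reply, non-SYN or unparsable line
        src, _sport, dst, dport = m.groups()
        targets[(src, int(dport))].add(dst)
    return targets


def suspected_scanners(lines, min_targets=5):
    """Return [(src, dport, n_targets)], busiest first, for sources hitting >= min_targets hosts on one port."""
    hits = [(src, dport, len(dsts)) for (src, dport), dsts in fanout(lines).items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dport, n in suspected_scanners(build_sample()):
        print(f"{src} sent SYNs to {n} distinct hosts on port {dport}")
```

                  Feed it the output of `tcpdump -n` captured on a span port; the hosts at the top of the list are the ones to pull off the LAN and clean first.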


                  • #10
                    Run Stinger from McAfee in the logon script.
                    Marcel