Advice on preventing Internet Security 2010, Sysguard, etc.

Status
Not open for further replies.

rshendrix

MIS
Mar 5, 2002
We are having a few users continually getting infected with some of the latest security hoax trojans. What are others using to prevent this sort of thing?

We have Trend Micro AV installed and try to constantly educate on not clicking on everything that pops up. Just looking for some advice on how others are handling this.

Thanks.
 
When you say users, what type of setup are you talking about? A large corporate setup, or a small business or home users or what?

Thanks.

--

"If to err is human, then I must be some kind of human!" -Me
 
Though I've not used it, it's often mentioned as being possibly the best paid AV software: NOD32 by Eset.

Also, that definitely seems large enough, in my opinion, to look into something like Sophos.

There are of course other options, such as using your own or different DNS servers, so that you can have better control over what is/is not allowed through the network.

Also, there are different web filter companies out there that also help to disallow access to bad content, such as malware.

There's Blue Coat, and there's WebSense, at least that's 2 that come to my mind. We use WebSense where I work, and I think it works very well, from what little I've seen from a user perspective. For Blue Coat, I've not seen their corporate stuff, but their k9 protection for home users seems great.

--

"If to err is human, then I must be some kind of human!" -Me
 
Currently a lot of scareware is being installed on the fly using adapted PDF files, which by default open automatically in your browser without prompting; the enclosed JavaScript can then run and do what it wants without prompts.

Make sure that you turn off the JavaScript option within Adobe Reader to help prevent infection.

Also there is a new alert out for Adobe Reader:-
 
Internet Security 2010 is exploiting something within IE 8 to infect systems.

I was surfing the web Sunday morning with multiple windows open but not having clicked on anything or opened anything when it infected my machine at the house.

Obviously I took care of it immediately, but it gave me a better insight as to my users saying they didn't do anything...I saw first hand you don't have to click on anything to get infected. I have always recommended AVG...but there it sat, not alerting/preventing a damn thing.

I'm trying out Kaspersky right now at the house to see how that works. At the office I use the Trend product and am currently on a migration path to get the latest version, which is 10, across my network.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
At least for home, I'd suggest Avira Antivir over Trend Micro. Or you can always go with Nod32. I've not tried Nod32, but I've yet to read of anyone giving anything but praise for it. I use Avira b/c it's free, and is the closest thing to Nod32 - better in some tests - that I'm aware of.

I too used AVG before. It's not bad, but it's not as good as Avira or Nod32. And it seems AVG isn't as good as it used to be - system performance and detection.

Also, what firewall were you using? I'd suggest one of these:
#1 - unless using a 64 bit system - Online Armor by Tall Emu.
#2 - Comodo Internet Security - 32 or 64 bit.

--

"If to err is human, then I must be some kind of human!" -Me
 
We've had a few attempted infections (all in a 3 hour period) but no infections because we don't give our users admin rights, either locally or on the domain. Unless your users need admin rights then set them up as normal, or limited, users. Even if your AV is up-to-date there's a chance for viruses to slip through because all AV companies need a sample of the virus to build a defense against it.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.

Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
Yeah, that is a very good suggestion, cmeagan656, that I always seem to forget. Mainly b/c it annoys me to no end when I try to run as a limited user at home.

--

"If to err is human, then I must be some kind of human!" -Me
 
1. Don't let the users run as ADMIN (clearly the number one issue - especially on a corporate network that large!!!!!)
2. Keep Windows updates up to date.
3. Use Firefox vs. IE but keep IE up to date anyway
4. Keep Acrobat, Flash, Shockwave, Java up to date
5. Beat users that repeatedly get infections
6. Install MBAM on every PC and give users a handout on how to update it and use it. If you have to pay for it, it would be worth it (since I'd imagine it's not free for corporate use - though I never studied the EULA).
 
@kjv

Except for installing MS updates (I have auto updates set to notify only, not install), a new printer/scanner/copier, and installing software, I haven't run logged on as an administrative user in over 3 years.

If there is something that needs to run as an administrator I just right click on the shortcut and select "run as" and then enter my admin account logon credentials. Alternatively, I'll open a cmd box using "run as". Anything you do at the cmd line when you open it as "run as" and enter your administrator credentials runs as though you were logged on as an administrator.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.

Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
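
Added example (not written by any poster in this thread): a PowerShell audit of two settings recommended above, namely that day-to-day accounts should not hold admin rights and that JavaScript should be off in Adobe Reader. It assumes PowerShell 5.1 or later and the per-user Reader preference `bEnableJS` under `JSPrefs`; the `$ApprovedAdmins` allow-list and the function names are hypothetical.

```powershell
# Hypothetical allow-list of accounts/groups permitted in local Administrators.
$ApprovedAdmins = @('Administrator', 'Domain Admins')

function Test-IsElevatedAdmin {
    # True only when the current process holds an elevated Administrators token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so this also works on non-English Windows installs.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Approved } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-ReaderJavaScriptState {
    # Per-user preference: ...\Acrobat Reader\<version>\JSPrefs\bEnableJS
    # 0 = JavaScript disabled; 1 or value missing = enabled (Reader's default).
    $root = 'HKCU:\Software\Adobe\Acrobat Reader'
    if (-not (Test-Path $root)) { return }   # Reader never run by this user
    foreach ($ver in Get-ChildItem $root) {
        $key = "$root\$($ver.PSChildName)\JSPrefs"
        $js  = Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ReaderVersion     = $ver.PSChildName
            JavaScriptEnabled = ($null -eq $js) -or ($js.bEnableJS -ne 0)
        }
    }
}

# Report: anything listed by the second call is an account to review.
"Running elevated as admin: $(Test-IsElevatedAdmin)"
Get-UnapprovedLocalAdmin -Approved $ApprovedAdmins | Format-Table -AutoSize
Get-ReaderJavaScriptState | Format-Table -AutoSize
```

Run it in the logged-on user's session, since the Reader preference is stored per user under HKCU.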
 
5. Beat users that repeatedly get infections lmao

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Yes - 5 is very important and not far from the truth. Not the beating part, but users that repeatedly get malware usually have a behavior problem - where they're going on the internet and whether it's business or personal can affect your risk for an infection.
 
Yeah I realize that, and it is true. It is just the way you worded it, made me laugh lol.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Believe me, I would really love to have actually beaten some of my users. They were such arrogant and selfish %)$%+##%s. They did whatever they pleased in terms of internet browsing while at work and customized their laptops for their own use as a HOME computer. They installed home printers and camera software, etc.

Having wimpy management staff/IT management is a killer for IT administrative types.
 
goombawaho
Why not restrict it to certain sites, and have everything else blocked? Like modify the hosts file and mark it read only, and only allow admins into the Windows folder?

I have never worked for a company of that type, only to install new equipment and/or upgrade software. So my question may come across stupid lol.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
goombawaho
Tell your users that the internet responsibility form that they signed specifically states that they are not allowed to install any software on the company issued computer or they will lose privileges or be terminated.
 
I don't have users any more, so it's not my issue. I was speaking of past experiences with the hordes of users I USED to have when I was an admin.

Plus it was an HR function and neither HR nor IT management wanted to enforce any policies. Crazy but true.
 
From my customers, I am seeing infections through pretty much ALL security apps -- including Avira and Eset (which are two of the "top three" I recommend -- the third being Kaspersky.)

This is just a limited observation, of course. I'm just a "one-tech shop".

 