So for the guys out there who have read a few of my blogs, they know that before I came to eGroup I spent 11 years on the customer facing side of IT, administering storage, VMware, Citrix, etc.. One of my roles during that time period was also managing antivirus on desktops and servers, a fairly critical task because no one wants to have a major virus outbreak. It was never a fun task though, DATs were a pain, so was versioning, and hoping that it was working and that it was actually updating never made you feel good! Well, as I made the jump to my new career at eGroup I had my eyes opened to a new world of technology that I had not been exposed to previously, one of those was Trend Micro’s Deep Security. As a VMware administrator I played around with different antivirus solutions trying to find one that didn’t impact CPU utilization on my hosts and virtual machines severely, if it was an antivirus solution I tried it at least once and yet all of them seemed to impact my VM’s CPU ranging from about 10% to sometimes closer to 30%. I always thought this was ridiculous and that there had to be a better way, well apparently the guys at Trend thought so as well and came up with a solution. Read more after the bump to see how it works! Read more >>
I had some major problems deploying Trend OfficeScan version 10 to Windows Vista this week. Specifically, I was getting this error:
To install on a remote computer, use an account with administrator privileges. If the target computer is running Windows XP or Vista Basic, remote installation cannot proceed because there is no remote registry service on these platforms.
Read more >>
New OfficeScan 10 delivers immediate protection for your desktops, laptops, servers, smartphones, and storage devices. This innovative solution combines world-class anti-malware with new File Reputation and Web Reputation security to stop threats in the cloud and remove the burden from your endpoints, reducing endpoint infections up to 5.4% and cutting management time by 25%. Read more >>
Here’s some interesting reading related to the Downadup virus from the SANS NewsBites newsletter. SANS is a computer security training organization (http://www.sans.org/)
–How One Company Cleaned Up The Thumb Drive Attacks- And Learned A Lot In The Process.
From the editor of SANS NewsBites: I received a fascinating note from a manager who registered three people for SANS training this winter despite a corporate ban on nearly all travel and training for the first half of 2009. I had known about his company’s ban so when I saw the three registrations come in, I wrote and asked him what happened. His answer is enlightening; it has to do with the thumb drive infections that are hitting so many people.
Here’s his answer to “Why Did You Send People to SANS This Year When You Have a Ban on Training and Travel?”
Take a closer look; you’ll find that 12 or 13 people are coming from (company) to SANS in Orlando, not just my three. The others are coming from other divisions. Here’s why. You remember the big wave of attacks last November where infections were spread by thumb drives. We got hit by that. It is amazing how often people use those things. It spread to dozens of Windows file servers, and from there jumped to thousands of workstation systems. It clogged our networks. It was so bad a lot of machines, including the ones on the top floor of this building, had to be taken off line – and that got some unwanted visibility from the CEO.
We called both our AV vendors but neither had a signature for this virus yet. It took a long time and a lot of pain before we found all the machines that were hit, stop the spread to new machines, and got rid of the (expletive deleted) thing. The whole company – every US division and international was affected.
So what does that have to do with my guys going to SANS? It turns out our CEO was in the UK visiting our facility there and somehow the topic of the virus came up and our UK manager told him it had hardly been a problem at all in the UK. He said his security guys found it within a few minutes and cleaned it out. As you might imagine the CEO’s follow-up email to me was unpleasant. So I called my counterpart in the UK and asked him how he had dealt with the attack so easily. He told me one of his guys knew what to do immediately. He said used the built-in Windows WMIC command to find systems with the malware processes running and that also told him about the changes made by the malware. Then, he used the reg command to remove an entry from the auto-start capabilities of infected machines to stop the malware from running on startup. He also said the reg command let him change the USB and CD/DVD autorun function to stop similar infections. After shutting down the malware and stopping it from spreading, he said he used a couple more techniques to clean up the infected machines quickly. I asked where his guy learned all that. He said at SANS, in a course called 504 which I later learned was your Hacker Exploits and incident Handling class. I reported that back to our CEO. He told me to make sure every division had at least two people who knew those techniques. So, our travel ban was lifted for SANS.
Here’s a link to info on the WMIC command: http://technet.microsoft.com/en-us/library/bb742610.aspx?ppud=4
Jonathan Webster, eGroup