PC MANAGER MEETING January 23, 2008

Upload: ellen-holmes

Post on 12-Jan-2016

TRANSCRIPT

Page 1: PC MANAGER MEETING January 23, 2008. Agenda: Next Meeting, Training, Windows Policy, Main Topic: Windows AV Service Review

PC MANAGER MEETING

January 23, 2008

Agenda

Next Meeting

Training

Windows Policy

Main Topic: Windows AV Service Review

Next Meeting

Feb 20th

Week Early!

Andy Rader – Talk on Networking diagnostic tools

Training

Office 2007 classes?

Pidgin classes

Windows Policy

Exemption Requests

Reviewing Captive and Service account definitions.

Moving to new forms software

Beta Service Packs/OSes and the Fermi Domain

No! Naada! Bad System Admin!

https://plone4.fnal.gov/P1/WinPol/policies/Approved-os/

Main Topic

Windows AV Service Review

Why The Review?

Baseline Requirements

Current Implementation

Open Discussion regarding service

Why The Review?

AV Service has been available for over 1 year in present state

AV Baseline states: “All systems connected to the Fermilab network must follow the appropriate FNAL operating system or application baseline requirements for Anti Virus services.”

…updating OSX and Linux baselines…

Baseline Requirements

Major Application

The service must be defined in a Moderate level Major Application

Support

99.9% uptime for both server hardware and software

Contingency plan outlining client maintenance for extended outages

24x7 emergency signature update push and manual scans

Baseline Requirements

Server Updates

Signature/threat updates and program updates from Service Provider minimum 4 times per day

Logging Information

Clients and server must retain logging and history data for 30 days.

AV Service must interface with the Fermi Enterprise Management System

AV System must participate in central logging, alert and notification systems

Baseline Requirements

FNAL Managed Client Settings

Signature and program updates check FNAL AV Service or Service Provider minimum 2 times per day

If FNAL Service is unavailable or client cannot access FNAL network, client must automatically check Service Provider

Clients must be configured for a full scan weekly. Cancelled or failed scans must be logged to the central AV Service.

Scans should check for spyware and adware

The software should attempt to clean the infection then quarantine it

Baseline Requirements

Real time protection must be enabled, but exclusions may be defined for special cases

Alerts must be generated to the local client and to the AV service

Clients must report virus scanning activity and alerts to the central AV service in real time.

Current Implementation

Ken Fidler

Antivirus – Central Facility

To support the majority of the Lab we have a Windows Cluster to run the Central AV infrastructure

A Central AV report server with a SQL database is also used to consolidate data from Beams and our servers

Custom code was created to enhance the central reports and alerting

PRT-AV-CLUST

Antivirus – Alert Flow

[Diagram: alert flow. Labels: Client, Central AV Server, CLOGGER, Cd-sav-rpt, \\prt-av-clust\av_logs, Listserv, E-mail Alerts, sql, Virus Definitions]

Antivirus - Interfaces

Various tools/interfaces are available to Desktop Admins

System Center Console

Central AV Report Server

Client Logs

E-mail Alerts

Activity logs

Antivirus – Central Console

Central Report Server

Antivirus – Mail Lists

---- Warning -------
A VIRUS was reported to our Central anti-virus facility.

Alert: Risk Repaired
Computer: Bobs-pc
Date: 1/20/2008
Time: 1:53:50 PM
Severity: Warning
Source: "C:\users\bob\mydocs\Diablo II\diablo2noCD108all\DLoad.exe"
User: bob-admin
Action Taken: "Leave Alone"
Virus that was found: "Backdoor.Graybird"

Antivirus – Mail Lists

Allows us to target key desktop support groups for their supported systems

Each major group has an assigned mail list AV-ALERT-xx

All alerts go to the master list AV-ALERT-ALL

Mail lists are archived

Mail Lists can be configured for Digest

Antivirus - Log files

Antivirus - Logs

Antivirus - History

CD has been using Symantec (formerly Norton) AV software since 1998

Initially AV software only on Servers

Besides CD, CD also supported Directorate, CDF, ESH, FESS, and LSS (now WDRS)

Individual Dept servers were the AV Parent Servers

Antivirus – SAV version 10

Symantec announces version 10 in Spring 2005

Version 10 had built-in features to report and centralize services

CD began plans to build a centralized AV system

CD worked with CST on our configuration (many DOE audits underway)

Antivirus – Upgrade to Ver. 10

Summer 2005 - Setup new central cluster

FALL 2005 - Created central log files, and alert system to accommodate various desktop support groups

Early 2006 - Migrated CD, Directorate, ESH, FESS, LSS (now WDRS)

March 2006 - Symantec announces 10.1 – (Central Report Server)

Antivirus – SAV 10.1

Summer 2006 – Began migration to 10.1 and migrated PPD, TD, and Dzero to our central facility

Summer 2006 – Began testing Report Server

Fall 2006 – Migration complete

Early 2007 – Production Report Server activated with Beams AV connected in

Late 2007 - Symantec announces version 11

Antivirus – Documentation

AV Baseline cd-doc-1460

Major Application

AV Risk Assessment cd-doc-1529

AV Contingency Plan cd-doc-1531

AV Security Plan cd-doc-1530

Central AV Website http://www-css.fnal.gov/csi/win-av/

Open Discussion

Some Thoughts

Apply policies based on Active Directory structure

Delegation of console interface

Small footprint

One package/console for all supported OS

Likes

Dislikes

Suggestions?