September 29, 2009 Computer Security Awareness Day, Fermilab


Page 1: September 29, 2009, Computer Security Awareness Day, Fermilab (title slide)

Page 2:

• Why are we here?
• Current environment
• How are machines getting infected?
• Improvements (timeline)
• Weekly AV scan changes
• What is TIssue?
• AV Notice TIssue Detector
• Rebuilds vs fixes
• AV service enhancements
• Help us to help you
• Blocked? Getting help…
• Questions?


Page 3:

• AV Protection for ~3000 Windows systems
• Volume of AV notices via Email
  ◦ ~1000 per month
  ◦ A single machine can generate several notices
  ◦ Too many for any one person to filter by hand
• Manual response
  ◦ Can be unreliable
  ◦ No priority
• No official procedures prior to May 2009
• Tune IT Up requirement


Page 4:

• Symantec AV Corporate Edition 10
  ◦ multiple parent servers to support Fermilab
  ◦ servers report into a central AV Report server
  ◦ system is configured to download and advertise new signature files every 15 minutes
  ◦ If away from the lab: clients are configured to download new sig files from Symantec once a day
  ◦ clients are configured to perform a full scan once a week (most are set for Tuesday 2AM)
  ◦ clients use heuristics in addition to the standard signature-based realtime protection


Page 5:

• AV alone cannot cover all malware
  ◦ Malware is being written at a high rate, a challenge for AV manufacturers to keep up
  ◦ Now needed: Antivirus, Antispyware, firewall, intrusion prevention, device and application control
• Local admin permissions
  ◦ Domain and local accounts
• USB devices
  ◦ Autorun & Autoplay can allow malware
• Web browsing
  ◦ Business need web browsing
  ◦ Non-business casual web browsing


Page 6:

(Diagram: infection flow; the labels recovered from the graphic are, in sequence)
• Normal web surfing
• Malware runs in memory
• Request Rootkit from the cloud
• Attempt to write Rootkit to file system
• AV does real-time file scan after file is closed

Page 7:

• Web Proxy Server
  ◦ Applied to 98% of the network subnets at the lab
• Disable Autorun
  ◦ prevents malware from auto-running on USB device insertion
• Restricting web access via domain
  ◦ Applies to machines with critical business needs
• Restore points - 2 options
  ◦ disable restore to remove malware, then re-enable
  ◦ rebuild
• Weekly AV Scan changes – next slide


Page 8:

• Scans may be postponed four times
  ◦ instead of cancelled
• Tested new setting for several weeks with no problems
• Staged rollout throughout the end of the year


Page 9:


• Tracking Issue workflow system
  ◦ Strong Authentication violations
  ◦ OS patching levels
  ◦ Network inventory
  ◦ Antivirus Notices
• Monitors the central logging repository
  ◦ Blocks are issued based on parameter settings

Page 10:


• Registered system administrators will get notified
• Issue must be properly remediated or the system will be blocked
• You will be blocked again if the problem is not actually fixed

Page 11:


This email is automatically generated, do not reply. The system listed below is registered to you as a sysadmin.

A network block for this system (described below) has been requested by Computer Security.

Please visit: https://nimisrva.fnal.gov/WF/TIssue/event_mgr/displayRemediationForm?machine_id=34754 to view more details about the vulnerability found and to enter the action taken to fix the vulnerability.

Note: If this event is not remediated, the system will be blocked from network access at None

Here is a description of the host/sms check:
IP Address: 131.225.xx.xx
MAC Address: 00:00:00:00:00:00
Node name: xxxxxxxxx
Affiliation: xx/xx/xxx/xxxxxxxxxxxxxxxxx
Last found: 2009-09-22 13:08:41
Issue: Virus Found (Blocking Event)
Additional Info:
Class/Action/Location trigger:
Host:xxxxxxxxxxxx
IP:131.225.xx.xx
USER:xxxxxxxxx
Class/Action/Location triggers:
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )

THIS IS A BLOCK EVENT.

If you experience difficulties resolving this issue or require additional assistance, please contact the FNAL Service Desk (x2345) to open a ticket to be routed to your local desktop or server support group.

Page 12:

• Previously each notice was manually reviewed
• Now automated - virus notices are sorted and filtered
  ◦ Notices that require follow-up are flagged
  ◦ All other AV notices are ignored
  ◦ Started by using criteria that matched our current AV experience
  ◦ Criteria changes will be made from Windows Policy Committee proposal vote


Page 13:

• Follow-up criteria
  ◦ Virus type blocks: Root kits, keyloggers, information stealing, etc.
  ◦ File location blocks: Operating system, application program, etc.
• Departmental file servers are exempt from blocks


Page 14:

• The number of rebuilds is small versus the number of identified viruses
• Rebuild if virus types meet criteria
  ◦ such as Hacktool.Rootkit & Downadup (aka Conficker)
• Rebuild if infected files are in protected system areas
  ◦ such as Windows, WINNT, System, System32
• Fix if virus is in a restore point
• Ignore notices in temporary internet file areas and non-system areas
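The follow-up criteria on pages 12 to 14 (virus-type and file-location blocks, rebuild versus fix versus ignore, exempt departmental file servers) as a small triage routine over trigger lines shaped like the one in the sample notice on page 11. This is an added example written for this transcript, not Fermilab's TIssue code; the exempt server names, the restore-point directory, and the precedence between the rules are assumptions.

```python
import re

# Follow-up criteria from the slides: virus families that force a rebuild,
# families that need follow-up, and directories that decide rebuild/fix/ignore.
REBUILD_VIRUS_TYPES = ("hacktool.rootkit", "downadup", "conficker")
FOLLOWUP_VIRUS_TYPES = ("rootkit", "keylog", "infostealer")
PROTECTED_DIRS = {"windows", "winnt", "system", "system32"}
IGNORE_DIRS = {"temporary internet files"}
# Assumption: restore points live under "System Volume Information".
RESTORE_DIRS = {"system volume information"}
# Constructed, hypothetical names for the exempt departmental file servers.
EXEMPT_FILE_SERVERS = {"deptfs01", "deptfs02"}

SEVERITY = {"ignore": 0, "flag": 1, "fix": 2, "rebuild": 3}
# Trigger line shape seen in the sample notice: "<virus>=<location> (<action>)"
TRIGGER_RE = re.compile(r"^(?P<virus>[^=]+)=(?P<path>.+?)\s*\((?P<action>[^)]*)\)\s*$")

def parse_trigger(line):
    """Split one Class/Action/Location trigger line into (virus, path, action)."""
    m = TRIGGER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised trigger line: {line!r}")
    return m["virus"].strip(), m["path"].strip(), m["action"].strip()

def classify(virus, path):
    """Map one trigger to rebuild / fix / flag / ignore (rule order is an assumption)."""
    virus = virus.lower()
    # Path components, splitting on \, / and the ">>" container separator.
    parts = {p.strip() for p in re.split(r"[\\/]|>>", path.lower())}
    if any(v in virus for v in REBUILD_VIRUS_TYPES) or parts & PROTECTED_DIRS:
        return "rebuild"  # listed virus type, or file in a protected system area
    if parts & RESTORE_DIRS:
        return "fix"      # disable restore to remove it, then re-enable
    if parts & IGNORE_DIRS:
        return "ignore"   # temporary internet file area
    if any(v in virus for v in FOLLOWUP_VIRUS_TYPES):
        return "flag"     # rootkit / keylogger / infostealer outside system areas
    return "ignore"       # ordinary detection in a non-system area

def triage_notice(host, trigger_lines):
    """Decide the follow-up for a whole notice: the most severe trigger wins."""
    if host.lower() in EXEMPT_FILE_SERVERS:
        return "exempt"   # departmental file servers are exempt from blocks
    decisions = [classify(*parse_trigger(line)[:2]) for line in trigger_lines]
    return max(decisions, key=SEVERITY.__getitem__, default="ignore")
```

Run against the three Infostealer triggers from the page 11 notice, triage_notice returns "flag": not a system-area hit, so a follow-up rather than an automatic rebuild.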


Page 15:

• Working with vendor to identify detected malware
• Review and upgrade current solution
  ◦ Endpoint Security Protection: Antivirus, Antispyware, Firewall, intrusion prevention, device and application control


Page 16:

• If you are blocked please tell us if:
  ◦ you have recently borrowed a flash-drive/memory stick
  ◦ you have opened an email attachment, especially from your non-Fermi account
  ◦ you have browsed business related web sites
  ◦ you have browsed casual web sites
• Providing detailed information may help problem resolution and future enhancements


Page 17:

• Email notice goes to the registered system administrator
  ◦ When your machine gets blocked you may not receive an email notice. Contact the Service Desk at x2345
  ◦ If you suspect you have been blocked, ask that the TIssue site be checked
• Need to provide username, nodename, IP address etc.


Page 18:

Thank you for attending!
