
Does anyone in I.T. here have luck with keeping users from getting infected?

Posted on 11/12/14 at 11:00 am
Posted by Casty McBoozer
your mom's fat arse
Member since Sep 2005
35495 posts
I put in some GPOs for executables in temp directories as outlined here: LINK.

I have them running MSSE and MBAM pro with Adblock Plus in the browsers, and nothing helps.

This particular company is using MX Logic/McAfee SaaS for spam/virus email filtering so I don't think infection is getting in that way.

Users are always asking me how they got infected, but I don't know what to tell them, because I've never gotten all this crap. Every computer I work on is full of PC speed fixers/optimizers, has browser add-ons out the arse, etc.

I don't know how to stop it or how it's happening! Way too many calls this week.
Posted by ILikeLSUToo
Central, LA
Member since Jan 2008
18018 posts
Posted on 11/12/14 at 11:20 am to
Where I work, every office computer is locked down to the point that users can't even update Java without an admin's assistance, or flash or a new browser.

Despite that, a few years ago my office PC picked up some standard (fake virus scanner) malware that arrived just at the time I was browsing some rather innocuous-looking site with MS Word tutorials. I'm obviously not a clueless internet user, but it just happened out of nowhere. I can't think of any possible way of stopping it 100% other than IT blocking everything that isn't intranet, but that wouldn't work for quite a few positions. There's always a flavor of the month malware being circulated somewhere.
This post was edited on 11/12/14 at 11:22 am
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 11:32 am to
The simple answer is "no". As new defense mechanisms become available, the attackers just change what they are doing.

White listing is one of the better things that have come around in the last few years. It even has its flaws.

Bit9, for instance... About a year ago they were the hottest thing since sliced bread. Then attackers just stole their application hashes. Defense mechanisms in infosec are developed in a mainly reactive fashion. The attackers are always 1 step ahead of what is out there to defend.

But past that, reducing user permissions is obviously something you want to do. But it doesn't matter what the user can browse to or install when you open a malicious Office document that exploits OLE, etc.
This post was edited on 11/12/14 at 11:36 am
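Two of the controls mentioned so far (the OP's policy against executables in temp directories, and the allowlisting gmrkr5 brings up) can be expressed in one AppLocker policy. The script below is an added example for this thread, not the OP's GPO from the LINK above and not any vendor's code. It assumes a Windows edition that ships AppLocker, the Application Identity service running, and a hypothetical line-of-business program at `$LobExe` that gets a hash-based allow rule; every path and rule name is a placeholder. The collection is written in audit mode so it only logs what would have been blocked.

```powershell
# Added example, not from the thread. Builds an AppLocker "Exe" rule collection that
# (1) allows the usual default locations, (2) denies executables launched from
# per-user temp directories, and (3) allows one line-of-business program by file
# hash, the way an allowlist product would. Assumptions: an edition that ships
# AppLocker, the Application Identity service running, a placeholder LOB program.

$LobExe     = 'C:\LOB\Placeholder\app.exe'          # hypothetical program to allow by hash
$PolicyFile = Join-Path $env:TEMP 'applocker-example.xml'

function New-RuleId { [guid]::NewGuid().ToString() }

# Path rules. AppLocker evaluates Deny before Allow, so the temp-directory rule
# applies even though the default Allow rules cover broad locations.
$pathRules = @"
  <FilePathRule Id="$(New-RuleId)" Name="Allow Windows" Description="Default rule"
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="Default rule"
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$(New-RuleId)" Name="Allow all for Administrators" Description="Default rule"
                UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$(New-RuleId)" Name="Deny exe in user temp"
                Description="Droppers commonly unpack and run from the user temp folder"
                UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
  </FilePathRule>
"@

# Hash allow rule for the LOB program, generated by AppLocker's own cmdlets so the
# hash format matches what the engine compares at run time.
$hashRuleXml = ''
if (Test-Path $LobExe) {
    [xml]$generated = Get-AppLockerFileInformation -Path $LobExe |
        New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'LOB' -Xml
    $hashRuleXml = $generated.AppLockerPolicy.RuleCollection.FileHashRule.OuterXml
}

# AuditOnly: nothing is blocked yet; AppLocker logs what would have been denied.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$pathRules
$hashRuleXml
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $policyXml -Encoding UTF8

# Dry-run the policy against real files before importing anything. A benign copy of
# notepad.exe in %TEMP% stands in for a dropper; Test-AppLockerPolicy needs the files to exist.
$sampleDropper = Join-Path $env:LOCALAPPDATA 'Temp\sample-dropper.exe'
Copy-Item "$env:WINDIR\notepad.exe" $sampleDropper -Force
$samples = @($sampleDropper, "$env:WINDIR\notepad.exe") + @($LobExe | Where-Object { Test-Path $_ })
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sampleDropper -Force

# Apply locally once the dry run looks right (uncomment); for a domain, import the XML
# into a GPO under Application Control Policies > AppLocker, or use Set-AppLockerPolicy -Ldap.
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# While in audit mode, event 8003 in this log lists launches that would have been blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message -First 10
```

Expected dry-run output: the temp copy is `Denied` by the temp rule, `notepad.exe` is `Allowed` by the Windows rule, and the LOB program (if present) is `Allowed` by its hash rule. Two caveats a practitioner would want: legitimate installers also extract to `%TEMP%`, which is why the collection starts in `AuditOnly` and is switched to `Enabled` only after the 8003 events have been reviewed; and a hash rule is only as trustworthy as the list it came from, which is the weakness gmrkr5 describes, so the hash rule belongs in a file whose changes are controlled like any other security setting.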
Posted by Hopeful Doc
Member since Sep 2010
14962 posts
Posted on 11/12/14 at 11:46 am to
quote:

Where I work, every office computer is locked down to the point that users can't even update Java without an admin's assistance, or flash or a new browser.

Most of our users had power user access, but then my boss got tired of us installing every update, so he moved people back to full/admin access of workstations. Never had a virus problem though. It was a ~50 user office with state money, so we had a Barracuda web filter (210 series?) that did a good job of blocking most web traffic we didn't want rolling through. And we had a centrally-managed Trend Micro antivirus that I never particularly noticed as good or bad. It was definitely not intrusive.
Posted by XanderCrews
Member since Mar 2009
774 posts
Posted on 11/12/14 at 11:55 am to
(no message)
This post was edited on 12/21/21 at 10:05 am
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 12:12 pm to
quote:

Most of our users had power user access, but then my boss got tired of us installing every update, so he moved people back to full/admin access of workstations. Never had a virus problem though. It was a ~50 user office with state money, so we had a Barracuda web filter (210 series?) that did a good job of blocking most web traffic we didn't want rolling through. And we had a centrally-managed Trend Micro antivirus that I never particularly noticed as good or bad. It was definitely not intrusive.

Ha, with that type of environment you most likely just didn't know you were compromised.

A content filter and A/V would be considered bare-minimum protection.
This post was edited on 11/12/14 at 12:13 pm
Posted by ZereauxSum
Lot 23E
Member since Nov 2008
10176 posts
Posted on 11/12/14 at 12:25 pm to
quote:

Where I work, every office computer is locked down to the point that users can't even update Java without an admin's assistance, or flash or a new browser.

Same here. I can't change anything on my work laptop. I can't even defrag the hard drive or go into device manager :/

Sucks for me, but this level of totalitarianism is probably best for the company.

We also have Websense Endpoint blocking pretty much the entire internet, so the only thing coming in would be a malicious email attachment.
This post was edited on 11/12/14 at 12:26 pm
Posted by foshizzle
Washington DC metro
Member since Mar 2008
40599 posts
Posted on 11/12/14 at 12:49 pm to
quote:

Where I work, every office computer is locked down to the point that users can't even update Java without an admin's assistance, or flash or a new browser.

Same here. End users cannot install anything at all, and if someone attaches an unauthorized external device (thumb drive, external HD, etc.) IT gets notified somehow, and someone will be down within 5 minutes to have a word with the user; I've seen it happen.
Posted by TigerMyth36
River Ridge
Member since Nov 2005
39730 posts
Posted on 11/12/14 at 12:51 pm to
We have lots of things locked down. I can't run an exe without admin approval. I think flash upgrades require an admin.

With that, we have still been hit a few times in the last couple of months.

Without 100% lockdown of the net, I don't see how it is possible to stop infections.

You just need to react fast and have the tools in place to fix the mess.
Posted by jdd48
Baton Rouge
Member since Jan 2012
22079 posts
Posted on 11/12/14 at 12:51 pm to
Turn off local admin privileges for users if you haven't. That cuts down on it a lot, but still doesn't prevent it entirely. Only downside is you have to go and type in an admin password for every software update. I'd rather do that than fight non-stop infections.

I've heard it said time and time again, and experienced it myself. The weakest part of the IT security program is usually the users.
This post was edited on 11/12/14 at 12:54 pm
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 1:02 pm to
quote:

I've heard it said time and time again, and experienced it myself. The weakest part of the IT security program is usually the users.

True statement. For anyone that has never seen it, SANS provides tons of end user training material. SANS is probably the most highly regarded infosec training provider, from end users up to infosec engineers, architects, etc.


securingthehuman
This post was edited on 11/12/14 at 1:05 pm
Posted by Hammertime
Will trade dowsing rod for titties
Member since Jan 2012
43030 posts
Posted on 11/12/14 at 1:11 pm to
Sounds like job security to me
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 1:18 pm to
quote:

Sounds like job security to me

lol, exactly
Posted by Bard
Definitely NOT an admin
Member since Oct 2008
51586 posts
Posted on 11/12/14 at 1:33 pm to
We have everything pretty much locked down, the only updates that don't require us are Windows updates. 8e6 firewall, Barracuda spam blocker for email, Kaspersky for the A/V.

Since switching from the steaming pile of crap that is Computer Associates a/v, our malware issues went from 20-30/month to 1 every other month (around 600 machines, some with multiple users). The most common culprits are the few outside of IT that have admin rights and/or folks with laptops (tip: IT people know what TOR is so don't be shocked when you get called into HR for downloading a copy of "Black Hookers 1998").

Even with that I still run across people that have managed to load things like Spotify.

What browser are you running on user computers? I know there is a big push away from IE (and rightly in many cases) but I have an issue with Chrome's app store being accessible and hardly any of the apps needing admin rights to install (haven't tinkered with Firefox's store).

It's been a while, but when we were still using CA I would occasionally load Spybot and put the Tea Timer on to toss out scary warning messages anytime something tried to make a registry change. I had some limited success with it, but again that was years ago.
Posted by Hopeful Doc
Member since Sep 2010
14962 posts
Posted on 11/12/14 at 2:06 pm to
quote:

Ha, with that type of environment you most likely just didn't know you were compromised.

We most definitely didn't have intrusive fake a/v viruses as discussed above.
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 2:22 pm to
quote:

We most definitely didn't have intrusive fake a/v viruses as discussed above.

That's about the least sophisticated threat out there. It wants you to know it's there. The bad ones are the stuff you never find out about.
Posted by Hopeful Doc
Member since Sep 2010
14962 posts
Posted on 11/12/14 at 3:27 pm to
quote:

the bad ones are the stuff you never find out about

I'm aware. So the systems that can't even keep the obvious things out are more secure than the ones who can...?
Posted by gmrkr5
NC
Member since Jul 2009
14891 posts
Posted on 11/12/14 at 3:35 pm to
quote:

So the systems that can't even keep the obvious things out are more secure than the ones who can...?

Please show me where I said this.
This post was edited on 11/12/14 at 3:38 pm
Posted by jcole4lsu
The Kwisatz Haderach
Member since Nov 2007
30922 posts
Posted on 11/12/14 at 3:37 pm to
Just wait until one of those sheeple gets CryptoWall and finds out everything on the hard drive is now encrypted.

Then let them bitch at you about how they don't have everything backed up, even though you have told them they need to do something about it for the past 2 years.

I hate people.
Posted by BigSquirrel
Member since Jul 2013
1880 posts
Posted on 11/12/14 at 3:56 pm to
Yes, I have had great success. There are two easy answers: OpenDNS and ESET antivirus. Since installing these two, we have only had one virus, which was on a VM machine an outside tech logged into, which didn't have ESET on it.