Author Topic: Keeping viruses under control in a domain  (Read 880 times)


Kulverstukas (Administrator)
Keeping viruses under control in a domain
« on: October 31, 2013, 08:02:18 am »
Those who work in some bigger companies know that it's very damn hard to keep viruses under control, and if one gets into the system, it quickly spreads through USB drives, utilizing human stupidity.
Recently here at work we had an issue with that damn Servieca dropper. We have more than 300 computers all over the place probably; scanning all of them by hand would be an impossible task.

I am writing this so people with experience in this could share what they know and what would be the best strategy for protection.

My situation is like this:
Many computers connected in the domain. New computers that we replace or put in as new have "Kaspersky Endpoint Security 8" installed. They connect to the central Kaspersky server to get activated. However, the older computers that cannot run Kaspersky have other kinds of AVs, such as "MS Security Essentials". Neither one works properly, and both pass a lot of malware, but there isn't much to choose from anyway.

For specific viruses that have a special removal tool/procedure it would probably be the best solution to make it run for every user once they log in on a computer.

For lots of general malware it might be a good idea to maybe make a non-persistent drive? Documents on the desktop would be saved, everything else is deleted and restored to the clean state every time the computer starts. I don't know how realistic that would be in a domain.

Another thing would be to have a clean USB drive policy of some sort... I've seen a tool a long time ago from Panda Security that could make the USB drive uninfectable somehow. However, such stuff takes up to 500 MB on the drive....

Any other ideas?

RedBullAddicted (Moderator)
Re: Keeping viruses under control in a domain
« Reply #1 on: October 31, 2013, 12:05:46 pm »
We are following a different approach. We use thin clients as often as possible for the average office users. They run a customized Debian version and have a locked flash. Users with those clients connect to a virtual desktop (Citrix XenDesktop or VMware View). The virtual desktops are deployed from a template and the additional software is installed via SCCM. So deleting an infected machine and deploying a new one takes approximately 20 minutes. If there is an infection we kill the machine and deploy a new one. That's the fastest and cleanest way in my opinion. Other than that we have centralized antivirus software. All AV clients on the machines are managed from a centralized point. If an infection gets detected by an AV client on a machine we get email notifications with detailed information. So we can react pretty fast. If it's malware or something else that the AV does not detect, our IDS detects strange behaviour on the network (many connections in a short time and other suspicious things). In general these things are always only as good as the one who implements them. I have seen many IDS with the best rules disabled because the administrators had no clue how to use and configure them the right way. Other than that I implemented a lot of ACLs and network security features that should prevent malware from spreading through all corporate networks. Not sure what else I could do to make it more secure. Updating software regularly and keeping everything up-to-date is another important point.
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

proxx (Global Moderator)
Re: Keeping viruses under control in a domain
« Reply #2 on: October 31, 2013, 12:08:47 pm »
Well, it depends. I don't like the traditional domains and we basically only use RDP; the clients are plain stupid and completely locked down under a GPO.
Basically we don't have this problem.

In case you need to remove something specific I suggest writing a PowerShell/bat script to do so, and using it as a logon script.
Generally, block the outgoing port of the malware on the main firewall.

I agree with you that 'locking' the stations so that they are fresh on boot is a good idea; PXE comes to mind.
There are tools such as Deep Freeze which basically lock a certain snapshot and restore it.

Damn it, I'm way too busy to continue this post, it's been open for 3 hours now, I'll post some more when these bitches leave me alone :)
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage
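A logon/startup-script template for the "run the removal tool once per machine" idea from the first post and proxx's reply, as an added example that is not code from any poster. The tool path, its silent switch, the log share and the marker file name are assumptions; substitute the real vendor tool and a share that domain machines can reach.

```powershell
# Added example (not from the thread): run a vendor removal tool once per machine
# and report the result to a central share, so 300 boxes need not be visited by hand.
# Assumed paths and switch below; check the vendor docs for the real silent-run syntax.
$ToolPath   = '\\fileserver\tools\RemovalTool.exe'        # assumed: read-only share
$ToolArgs   = '/silent'                                    # assumed switch
$LogShare   = '\\fileserver\avlogs'                        # assumed: write-only for clients
$MarkerDir  = Join-Path $env:ProgramData 'AVCleanup'
$MarkerFile = Join-Path $MarkerDir 'removal-2013-10.done'  # rename for each new campaign
$LogFile    = Join-Path $LogShare "$env:COMPUTERNAME.log"

# Run once per machine, not once per user logon.
if (Test-Path $MarkerFile) { return }

# Do not blindly execute whatever sits on the share: if the tool is missing, log and stop.
if (-not (Test-Path $ToolPath)) {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $env:COMPUTERNAME tool missing at $ToolPath"
    return
}

New-Item -ItemType Directory -Path $MarkerDir -Force | Out-Null
$proc = Start-Process -FilePath $ToolPath -ArgumentList $ToolArgs `
                      -Wait -PassThru -WindowStyle Hidden
$line = "$(Get-Date -Format s) $env:COMPUTERNAME user=$env:USERNAME exit=$($proc.ExitCode)"

# One line per run in a per-machine log: grep the share to see which machines are done.
Add-Content -Path $LogFile -Value $line

# Only mark the machine as done when the tool itself reported success.
if ($proc.ExitCode -eq 0) {
    Set-Content -Path $MarkerFile -Value $line
}
```

Deploy it as a computer startup script (runs as SYSTEM) if the removal tool needs admin rights; as a user logon script it only has the user's rights, so the marker directory must then be writable by users and the tool may be unable to clean system areas.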

p@nd@
Re: Keeping viruses under control in a domain
« Reply #3 on: October 31, 2013, 01:30:24 pm »
In my environment we are deploying nothing but thin clients with a locked-down version of Win 7 using a write filter. (They refuse to use a Linux distro :( ) We then allow our users to connect using VMware Horizon View to a floating pool. These pools of course are locked down. Every time the user logs out of the machine and logs back in they get a brand new machine from the master image replica. Their documents are still there due to persona management; however, I strongly recommend them to save everything they can in their Horizon Data folders, which act as a cloud service but also prevent something from going missing and reside on our network. We then use ThinApp so everything is run in sandboxes anyway, so very little is ever actually installed on the virtual desktop. Your best bet Kulv would be to do something similar; while VDI can be a pain in the ass and expensive to set up, it works very well and shines in situations like this. Since we are still deploying VDI, those with thick clients are using Trend Micro AV and we have content filtering, email scanning, and spam filtering through Symantec, which seems to do the trick for the most part with lots of user education (even though they still can do some pretty dumb things).