Antivirus at DESY: Reinhard Baltrusch, Helga Schwendicke, Gunter Trowitzsch


1
Antivirus at DESY
Reinhard Baltrusch, Helga Schwendicke, Gunter Trowitzsch
  • Total Virus Defense
  • Licensing
  • Installation
  • Updates
  • Lovesan/MSBlast incidents

2
McAfee System Protection: Total Virus Defense
  • includes File Server Protection (Netshield)
  • Desktop protection (All Windows platforms)
  • e-mail protection (Groupshield)
  • Internet Gateway protection (Webshield)
  • also available for Solaris and Linux
  • McAfee Prime support 24 hours, 7 days/week
  • Management tools
  • Licensing 2000 nodes
  • VirusScan 4.03 (NT4)
  • VirusScan 4.51 (WXP, W2K)
  • Enterprise V 7.0 (WXP, W2003)
  • contract for 2 years
  • special contract for German Public
    Administrative Organizations which includes
    Governmental and research Centers

3
Total Virus Defense
  • 3 Tools
    • Auto Update Architect
      • Downloads the updates from McAfee server
      • Supports distributed repositories
    • Installation Designer VSE 7.0
      • Preconfigures the VirusScan Enterprise 7 installation package
      • Creates a new customized .MSI file
      • Creates and modifies a settings (.CAB) file
    • ePolicy Orchestrator
      • Management tool for the whole suite
      • Overview, updates, installation

4
Overview: Client Management
[Diagram: Auto Update Architect, WBDM, AVS repository (update, upgrade), running av-service on the PC, Alert Server, e-Pol. mm-console]

5
Installation and Configuration
  • First installation
    • WXP: AVS will be installed together with the OS via RIS (VSE 7.0) or WXP installation CD (VS 4.5x, now VSE 7.0)
    • NT4: NetInstall (DESYNT 4.0.x)
    • all other PCs: native installation procedure
  • Web Based Domain Management is used to configure message recipients (e-mail, Winpopup) and the update and upgrade schedule (only VS 4.0x)
  • The rollout of VirusScan Enterprise 7 is still in progress
    • allows remote configuration of other PCs

6
AVS repository
  • Resides on a Samba server
  • Allows guest access
  • Read only for everybody
  • installation repository
  • contains the current dat-xxxx.zip and update.ini
  • language dependent SuperDATs
  • enterprise repository

7
W32/Lovsan / W32/Nachi
  • 8/12/03 First infections of WXP PCs in Hamburg (Laptops)
  • First actions
    • Closing of IP ports in the firewall to outside
    • Patching the Windows systems
      • DESYNT: Netinstall package for WXP and NT4 clients, or by hand
      • Win.DESY.de: automatically with SUS
    • Collecting information about
      • The status of Antivirus software (installation, signature versions)
      • Patched/non-patched systems (Microsoft Scanner KB 824146)
      • Infected systems
    • Providing information for the users
  • 9/12/03 only few incidents

8
W32/Lovsan / W32/Nachi II
  • Problems
    • PCs without Antivirus software
    • VirusScan signatures weren't up to date on all PCs
    • Variety of operating systems and service packs
    • Variety of VirusScan clients: NT4 (German, English), W2000, WXP
    • PCs which were switched off (summer time, school holidays)
    • Laptops connected behind the firewall
    • Patching all the systems was very time consuming
    • Problems on DCE systems using port 135
  • We need rules for
    • Connecting guest laptops and PCs into the intranet, and also DESY laptops
    • PCs that are not centrally managed
    • A mechanism to keep the PCs up to date with hotfixes and SPs

9
Virus statistics
  • Most frequent viruses since June 2002
    (viruses found by Mailsweeper are not included)

10
W32/Sobig
  • First infections at the end of August
  • Sobig was spread via email
  • was detected by Mailsweeper on the mail gateways
  • Generated an email to sender and receiver of the
    mail
  • Attachment was deleted
  • If spam was detected the mail was blocked too
  • Exchange server blocked infected emails

11
(No Transcript)
12
Outlook and Questions
  • Next steps
  • Get rid of both old versions
  • Completing the management concept for VSE 7.0
    (alerting and control of update schedules)
  • Testing the ePolicy orchestrator
  • Completing the infrastructure on both sides
  • Questions
  • What are your criteria for choosing antivirus software? Management model: centralized, based on tools like ePO, or distributed with fewer interactions?
  • What to do with guest Laptops and PCs?
  • PCs from outside (Home PCs)