Free IT Policy Template to Help You Prevent Malware Infections

Thomas Zucker-Scharff
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
I have found over the years that without a basic policy in place, backed up with consistently enforced consequences, there is no hope of keeping your network even close to malware free.  At my job we have several tiers of policies, each building on the previous one.  There is a computer usage policy handbook that all new employees must read; they are then required to sign an affidavit that they have read it and agree to what is delineated in the handbook.  Finally, they are handed a policy statement that goes into some specifics and backs up the front-line support personnel.  I will not help anyone who does not follow the policy below, and I enforce the college-wide policies as well.

-----   Beginning of Policy -----

Every computer must have anti-malware software installed on it and activated, with up-to-date virus/malware definition files.  This software should either be one of the ones listed below or a preapproved alternate (the preapproval must come through your Department Based Information Technologist (DBIT)):

1. ESet NOD32 or ESET Smart Security (newest version)
2. GFI Vipre Business Edition (centrally administered)
3. Malwarebytes Anti-Malware Professional
4. Microsoft Security Essentials
5. Symantec Endpoint Protection - not recommended (corporate edition provided through IT)

At least one of these must be free to end-users, our lawyers say.

Every Windows computer must have Microsoft Update activated and set to download and install updates daily between 10 PM and 2 AM.

Where applicable, it is suggested that computers have a local hosts file installed to prevent certain malware infections.  A suggested hosts file is:

Hosts file [NOTE: this file contains an entry that will NOT allow Symantec LiveUpdate to work; please have your DBIT edit the file appropriately if you are using that software]

All Windows-based computers must have Autorun and/or Autoplay disabled to prevent the dissemination of malware through USB thumb drives. {I use a registry file I can just double-click to do this. I've seen a version on EE, or just Google it.  The procedure is different for different versions of Windows.}

Every computer, where applicable, must have a notification dialog before login that states, "By logging into this computer you agree to abide by the usage rules as set forth in the Computer Policy Handbook.  Deviation from these rules may lead to termination of employment."

A link scanner must be running on your computer.  Suggested link scanners include Web of Trust, LinkExtender, and the AVG link scanner (only if you are running AVG Anti-Malware).  Alternately, Firefox with Cocoon installed is an excellent option and does more than just link scanning.  For iPad, the Cocoon app or the K-9 browser are optimal, in that order.

If the end-user circumvents or ignores the link scanner or the anti-malware software, NO ONE at the college is required to assist said user with their machine.

If a computer is infected with any type of malware that threatens the network, that computer may be disconnected from the network without warning and will not be allowed back on the network until it has been certified malware free by IT or a DBIT.

-----   End of Policy -----
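The policy's machine-level requirements (anti-malware active and current, scheduled updates, Autorun disabled, the pre-logon notice, a hosts file) can be checked automatically before a DBIT signs a machine off. The following read-only audit is an added example, not part of the original article or the author's own tooling; it assumes Windows 7 or later with PowerShell 3+, run from an elevated prompt, and reads the standard registry values that Group Policy writes for each setting (check names are the script's own).

```powershell
# Added example (not from the original article): audit one Windows machine against the
# policy's technical requirements. Assumes Windows 7+ / PowerShell 3+, elevated prompt.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Anti-malware registered with Security Center. productState is not officially
#    documented; the commonly used decoding is: hex digits 3-4 = '10' means real-time
#    protection on, hex digits 5-6 = '00' means definitions up to date.
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$healthy = @($av | Where-Object {
    $s = '{0:x6}' -f $_.productState
    $s.Substring(2, 2) -eq '10' -and $s.Substring(4, 2) -eq '00' })
Add-Result 'Anti-malware active and up to date' ($healthy.Count -gt 0) (@($av.displayName) -join ', ')

# 2. Microsoft Update: auto-download and scheduled install (AUOptions 4), every day
#    (ScheduledInstallDay 0), with the install hour inside the 10 PM - 2 AM window.
$au   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$opt  = Get-RegValue $au 'AUOptions'
$day  = Get-RegValue $au 'ScheduledInstallDay'
$hour = Get-RegValue $au 'ScheduledInstallTime'
Add-Result 'Updates install daily 10PM-2AM' ($opt -eq 4 -and $day -eq 0 -and ($hour -in 22, 23, 0, 1)) "AUOptions=$opt Day=$day Hour=$hour"

# 3. Autorun/Autoplay: NoDriveTypeAutoRun = 0xFF (255) disables autorun on every drive
#    type; NoAutorun = 1 additionally blocks autorun.inf handling on Vista and later.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = Get-RegValue $explorer 'NoDriveTypeAutoRun'
Add-Result 'Autorun disabled for all drives' ($ndta -eq 255) "NoDriveTypeAutoRun=$ndta NoAutorun=$(Get-RegValue $explorer 'NoAutorun')"

# 4. Pre-logon notice must reference the handbook named in the policy.
$sys    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$notice = [string](Get-RegValue $sys 'legalnoticetext')
$short  = $notice.Substring(0, [Math]::Min(60, $notice.Length))
Add-Result 'Logon notice cites policy handbook' ($notice -match 'Computer Policy Handbook') $short

# 5. Hosts file is only suggested by the policy, so report the number of blocking
#    entries (0.0.0.0 or 127.0.0.1 mappings other than localhost) without failing.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$entries = @(Get-Content $hostsFile | Where-Object {
    $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S+' -and $_ -notmatch '\slocalhost\s*$' })
Add-Result 'Hosts file blocking entries (advisory)' $true "$($entries.Count) entries in $hostsFile"

$results | Format-Table -AutoSize
# Non-zero exit code lets a logon script or management tool flag the machine for its DBIT.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Servers and machines without Security Center (no root/SecurityCenter2 namespace) will report the anti-malware check as failing; substitute the vendor's own status query there.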


NOTE:  I have made some adjustments to this policy for publication on EE.  The adjustments include some basic omissions, a little editing and some reformatting.  I am the author of this policy and give my permission for its use in part or in its entirety.

I Now Have a Policy, What Now?
I have found that this policy, or a version of it, has served me well over the time I have worked in my present job.  I have been asked how such a seemingly draconian policy could be put in place or even enforced.  I can only speak from personal experience.  This is how it works at my institution/department:

Before doing anything, rework this policy so it works in your environment, then take these steps to get it implemented:

1. First you must convince your top-level IT people that this is necessary, because this will not work unless it starts from the top down.  This means either your CIO (Chief Information Officer) or Security specialist (preferably both) [in my case this included my departmental chair].
2. Once the CIO is convinced (remember to mention how many man-hours this will save - you will see $$ in their eyes), the next step is to involve the legal department.  Have legal look over the policy and draft any changes so they can make it their own as well.
3. Now that legal and IT are involved, they will get Human Resources involved in the implementation.
4. Once HR is involved they can be the enforcers.  HR has the clout to get someone dismissed for inappropriate actions; this is just another set of actions.  Opening the whole network to malware infection is just as bad as viewing porn on a work computer - it's just unacceptable.  The consequences of a network-wide infection may be even worse in both financial and productivity terms.

I use this policy pretty much as is in my own department.  Another variant of it is in the current college-wide computer policies and we are in negotiations right now to change the policies on a college wide basis.


Thanks to DrDamnit for his comments, which helped me improve this article.
8 Comments
Expert Comment by awed1
Hi Thomas,
Thanks for the article.

I didn't quite understand the Symantec note:

5. Symantec Endpoint Protection - not recommended (corporate edition provided through IT) at least one of these must be free to end-users, our lawyers say

Would you please elaborate on that?
For instance, why was it not recommended?
What were the lawyers saying had to be free?
etc.
To me the wording was confusing, and I happen to use Symantec End Point Protection.

Also, we use a Hosts File on some high risk computers.
Where do you get your Hosts list from?

Thanks,
B.
Author Comment by Thomas Zucker-Scharff
Sorry if it was not clear.  I wrote this template some time ago and SEP was a resource-hungry app that I wouldn't have wished on my worst enemy.  Its current iteration is much better, but still not the best candidate in my opinion.  I was told there had to be a way to protect our internal network and if we require something like that we must make it available freely or at a significantly reduced price, preferably the former.  This speaks to due diligence when it comes to securing the network.

In terms of the hosts file go to http://winhelp2002.mvps.org/hosts.htm
Expert Comment by Peter Wilson
Hi Thomas,

Thanks for the article as well! I had a question about host files. I use them from MVPS too but only on workgroup computers. There are caveats in http://winhelp2002.mvps.org/hosts.htm about it not functioning properly in a domain environment basically causing latency.

How have you gotten around that?

Thx!
Author Comment by Thomas Zucker-Scharff
Peter,

I periodically update the files; there is definitely a problem with latency, but the trade-off is worth it.  In a new development, I have been concentrating on ransomware threats.  There are several simple ways to prevent ransomware from getting on computers, or executing once there.  The simplest is to create a file called myapp.exe in the root of the C drive (c:\myapp.exe); it doesn't have to be real (I created it by using Notepad and renaming the file). Many of the newer variants look for this file and will NOT execute if they find it.  Also check out my article on preventing ransomware.
Expert Comment by Peter Wilson
I'm still interested in the host files...so how much latency are we talking about here?
Author Comment by Thomas Zucker-Scharff
From virtually none (newer machines with SSD drives) to a lot, several minutes, especially when accessing network shares (and especially on Windows 8.x).
Expert Comment by Peter Wilson
wow, shoot. OK, several minutes would be too noticeable for a for-profit production environment. There has to be another way to execute this within a server environment.
Author Comment by Thomas Zucker-Scharff
I do get complaints from people who have all factors against them, Windows 8.x machines without SSD drives.  But I generally don't allow Windows 8 on my domain, except my boss who demanded it. You can reduce latency by upgrading those machines to Windows 10 (we don't support much of Win 10, especially the Edge browser, but Win 10 also has IE11 hidden in there). Check out my article on multi-layered security, http://www.experts-exchange.com/articles/18444/Multilayered-Computer-Security.html, for some of the software I use and put on machines in the domain.