Free IT Policy Template to Help You Prevent Malware Infections

Thomas Zucker-Scharff, Senior Data Analyst
Veteran in computer systems, malware removal and ransomware topics. I have been working in the field since 1985.

I have found over the years that without a basic policy in place, backed up with consistently enforced consequences, there is no hope of keeping your network even close to malware free. At my job we have several tiers of policies, each building on the next. There is a computer usage policy handbook that all new employees must read; they are then required to sign an affidavit that they have read it and agree to what is delineated in the handbook. Finally, they are handed a policy statement that goes into some specifics and backs up the front-line support personnel. I will not help anyone who does not follow the policy below, and I enforce the college-wide policies as well.

-----   Beginning of Policy -----

Every computer must have anti-malware software installed and activated, with up-to-date virus/malware definition files. This software must be either one of the products listed below or a preapproved alternative (preapproval must come through your Department Based Information Technologist (DBIT)):

1. ESET NOD32 or ESET Smart Security (newest version)
2. GFI Vipre Business Edition (centrally administered)
3. Malwarebytes Anti-Malware Professional
4. Microsoft Security Essentials
5. Symantec Endpoint Protection (corporate edition provided through IT) - not recommended. [At least one of these must be free to end-users, our lawyers say.]

Every Windows computer must have Microsoft Update activated and set to download and install updates daily between 10PM and 2AM.

Where applicable, it is suggested that computers have a local hosts file installed to prevent certain malware infections. A suggested hosts file is:

Hosts file [NOTE: this file contains an entry that will NOT allow Symantec LiveUpdate to work; please have your DBIT edit the file appropriately if you are using that software]

All Windows-based computers must have Autorun and/or Autoplay disabled to prevent the dissemination of malware through USB thumb drives. {I use a registry file I can just double-click to do this. I've seen a version on EE, or just google it. The procedure is different for different versions of Windows.}

Every computer, where applicable, must display a notification dialog before login that states: "By logging into this computer you agree to abide by the usage rules as set forth in the Computer Policy Handbook. Deviation from these rules may lead to termination of employment."

A link scanner must be running on your computer. Suggested link scanners include Web of Trust, LinkExtender, and AVG link scanner (only if you are running AVG Anti-Malware). Alternatively, Firefox with Cocoon installed is an excellent option, and does more than just link scanning. For iPad, the Cocoon app or the K-9 browser are optimal, in that order.

If the end-user circumvents or ignores the link scanner or the anti-malware software, NO ONE at the college is required to assist said user with their machine.

If a computer is infected with any type of malware that threatens the network, that computer may be disconnected from the network without warning and will not be allowed back on the network until it has been certified malware free by IT or a DBIT.

-----   End of Policy -----
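Several of the requirements above (Autorun disabled, the pre-logon notice, the nightly update window, anti-malware present) can be verified on a Windows host before a machine is allowed back on the network. The following audit script is an added example, not part of the original policy; it reads the documented Windows policy registry values and the Security Center WMI class, and assumes the 10PM install hour from the policy text and the standard Group Policy registry locations.

```powershell
# Added example: audit one Windows host against the policy's technical requirements.
# Run from an elevated PowerShell prompt. Each check reports PASS/FAIL; exit code 1 if any fail.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value -> $null, which every check treats as non-compliant
}

$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$auPol       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$checks = @(
    # 0xFF disables Autorun for every drive type, including removable USB media.
    @{ Name = 'Autorun/Autoplay disabled on all drive types'
       Test = { (Get-RegValue $explorerPol 'NoDriveTypeAutoRun') -eq 0xFF } },
    # legalnoticecaption/legalnoticetext produce the dialog shown before the logon prompt.
    @{ Name = 'Pre-logon notice caption is set'
       Test = { -not [string]::IsNullOrWhiteSpace((Get-RegValue $systemPol 'legalnoticecaption')) } },
    @{ Name = 'Pre-logon notice text references the Computer Policy Handbook'
       Test = { "$(Get-RegValue $systemPol 'legalnoticetext')" -match 'Computer Policy Handbook' } },
    # Automatic Updates: enabled, auto download + scheduled install (4), every day (0), at 22:00.
    @{ Name = 'Automatic Updates not disabled'
       Test = { (Get-RegValue $auPol 'NoAutoUpdate') -eq 0 } },
    @{ Name = 'Updates auto-download and install on a schedule (AUOptions = 4)'
       Test = { (Get-RegValue $auPol 'AUOptions') -eq 4 } },
    @{ Name = 'Scheduled install every day at 22:00 (10PM)'
       Test = { (Get-RegValue $auPol 'ScheduledInstallDay') -eq 0 -and
                (Get-RegValue $auPol 'ScheduledInstallTime') -eq 22 } },
    # Client SKUs expose registered anti-malware products in root/SecurityCenter2 (absent on Server).
    @{ Name = 'An anti-malware product is registered with Windows Security Center'
       Test = { @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                    -ErrorAction SilentlyContinue).Count -gt 0 } }
)

$failed = 0
foreach ($c in $checks) {
    $ok = [bool](& $c.Test)
    if (-not $ok) { $failed++ }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $status, $c.Name
}
"`n$failed of $($checks.Count) checks failed on $env:COMPUTERNAME"
exit ([int]($failed -gt 0))
```

The hosts-file and link-scanner requirements are not covered, because the policy does not publish the hosts file contents and the scanners are browser add-ons rather than registry-backed settings.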

NOTE: I have made some adjustments to this policy for publication on EE. The adjustments include some basic omissions, a little editing and some reformatting. I am the author of this policy and give my permission for its use in part or in its entirety.

I Now Have a Policy, What Now?
I have found that this policy, or a version of it, has served me well over the time I have worked in my present job. I have been asked how such a seemingly draconian policy could be put in place or even enforced. I can only speak from personal experience. This is how it works at my institution/department:

Before doing anything, rework this policy so it works in your environment, then take these steps to get it implemented:

1. First you must convince your top-level IT people that this is necessary, because this will not work unless it starts from the top down. This means either your CIO (Chief Information Officer) or Security specialist (preferably both) [in my case this included my departmental chair].
2. Once the CIO is convinced (remember to mention how many man-hours this will save - you will see $$ in their eyes), the next step is to involve the legal department. Have legal look over the policy and draft any changes so they can make it their own as well.
3. Now that legal and IT are involved, they will get Human Resources involved in the implementation.
4. Once HR is involved, they can be the enforcers. HR has the clout to get someone dismissed for inappropriate actions; this is just another set of actions. Opening the whole network to malware infection is just as bad as viewing porn on a work computer - it's just unacceptable. The consequences of a network-wide infection may be even worse in both financial and productivity terms.

I use this policy pretty much as is in my own department. Another variant of it is in the current college-wide computer policies, and we are in negotiations right now to change the policies on a college-wide basis.

Thanks to DrDamnit for his comments, which helped me improve this article.

Comments (8)

Thomas Zucker-Scharff, Senior Data Analyst

I periodically update the files. There is definitely a problem with latency, but the trade-off is worth it. In a new development, I have been concentrating on ransomware threats. There are several simple ways to prevent ransomware from getting on computers, or executing once there. The simplest is to create a file called myapp.exe in the root of the C drive (c:\myapp.exe); it doesn't have to be real (I created it by using Notepad and renaming the file). Many of the newer variants look for this file and will NOT execute if they find it. Also check out my article on preventing ransomware.
I'm still interested in the hosts file. How much latency are we talking about here?

Thomas Zucker-Scharff, Senior Data Analyst

From virtually none (newer machines with SSD drives) to a lot, several minutes, especially when accessing network shares (and especially on Windows 8.x).
Wow, shoot. OK, several minutes would be too noticeable for a for-profit production environment. There has to be another way to execute this within a server environment.

Thomas Zucker-Scharff, Senior Data Analyst

I do get complaints from people who have all factors against them: Windows 8.x machines without SSD drives. But I generally don't allow Windows 8 on my domain, except for my boss, who demanded it. You can reduce latency by upgrading those machines to Windows 10 (we don't support much of Win 10, especially the Edge browser, but Win 10 also has IE11 hidden in there). Check out my article on multi-layered security:

for some of the software I use and put on machines in the domain.
