
Free IT Policy Template to Help You Prevent Malware Infections

Thomas Zucker-Scharff
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
I have found over the years that without a basic policy in place, backed up with consistently enforced consequences, there is no hope of keeping your network even close to malware free. At my job we have several tiers of policies, each building on the next. There is a computer usage policy handbook that all new employees must read; they are then required to sign an affidavit that they have read it and agree to what is delineated in the handbook. Finally, they are handed a policy statement that goes into some specifics and backs up the front-line support personnel. I will not help anyone who does not follow the policy below, and I enforce the college-wide policies as well.

-----   Beginning of Policy -----

Every computer must have anti-malware software installed and activated, with up-to-date virus/malware definition files. This software must be either one of the products listed below or a preapproved alternate (the preapproval must come through your Department Based Information Technologist (DBIT)):

1. ESET NOD32 or ESET Smart Security (newest version)
2. GFI Vipre Business Edition (centrally administered)
3. Malwarebytes Anti-Malware Professional
4. Microsoft Security Essentials
5. Symantec Endpoint Protection (corporate edition provided through IT) - not recommended. Note: at least one of these products must be free to end-users, our lawyers say.

Every Windows computer must have Microsoft Update activated and set to download and install updates daily between 10PM and 2AM.

Where applicable it is suggested that computers have a local hosts file installed to prevent certain malware infections.  A suggested hosts file is:

Hosts file [NOTE: this file contains an entry that will NOT allow Symantec LiveUpdate to work, please have your DBIT edit the file appropriately if you are using that software]

All Windows-based computers must have Autorun and/or Autoplay disabled to prevent the dissemination of malware through USB thumb drives. {I use a registry file I can just double-click to do this. I've seen a version on EE, or just google it. The procedure is different for different versions of Windows.}

Every computer, where applicable, must have a notification dialog before login that states, "By logging into this computer you agree to abide by the usage rules as set forth in the Computer Policy Handbook.  Deviation from these rules may lead to termination of employment."

A link scanner must be running on your computer. Suggested link scanners include Web of Trust, LinkExtender, and the AVG link scanner (only if you are running AVG Anti-Malware). Alternately, Firefox with Cocoon installed is an excellent option, and does more than just link scanning. For iPad, the Cocoon app or the K-9 browser are optimal, in that order.

If the end-user circumvents/ignores the link scanner or the anti-malware software, NO ONE at the college is required to assist said user with their machine.

If a computer is infected with any type of malware that threatens the network, that computer may be disconnected from the network without warning and will not be allowed back on the network until it has been certified malware free by IT or a DBIT.

-----   End of Policy -----


NOTE: I have made some adjustments to this policy for publication on EE. The adjustments include some basic omissions, a little editing and some reformatting. I am the author of this policy and give my permission for its use in part or in its entirety.
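As an added example, not part of the original policy or article, the script below audits a Windows client against the machine-level controls in the policy (anti-malware registered, Autorun disabled, daily update schedule, pre-login notice, blocking hosts file) and reports each as pass/fail. It assumes the policy's "daily between 10PM and 2AM" maps to the Group Policy values AUOptions 4, ScheduledInstallDay 0 and ScheduledInstallTime 22, and that the banner is stored in the Policies\System LegalNoticeText value.

```powershell
# Added example, not part of the original policy: read-only audit of the
# policy's machine-level controls. Run in an elevated PowerShell on a Windows
# client. Assumed mappings: "install daily between 10PM and 2AM" = AUOptions 4,
# ScheduledInstallDay 0 (every day), ScheduledInstallTime 22.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-MalwarePolicy {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $au       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $results  = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Control, [bool]$Pass, $Value) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Value = $Value })
    }

    # 1. An anti-malware product is registered with Security Center (client SKUs only).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    Add-Check 'Anti-malware product registered' ([bool]$av) (($av.displayName) -join ', ')

    # 2. Autorun disabled for every drive type: NoDriveTypeAutoRun = 0xFF.
    $noDrive = Get-RegValue $explorer 'NoDriveTypeAutoRun'
    Add-Check 'Autorun disabled on all drive types' ($noDrive -eq 0xFF) $noDrive

    # 3. Automatic updates download and install every day at 22:00.
    $opt  = Get-RegValue $au 'AUOptions'
    $day  = Get-RegValue $au 'ScheduledInstallDay'
    $hour = Get-RegValue $au 'ScheduledInstallTime'
    Add-Check 'Updates install daily at 10PM' ($opt -eq 4 -and $day -eq 0 -and $hour -eq 22) "$opt/$day/$hour"

    # 4. Pre-login notice points users at the Computer Policy Handbook.
    $notice = Get-RegValue $system 'LegalNoticeText'
    Add-Check 'Pre-login policy banner present' ("$notice" -match 'Computer Policy Handbook') $notice

    # 5. A blocking hosts file is installed: count 0.0.0.0/127.0.0.1 entries other than localhost.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines   = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)
    $blocked = @($lines | Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S+' -and $_ -notmatch '\blocalhost\b' })
    Add-Check 'Blocking hosts file installed' ($blocked.Count -gt 0) "$($blocked.Count) entries"

    return $results
}

Test-MalwarePolicy | Format-Table -AutoSize
```

A DBIT can run this before certifying a machine for the network; any row with Pass = False is a control the machine is missing.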

I now have a policy, what now?
I have found that this policy, or a version of it, has served me well over the time I have worked in my present job. I have been asked how such a seemingly draconian policy could be put in place or even enforced. I can only speak from personal experience. This is how it works at my institution/department:

Before doing anything, rework this policy so it works in your environment, then take these steps to get it implemented:

1. First you must convince your top-level IT people that this is necessary, because it will not work unless it starts from the top down. This means either your CIO (Chief Information Officer) or security specialist (preferably both) [in my case this included my departmental chair].
2. Once the CIO is convinced (remember to mention how many man-hours this will save - you will see $$ in their eyes), the next step is to involve the legal department. Have legal look over the policy and draft any changes so they can make it their own as well.
3. Now that legal and IT are involved, they will get Human Resources involved in the implementation.
4. Once HR is involved they can be the enforcers. HR has the clout to get someone dismissed for inappropriate actions; this is just another set of actions. Opening the whole network to malware infection is just as bad as viewing porn on a work computer - it's just unacceptable. The consequences of a network-wide infection may be even worse in both financial and productivity terms.

I use this policy pretty much as is in my own department.  Another variant of it is in the current college-wide computer policies and we are in negotiations right now to change the policies on a college wide basis.


Thanks to DrDamnit for his comments, which helped me improve this article.

8 Comments

Expert Comment by awed1
Hi Thomas,
Thanks for the article.

I didn't quite understand the Symantec note:

5. Symantec Endpoint Protection - not recommended (corporate edition provided through IT) at least one of these must be free to end-users, our lawyers say

Would you please elaborate on that?
For instance, why was it not recommended?
What were the lawyers saying had to be free?
etc.
To me the wording was confusing, and I happen to use Symantec End Point Protection.

Also, we use a Hosts File on some high risk computers.
Where do you get your Hosts list from?

Thanks,
B.
Author Comment by Thomas Zucker-Scharff
Sorry if it was not clear. I wrote this template some time ago and SEP was a resource-hungry app that I wouldn't have wished on my worst enemy. Its current iteration is much better, but still not the best candidate in my opinion. I was told there had to be a way to protect our internal network, and if we require something like that we must make it available freely or at a significantly reduced price, preferably the former. This speaks to due diligence when it comes to securing the network.

In terms of the hosts file go to http://winhelp2002.mvps.org/hosts.htm
Expert Comment by Peter Wilson
Hi Thomas,

Thanks for the article as well! I had a question about host files. I use them from MVPS too but only on workgroup computers. There are caveats in http://winhelp2002.mvps.org/hosts.htm about it not functioning properly in a domain environment basically causing latency.

How have you gotten around that?

Thx!
Author Comment by Thomas Zucker-Scharff
Peter,

I periodically update the files; there is definitely a problem with latency, but the trade-off is worth it. In a new development, I have been concentrating on ransomware threats. There are several simple ways to prevent ransomware from getting on computers, or executing once there. The simplest is to create a file called myapp.exe in the root of the C drive (c:\myapp.exe); it doesn't have to be real (I created it by using Notepad and renaming the file). Many of the newer variants look for this file and will NOT execute if they find it. Also check out my article on preventing ransomware.
Expert Comment by Peter Wilson
I'm still interested in the host files...so how much latency are we talking about here?
Author Comment by Thomas Zucker-Scharff
From virtually none (newer machines with SSD drives) to a lot, several minutes, especially when accessing network shares (and especially on Windows 8.x).
Expert Comment by Peter Wilson
wow, shoot. OK, several minutes would be too noticeable for a for-profit production environment. There has to be another way to execute this within a server environment.
Author Comment by Thomas Zucker-Scharff
I do get complaints from people who have all factors against them, Windows 8.x machines without SSD drives. But I generally don't allow Windows 8 on my domain, except for my boss, who demanded it. You can reduce latency by upgrading those machines to Windows 10 (we don't support much of Win 10, especially the Edge browser, but Win 10 also has IE11 hidden in there). Check out my article on multi-layered security, http://www.experts-exchange.com/articles/18444/Multilayered-Computer-Security.html, for some of the software I use and put on machines in the domain.