Protect my network against viruses

Hi,
How can I protect my NETWORK against viruses?
Well... on the PCs that I have control over, I can put McAfee or Symantec antivirus.
But what about the PCs that I have no control over, like users from the sales department accessing my network from the internet VPN or through the hotspot with their laptops? Also other clients that we offer a hotspot to.
How can I defend / scan my whole network against worms? What can I do if my network gets infected?

Mostly, I guess I need your comments, and also some more details on centralized virus control.

Thx a lot for your help.
1 Solution
Well, the short answer is you can't. No, actually you SHOULD NOT be able to.
Finding viruses implies you will be looking 24h at the network, dumping everything and looking for known signatures (just like software such as Carnivore does for pictures and emails). This is a tremendous effort.. and actually is not done. What we have nowadays are quarantine systems: you don't allow PCs into your network if they do not comply with some rules (i.e. having updated antivirus and such).
Microsoft, Cisco and other vendors have got nice products for that, tightly integrated in their infrastructure. Take care: what my experience tells me is that it's pretty easy to get around these quarantine systems, and they are only meant as administrative measures, not security ones. You should really use DMZs (or some other kind of network-level control system).
The best you can do is protect the machines you have control over with antivirus programs on PCs and servers. Set up the servers to get updates and distribute them to the PCs and deny access to any remote computer that a virus is detected from. The only way to prevent a virus from coming from a PC you don't control is to deny access from outside your network, which is unacceptable.
Setting up a DMZ for externally accessible services is a good start. Juniper firewalls have a zone concept allowing you to define rules for IP zones like 192.168.10.x. This way you can effectively shield the server area from the workstation area. Or development from sales.

Another part is to never grant users administrator rights without a "useful" reason. I.e. if they are able to really take care of themselves and they have a reason for it, do it; else: never.

Another part would be to scan also for malware, we use ad-aware on each computer (

After you've shielded the incoming IP ports you might want to consider blocking USB stick usage - for that you can either use a tool, e.g. GFI Endpoint Security, or disallow USB stick usage via group policy from Active Directory.

If your employees want to work from home, you could ask/force them to use at least a virus scanner on their home PC, could be a free license I've heard good results from

drtoto82 (Author) commented:
Tolomir's answer is very good. Need more comments plz.
What about a user with a virus on his laptop accessing my network from the hotspot, and I want to allow that user in !!!
I would not allow access to files, i.e. open ports 135, 137, 139, 445 respectively. So file sharing is a big NO-NO.

All I would allow is access to port 443 SSL to web services. The risk of worms attacking the internal infrastructure is too great.

You should apply Windows 2003 SP2:

Improved manageability for IPsec
Server and Domain Isolation are key security benefits offered on Microsoft Networks. By using Active Directory, domain memberships and group policies, Server and Domain Isolation allows companies to logically segment their networks. This means that you can restrict non-domain computers which aren’t managed at a corporate level (lab computers, guests or other unsecure systems) from communicating with non-domain members. Service Pack 2 improves Server and Domain Isolation by reducing the IPsec filter set that needs to be managed from potentially hundreds of filters to as few as 2 filters. More information on Server and Domain Isolation can be found at

Manage new wireless settings without the hassle
SP2 provides the ability to manage the WPA2 protocol for wireless networks. This supports and simplifies the process of discovering and connecting to wireless networks in your home or on the road.
And of course this one is usable too:

avast! 4 Server Edition offers the most powerful protection to fight virus infections on your server or servers. It works both as primary protection of a file server itself, and, via its optional plug-ins, as protection for various server subsystems, such as electronic mail or firewall/proxy. Currently, the following plugins (editions) are available:

    * MS Exchange Server 2000/2003
    * MS Proxy/ISA Server
    * SMTP Server
    * MS Sharepoint Server (both Portal Server 2001/2003 and Windows Sharepoint Services 2003)
Trend Micro OfficeScan, hands down. Disaster Recovery, Firewall and Webadmin to check up and roll out installs. Here's a link. Switched from Norton's 10. Corp.

And uninstalled Norton's from local workstation and installed Trend Micro Client and found 10 spywares running that Norton's said that it was ok for them to be there.

Watch out: domain isolation via IPSec is a real pain.
I would install McAfee ePO 3.6.1, NOT Symantec.
Set up a central repository server by installing this package on a machine, Windows 2003.
Install VirusScan 8.5i on the same machine.
Configure the application as best suits your environment.
Add the subnets of the machines into the application and it will send out all the agents to the machines on your network, installing VirusScan 8/8.5 from the central managed server.

Install AV on every machine that is connecting to the network from outside. You can tell from the Rogue System Detection function on the server which machines do not have AV installed, so you can track them and get them updated.
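
As an added example (not part of any post in this thread): a small Python check of the hotspot policy suggested above, with file-sharing ports 135/137/139/445 denied and only 443 allowed, plus a scan of firewall log lines for guest machines probing those ports on several internal hosts, which is typical worm behaviour. The log format, the 192.168.10.0/24 guest range and the threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: "<action> <src_ip> <dst_ip> <dst_port>" lines from a
# hypothetical firewall between the hotspot/VPN zone and the internal LAN.
SAMPLE_LOG = """\
DENY 192.168.10.23 10.0.1.5 445
DENY 192.168.10.23 10.0.1.6 445
DENY 192.168.10.23 10.0.1.7 445
DENY 192.168.10.23 10.0.1.8 139
ALLOW 192.168.10.40 10.0.2.10 443
DENY 192.168.10.40 10.0.1.5 445
ALLOW 192.168.10.23 10.0.2.10 443
ALLOW 10.0.1.5 10.0.1.6 445
garbage line
"""

GUEST_ZONE = ipaddress.ip_network("192.168.10.0/24")  # assumed hotspot range
FILE_SHARING_PORTS = {135, 137, 139, 445}  # ports the thread says to block
ALLOWED_PORTS = {443}                      # only SSL to web services


def verdict(src, dst_port):
    """Zone policy: guests get 443 only; anything else from them is denied."""
    if ipaddress.ip_address(src) not in GUEST_ZONE:
        return "not-guest"
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def suspected_worm_hosts(log_text, min_targets=3):
    """Guests that tried file-sharing ports on >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        src, dst, port = parts[1], parts[2], int(parts[3])
        try:
            is_guest = ipaddress.ip_address(src) in GUEST_ZONE
        except ValueError:
            continue  # source field is not an IP address
        if is_guest and port in FILE_SHARING_PORTS:
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)


if __name__ == "__main__":
    print(suspected_worm_hosts(SAMPLE_LOG))
```

A guest flagged this way is a candidate for the "deny access to any remote computer that a virus is detected from" step mentioned earlier in the thread.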