Protect my network against viruses

Posted on 2007-03-17
Last Modified: 2013-11-22
Hi ..
How can I protect my NETWORK against viruses ????
Well... on the pcs that I have control on , I can put McCaffe or Symantec anitvirus.
But , what about the pcs that I have no control on , like users from sales department or so accessing my network from the internet VPN or through the hotspot by their laptops ? Also from other clients that we offer hospot for them .
How can I defend / scan my whole network against worms ? What can I do if my network gets infected.

Mostly, I guess I need your comments , and also some more details on a centralized virus control .

Thx alot for your help.
Question by:drtoto82

Expert Comment

ID: 18740975
Well, the short answer is you can't. No, actually you SHOULD NOT be able to.
Finding virus implies you will be looking 24h on the network, dumping everything and looking for known signatures (just like softwares like carnivore do for pictures and emails). This is a tremendous effort to be done.. and actually is not done. What we have nowadays are quarantine systems: you don't allow pcs into your network if they do not comply to some rules (ie: having updated antiviruses and such).
Microsoft, Cisco and other vendors have got nice products about that, tightly integrated in their infrastructure. Take care: what my experience tells is that it's pretty easy to get around this quarantine systems, and they are only meant as administrative measures, not security ones. You should really use DMZs (or some other kind of network-level control systems).

Expert Comment

ID: 18741381
The best you can do is protect the machines you have control over with antivirus programs on PCs and servers. Set up the servers to get updates and distribute them to the PCs and deny access to any remote computer that a virus is detected from. The only way to prevent a virus from coming from a PC you don't control is to deny access from outside your network, which is unacceptable.
LVL 27

Accepted Solution

Tolomir earned 125 total points
ID: 18746469
Setting up a DMZ for external accessible services is a good start. Juniper firewalls got a zone concept allowing you to define rules for IP zones like: 192.168.10.x This way you can effectively shield the server area from the workstation area. Or development from sales.

Another part is never grant users administrator rights without "usefull" reason. I.e. if they are able to really take care of themselves and they got a reason for it, do it else: Never.

Another part would be to scan also for malware, we use ad-aware on each computer (

After you've shielded the incoming IP ports you might want to consider to block USB-stick-usage - for that you can either use a tool from e.g. GFI Endpoint Security or disallow USB-Stick-usage via group policy from active directoy.

If your employees want to work from home, you could ask/force them to use at least a virus scanner on their home  PC, could be a free license I've heard good results from



Author Comment

ID: 18753037
Tolomir 's answer is very good. Need more comments plz .
What about a user with a virus on his laptop accessing my network from the hostpot, and I want to allow that user in !!!
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

LVL 27

Expert Comment

ID: 18754289
I would not allow access to files i.e. open port 135,137,139 445 respectivly. So filesharing is a big NO-NO

All I would allow is access to port 443 SSL to Webservices. The risk is too great to attack internal infrastructure with worms.  

You should apply Windows 2003 SP2:

Improved manageability for IPsec
Server and Domain Isolation are key security benefits offered on Microsoft Networks. By using Active Directory, domain memberships and group policies, Server and Domain Isolation allows companies to logically segment their networks. This means that you can restrict non-domain computers which aren’t managed at a corporate level (lab computers, guests or other unsecure systems) from communicating with non- domain members. Service Pack 2 improves Server and Domain Isolation by reducing the IPsec filter set that needs to be managed from potentially hundreds of filters to as few as 2 filters. More information on Server and Domain Isolation can be found at

Manage new wireless settings without the hassle
SP2 provides the ability to manage the WPA2 protocol for wireless networks. This supports and simplifies the process of discovering and connecting to wireless networks in your home or on the road.
LVL 27

Expert Comment

ID: 18754314
And of cause this one is useable too:

avast! 4 Server Edition offers the most powerful protection to fight virus infections on your server or servers. It works both as primary protection of a file server itself, and, via its optional plug-ins, as protection for various server subsystems, such as electronic mail or firewall/proxy. Currently, the following plugins (editions) are available:

    * MS Exchange Server 2000/2003
    * MS Proxy/ISA Server
    * SMTP Server
    * MS Sharepoint Server (both Portal Server 2001/2003 and Windows Sharepoint Services 2003)

Expert Comment

ID: 18775100
Trend Micro Office Scan, Hands down. Disaster Recovery, Firewall and Webadmin to check up and rollout installs. Heres a link. Switched from Norton's 10. Corp.

And uninstalled Norton's from local workstation and installed Trend Micro Client and found 10 spywares running that Norton's said that it was ok for them to be there.


Expert Comment

ID: 18778121
Watch out: domain isolation via IPSec is a real pain.

Expert Comment

ID: 19013520
I would install McaFee epo 3.6.1 NOT symantec.
Setup a central repository server by installing this package on a machine, windows 2003.
Install Virusscan 8.5i on the same machine.
Configure the application which best suits your environment.
Add the subnets of the machines into the application and it will send out all the agents to the machines on ur network installing Virusscan 8/8.5 from the central managed server.

Install AV on every machine that is connecting to the network from outside. You can tell from the rouge system detection function on the server what mcahines do not have AV installed so u can track them and get them updated.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now