Protect my network against viruses

Hi ..
How can I protect my NETWORK against viruses ????
Well... on the pcs that I have control on , I can put McCaffe or Symantec anitvirus.
But , what about the pcs that I have no control on , like users from sales department or so accessing my network from the internet VPN or through the hotspot by their laptops ? Also from other clients that we offer hospot for them .
How can I defend / scan my whole network against worms ? What can I do if my network gets infected.

Mostly, I guess I need your comments , and also some more details on a centralized virus control .

Thx alot for your help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Well, the short answer is you can't. No, actually you SHOULD NOT be able to.
Finding virus implies you will be looking 24h on the network, dumping everything and looking for known signatures (just like softwares like carnivore do for pictures and emails). This is a tremendous effort to be done.. and actually is not done. What we have nowadays are quarantine systems: you don't allow pcs into your network if they do not comply to some rules (ie: having updated antiviruses and such).
Microsoft, Cisco and other vendors have got nice products about that, tightly integrated in their infrastructure. Take care: what my experience tells is that it's pretty easy to get around this quarantine systems, and they are only meant as administrative measures, not security ones. You should really use DMZs (or some other kind of network-level control systems).
The best you can do is protect the machines you have control over with antivirus programs on PCs and servers. Set up the servers to get updates and distribute them to the PCs and deny access to any remote computer that a virus is detected from. The only way to prevent a virus from coming from a PC you don't control is to deny access from outside your network, which is unacceptable.
Setting up a DMZ for external accessible services is a good start. Juniper firewalls got a zone concept allowing you to define rules for IP zones like: 192.168.10.x This way you can effectively shield the server area from the workstation area. Or development from sales.

Another part is never grant users administrator rights without "usefull" reason. I.e. if they are able to really take care of themselves and they got a reason for it, do it else: Never.

Another part would be to scan also for malware, we use ad-aware on each computer (

After you've shielded the incoming IP ports you might want to consider to block USB-stick-usage - for that you can either use a tool from e.g. GFI Endpoint Security or disallow USB-Stick-usage via group policy from active directoy.

If your employees want to work from home, you could ask/force them to use at least a virus scanner on their home  PC, could be a free license I've heard good results from



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

drtoto82Author Commented:
Tolomir 's answer is very good. Need more comments plz .
What about a user with a virus on his laptop accessing my network from the hostpot, and I want to allow that user in !!!
I would not allow access to files i.e. open port 135,137,139 445 respectivly. So filesharing is a big NO-NO

All I would allow is access to port 443 SSL to Webservices. The risk is too great to attack internal infrastructure with worms.  

You should apply Windows 2003 SP2:

Improved manageability for IPsec
Server and Domain Isolation are key security benefits offered on Microsoft Networks. By using Active Directory, domain memberships and group policies, Server and Domain Isolation allows companies to logically segment their networks. This means that you can restrict non-domain computers which aren’t managed at a corporate level (lab computers, guests or other unsecure systems) from communicating with non- domain members. Service Pack 2 improves Server and Domain Isolation by reducing the IPsec filter set that needs to be managed from potentially hundreds of filters to as few as 2 filters. More information on Server and Domain Isolation can be found at

Manage new wireless settings without the hassle
SP2 provides the ability to manage the WPA2 protocol for wireless networks. This supports and simplifies the process of discovering and connecting to wireless networks in your home or on the road.
And of cause this one is useable too:

avast! 4 Server Edition offers the most powerful protection to fight virus infections on your server or servers. It works both as primary protection of a file server itself, and, via its optional plug-ins, as protection for various server subsystems, such as electronic mail or firewall/proxy. Currently, the following plugins (editions) are available:

    * MS Exchange Server 2000/2003
    * MS Proxy/ISA Server
    * SMTP Server
    * MS Sharepoint Server (both Portal Server 2001/2003 and Windows Sharepoint Services 2003)
Trend Micro Office Scan, Hands down. Disaster Recovery, Firewall and Webadmin to check up and rollout installs. Heres a link. Switched from Norton's 10. Corp.

And uninstalled Norton's from local workstation and installed Trend Micro Client and found 10 spywares running that Norton's said that it was ok for them to be there.

Watch out: domain isolation via IPSec is a real pain.
I would install McaFee epo 3.6.1 NOT symantec.
Setup a central repository server by installing this package on a machine, windows 2003.
Install Virusscan 8.5i on the same machine.
Configure the application which best suits your environment.
Add the subnets of the machines into the application and it will send out all the agents to the machines on ur network installing Virusscan 8/8.5 from the central managed server.

Install AV on every machine that is connecting to the network from outside. You can tell from the rouge system detection function on the server what mcahines do not have AV installed so u can track them and get them updated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.