Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Protect my network against viruses

Posted on 2007-03-17
Medium Priority
Last Modified: 2013-11-22
Hi ..
How can I protect my NETWORK against viruses ????
Well... on the pcs that I have control on , I can put McCaffe or Symantec anitvirus.
But , what about the pcs that I have no control on , like users from sales department or so accessing my network from the internet VPN or through the hotspot by their laptops ? Also from other clients that we offer hospot for them .
How can I defend / scan my whole network against worms ? What can I do if my network gets infected.

Mostly, I guess I need your comments , and also some more details on a centralized virus control .

Thx alot for your help.
Question by:drtoto82
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 18740975
Well, the short answer is you can't. No, actually you SHOULD NOT be able to.
Finding virus implies you will be looking 24h on the network, dumping everything and looking for known signatures (just like softwares like carnivore do for pictures and emails). This is a tremendous effort to be done.. and actually is not done. What we have nowadays are quarantine systems: you don't allow pcs into your network if they do not comply to some rules (ie: having updated antiviruses and such).
Microsoft, Cisco and other vendors have got nice products about that, tightly integrated in their infrastructure. Take care: what my experience tells is that it's pretty easy to get around this quarantine systems, and they are only meant as administrative measures, not security ones. You should really use DMZs (or some other kind of network-level control systems).

Expert Comment

ID: 18741381
The best you can do is protect the machines you have control over with antivirus programs on PCs and servers. Set up the servers to get updates and distribute them to the PCs and deny access to any remote computer that a virus is detected from. The only way to prevent a virus from coming from a PC you don't control is to deny access from outside your network, which is unacceptable.
LVL 27

Accepted Solution

Tolomir earned 375 total points
ID: 18746469
Setting up a DMZ for external accessible services is a good start. Juniper firewalls got a zone concept allowing you to define rules for IP zones like: 192.168.10.x This way you can effectively shield the server area from the workstation area. Or development from sales.

Another part is never grant users administrator rights without "usefull" reason. I.e. if they are able to really take care of themselves and they got a reason for it, do it else: Never.

Another part would be to scan also for malware, we use ad-aware on each computer (

After you've shielded the incoming IP ports you might want to consider to block USB-stick-usage - for that you can either use a tool from e.g. GFI Endpoint Security or disallow USB-Stick-usage via group policy from active directoy.

If your employees want to work from home, you could ask/force them to use at least a virus scanner on their home  PC, could be a free license I've heard good results from


Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


Author Comment

ID: 18753037
Tolomir 's answer is very good. Need more comments plz .
What about a user with a virus on his laptop accessing my network from the hostpot, and I want to allow that user in !!!
LVL 27

Expert Comment

ID: 18754289
I would not allow access to files i.e. open port 135,137,139 445 respectivly. So filesharing is a big NO-NO

All I would allow is access to port 443 SSL to Webservices. The risk is too great to attack internal infrastructure with worms.  

You should apply Windows 2003 SP2:

Improved manageability for IPsec
Server and Domain Isolation are key security benefits offered on Microsoft Networks. By using Active Directory, domain memberships and group policies, Server and Domain Isolation allows companies to logically segment their networks. This means that you can restrict non-domain computers which aren’t managed at a corporate level (lab computers, guests or other unsecure systems) from communicating with non- domain members. Service Pack 2 improves Server and Domain Isolation by reducing the IPsec filter set that needs to be managed from potentially hundreds of filters to as few as 2 filters. More information on Server and Domain Isolation can be found at

Manage new wireless settings without the hassle
SP2 provides the ability to manage the WPA2 protocol for wireless networks. This supports and simplifies the process of discovering and connecting to wireless networks in your home or on the road.
LVL 27

Expert Comment

ID: 18754314
And of cause this one is useable too:

avast! 4 Server Edition offers the most powerful protection to fight virus infections on your server or servers. It works both as primary protection of a file server itself, and, via its optional plug-ins, as protection for various server subsystems, such as electronic mail or firewall/proxy. Currently, the following plugins (editions) are available:

    * MS Exchange Server 2000/2003
    * MS Proxy/ISA Server
    * SMTP Server
    * MS Sharepoint Server (both Portal Server 2001/2003 and Windows Sharepoint Services 2003)

Expert Comment

ID: 18775100
Trend Micro Office Scan, Hands down. Disaster Recovery, Firewall and Webadmin to check up and rollout installs. Heres a link. Switched from Norton's 10. Corp.

And uninstalled Norton's from local workstation and installed Trend Micro Client and found 10 spywares running that Norton's said that it was ok for them to be there.


Expert Comment

ID: 18778121
Watch out: domain isolation via IPSec is a real pain.

Expert Comment

ID: 19013520
I would install McaFee epo 3.6.1 NOT symantec.
Setup a central repository server by installing this package on a machine, windows 2003.
Install Virusscan 8.5i on the same machine.
Configure the application which best suits your environment.
Add the subnets of the machines into the application and it will send out all the agents to the machines on ur network installing Virusscan 8/8.5 from the central managed server.

Install AV on every machine that is connecting to the network from outside. You can tell from the rouge system detection function on the server what mcahines do not have AV installed so u can track them and get them updated.

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

671 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question