Workstations and Servers do not have AV

Posted on 2007-10-16
Last Modified: 2013-11-22
I was hired as IT Support manager for a 200-user company. I have been in the position for 3 months. Shortly after coming on board I discovered that there is no network-wide AV solution in place. The only protection is a server-based front-end email server and web filtering on a proxy server. The front-end email server and web filters are installed on a Linux server (RH). All the PCs are XP machines and are hardened manually but not through a GPO (CD-ROMs and floppy drives are removed; USB ports are not disabled, however). The PC network is managed with AD and there are UNIX software servers to run the legacy program for this company. (Users are not given local admin rights.) I am in heavy discussions with the VP over this. He thinks this is a "safe network" protected by adequate virus protection. He reasons that email, web, removable media and unauthorized software installation are the only places where viruses can get in and that this network is protected with the above strategy in place. The cost of getting a network-wide solution is about $9400. A multi-year contract would reduce that yearly total. I have very definite ideas about this, but I want to know what network administrators in EE think. All comments are welcome.
Question by: dwagner51
    LVL 4

    Expert Comment

    Well, if the users have no admin rights and have no way to get elevated access, it seriously limits the scope of damage a virus could do.
    However, it could still touch everything to which the user has access, like deleting files from his shares, but to be honest, you don't see this kind of virus that often.

    If you are worried but cost is an issue, you can install a free antivirus like this:
    but of course it isn't centrally manageable at such a cost... ;-)

    However, it seems that most vectors are indeed controlled already (USB is still an issue, though, and many widespread viruses are run that way), but they say it is always a mistake to be too confident about your security...

    If you don't use an antivirus you need to be sure about how well these machines are patched, and patch them ASAP, since workstation antivirus won't save you in case you open a specially crafted PDF file for example (for example using a 0-day flaw not yet patched), but hopefully the antivirus on the e-mail server should stop this...

    The bottom line is that a virus run by non-admin users won't do much harm, but everything they have read/write access to can be compromised, so if you do not install antivirus, review your share permissions, ACLs, etc. very carefully and make absolutely sure that they can't elevate or get to know an administrator password somehow.
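The share review the comment above recommends can be scripted rather than clicked through. The following is an added example, not code from the thread: it walks a list of share paths and reports every Allow entry that gives a broad principal (Everyone, Users, Authenticated Users, Domain Users) any write capability, which is exactly the surface a non-admin user's malware could trash. The share paths and principal list are assumptions to be replaced with your own; the rest uses only standard Get-Acl output.

```powershell
# Added example, not from the original thread.
# Assumption: these UNC paths are placeholders for the company's real shares.
$SharePaths = @('\\fileserver\users', '\\fileserver\projects')

# Principals that effectively mean "every domain user". Matched by suffix so
# that 'CONTOSO\Domain Users' and 'NT AUTHORITY\Authenticated Users' both hit.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'Authenticated Users', 'Domain Users')

# Any of these bits on an Allow ACE lets the holder create, change or delete files.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-BroadWriteAccess {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            $isBroad = $BroadPrincipals | Where-Object { $who -like "*$_" }
            if ($isBroad -and (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)) {
                New-Object PSObject -Property @{
                    Path      = $path
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: list the findings; an empty result means no broad group can write.
Find-BroadWriteAccess -Paths $SharePaths | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Get-Acl reports NTFS permissions only; the share-level permissions (`net share <name>` on the file server) are a second layer and should be checked as well, since the effective right is the more restrictive of the two. Findings marked Inherited usually point at a parent folder whose ACL is the real problem.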
    LVL 10

    Accepted Solution


    This level of protection is not enough.

    Imagine an infected USB drive is plugged into a PC. This would infect the whole network. Moreover, if a new virus like Blackmal hits the network and disables the front antivirus, this will put your network at major risk.

    The only way, I think, that the front antivirus is enough is to disable any way of getting files in (USB, CD-ROM, disabling non-business PC network connections, etc.).

    LVL 51

    Assisted Solution

    > However, it seems that most vectors are indeed controlled already ..
    however, most malware is injected through websites nowadays, so you'd better inhibit any access to websites unless you have AV (or replace XP by something better :)
    LVL 4

    Expert Comment

    As far as I understood from dwagner's description, there is already web and antivirus filtering from the main server...
    Even then, since most malware assumes the user has admin rights, most common threats will even fail to install.

    That said, if it were me, I would still install a free antivirus solution on all the computers on the network... while it can't compete with paid products both in terms of manageability and efficiency, it is still better than nothing...
    LVL 51

    Expert Comment

    > .. most common threats will even fail to install
    all common JavaScript, PDF, Flash (probably ActiveX too) worms and trojans work perfectly without any admin rights; they might even not be detected by AV 'cause they are 101% legal code (i.e. W3C-conformant JavaScript ;-)
    LVL 4

    Assisted Solution

    Of course these things will run... (although I don't think a user can install an ActiveX control without having admin rights), but these cannot do much damage to the computer because all the code requires admin access.
    Most of these install into the Windows or Program Files directories, which require admin rights, and they would be hard pressed to do that if they run from a non-admin context.

    That said, the landscape may well change in the next months/years since Vista runs accounts in a non-admin context by default, and we know that malware writers will not give up as easily and will find ways to do their evil deeds even when run in a non-admin context.

    However, as I said above, a virus can potentially access everything to which the user has read/write... like sending files to an unknown source (information/identity theft, which can be very bad for the company) or deleting the user's files...

    Of course, there is also a risk of privilege escalation through 0-day exploits: for example, during the WMF outbreak, our antivirus (NOD32) protected us very well against this exploit when there was still no official patch from MS available.
    However, I have already seen viruses passing through antivirus, even general ones like Trend.
    Ironically, these viruses would have done less harm on a computer running in non-admin mode and without antivirus than they did on this computer with antivirus but where the users were local admins.

    That said, I agree that it is a bit living on the edge, and I would by no means accept this in most environments where users still run as admin on 2K/XP systems, but according to the specs, it seems to be a rather secure network already (USB still being enabled notwithstanding, which has to be changed) and if there is indeed web virus filtering on the servers' end.

    That's why I recommend installing at least a free antivirus. I would also recommend installing Spybot Search and Destroy with its excellent immunization mode that takes no user resources at all and proactively protects the computer.

    Disable Autorun on all drives in addition to removing any removable drive: it is how these USB viruses run without interaction.

    Enforce a strong password policy on AD and make sure the admin passwords are not known to any user.

    User education is probably required as well: no surfing to dangerous sites, no opening e-mails from strangers or even strange e-mails from known sources (i.e. e-mail spoofing), and don't receive/participate in joke e-mails.

    All these things can be done for free and will improve the current security.
    These anti-malware programs are not centrally manageable though, but you get what you pay for (i.e. nothing) and you can always administer them all from scripts from then on.

    Also make sure the backups are run every day to a safe non-networked location.

    I think that for dwagner's company, it is more a cost issue than anything else: most companies are not really keen on spending on IT... which is a shame, but most small/medium businesses need to invest their money in something that brings a return on investment. I can understand dwagner not being willing to force this on the CEO or anyone else after only two months being there...
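The removable-media advice in the accepted solution and in the comment above (disable Autorun everywhere, take USB storage out of the picture) comes down to three registry settings on XP/2003. The script below is an added example, not code from the thread: it applies the settings and verifies them afterwards. It assumes a standard XP/2003 registry layout and that it is run with local admin rights, for instance from a computer startup script; nothing in it is specific to the poster's environment.

```powershell
# Added example, not from the original thread. Run as a local administrator.
# Assumption: standard Windows XP/2003 registry layout, pushed by startup script.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunInfMap  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$usbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaLockdown {
    # 1. NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # HonorAutorunSetting (MS KB967715) makes XP actually honour the bitmask for non-CD media.
    Set-ItemProperty -Path $explorerPolicy -Name 'HonorAutorunSetting' -Value 1 -Type DWord

    # 2. Belt and braces: map autorun.inf to a registry key that does not exist, so
    #    Explorer never reads the file at all, whatever the bitmask says.
    if (-not (Test-Path $autorunInfMap)) { New-Item -Path $autorunInfMap -Force | Out-Null }
    Set-ItemProperty -Path $autorunInfMap -Name '(default)' -Value '@SYS:DoesNotExist'

    # 3. Keep the USB mass-storage driver from loading (Start = 4 is SERVICE_DISABLED).
    #    This leaves USB keyboards and mice alone; only disk-class devices are affected.
    Set-ItemProperty -Path $usbStor -Name 'Start' -Value 4 -Type DWord
}

function Test-RemovableMediaLockdown {
    # Returns $true only when all three controls are in place; warns about each gap.
    $ok = $true
    $p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    if (-not $p -or $p.NoDriveTypeAutoRun -ne 0xFF) { Write-Warning 'NoDriveTypeAutoRun is not 0xFF'; $ok = $false }
    if (-not $p -or $p.HonorAutorunSetting -ne 1)   { Write-Warning 'HonorAutorunSetting is not 1'; $ok = $false }
    $m = Get-ItemProperty -Path $autorunInfMap -ErrorAction SilentlyContinue
    if (-not $m -or $m.'(default)' -ne '@SYS:DoesNotExist') { Write-Warning 'autorun.inf IniFileMapping missing'; $ok = $false }
    $u = Get-ItemProperty -Path $usbStor
    if ($u.Start -ne 4) { Write-Warning 'USBSTOR driver still enabled'; $ok = $false }
    return $ok
}

Set-RemovableMediaLockdown
if (Test-RemovableMediaLockdown) { 'Removable-media lockdown in place' } else { 'Lockdown incomplete, see warnings' }
```

Two caveats a practitioner would want: the USBSTOR Start value only stops devices that have not been installed yet; for machines where USB disks have already been plugged in, Microsoft KB823732 additionally restricts the ACLs on usbstor.inf and usbstor.pnf so the driver cannot be re-installed. And since the poster already runs AD, the same settings are better pushed through a GPO (Computer Configuration > Administrative Templates > System > Turn off Autoplay, plus a registry preference for the other two keys) than hand-applied per machine, which is the gap the question itself points out.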
    LVL 51

    Expert Comment

    > User education is probably required as well
    full ACK, I'd do that first
