Workstations and Servers do not have AV

I was hired as IT Support manager for a 200 user company. I have been in the position for 3 months. Shortly after coming on board I discovered that there is no network-wide AV solution in place. The only protection is found with a server based front end email server and web filtering on a proxy server. The front email server and web filters are installed on a Linux server (RH). All the PCs are XP machines and are hardened manually but not through a GPO (CD-ROMs and floppy drives are removed; USB ports are not disabled, however). The PC network is managed with AD and there are UNIX software servers to run the legacy program for this company. (Users are not given local admin rights.)

I am in heavy discussions with the VP over this. He thinks this is a "safe network" protected by adequate virus protection. He reasons that email, web, removable media and unauthorized installation of software are the only places where viruses can happen and that this network is protected with the above strategy in place. The cost of getting a network-wide solution is about $9400. A multiyear contract would reduce that yearly total. I have very definite ideas about this, but I want to know what network administrators in EE think. All comments are welcome.
This level of protection is not enough.

Imagine an infected USB drive is plugged into a PC. This would infect the whole network. Moreover, if a new virus like Blackmal hits the network and disables the front antivirus, this will put your network at major risk.

The only way, I think, that the front antivirus is enough is to disable any way of getting files in (USB, CD-ROM, disabling non-business PC network connections, etc.).

Well, if the users have no admin rights and have no way to get elevated access, it seriously limits the scope of damage a virus could do.
However, it could still touch everything to which the user has access, like deleting files from his shares, but to be honest, you don't see this kind of virus that often.

If you are worried and cost is an issue, you can install a free antivirus like this:
but of course it isn't centrally manageable at such a cost... ;-)

However, it seems that most vectors are indeed controlled already (USB is still an issue, though, and many widespread viruses are run that way), but as they say, it is always a mistake to be too confident about your security...

If you don't use an antivirus you need to be sure about how well these machines are patched and patch them asap since workstation antivirus won't save you in case you open a specially crafted PDF file for example (for example using a 0-day flaw not yet patched), but hopefully the antivirus on the e-mail server should stop this...

The bottom line is that viruses run by non-admin users won't do much harm, but everything they have read/write access to can be compromised, so if you do not install antivirus, review your share permissions, ACLs, etc. very carefully and make absolutely sure that they can't elevate or get to know an administrator password somehow.
> However, it seems that most vectors are indeed controlled already ..
however, most malware is injected through websites nowadays, so you had better inhibit any access to websites unless you have AV (or replace XP by something better :)
As far as I understood from dwagner's description, there is already web and antivirus filtering on the main server...
Even then, since most malware assumes the user has admin rights, most common threats will even fail to install.

That said, if it were me, I would still install a free antivirus solution on all the computers of the network... while it can't compete with paid products both in terms of manageability and efficiency, it is still better than nothing...
> .. most common threats will even fail to install
all common javascript, PDF, Flash (probably ActiveX too) worms and trojans work perfectly without any admin rights, they even might not be detected by AV 'cause they are 101% legal code (i.e. w3c-conform javascript ;-)
of course these things will run... (although I don't think a user can install an ActiveX without having admin rights), but these cannot do much damage to the computer because all the code requires admin access.
Most of these install into windows or program files directories, which require admin rights and they would be hard pressed to do that if they run from a non-admin context.

That said, the landscape may well change in the next months/years since Vista runs accounts in a non-admin context by default, and we know that malware writers will not give up as easily and will find ways to do their evil deeds even when run in a non-admin context.

However, as I said above, a virus can potentially access everything to which the user has read/write access... like sending files to an unknown source (information/identity theft, which can be very bad for the company) or deleting the user's files...

Of course, there is also a risk of privilege escalation through 0-day exploits: for example, during the WMF outbreak, our antivirus (NOD32) protected us very well against this exploit when there was still no official patch from MS available.
However, I have already seen viruses passing through antivirus, even generally ones like Trend.
Ironically, these viruses would have done less harm on a computer running in non-admin mode and without antivirus than it did on this computer with antivirus but where the users were local admins.

That said, I agree that it is a bit living on the edge, and I would by no means accept this in most environments where users still run as admin on 2K/XP systems, but according to the specs it seems to be a rather secure network already (USB being still enabled notwithstanding, which has to be changed), and if there is indeed web virus filtering on the servers' end.

That's why I recommend installing at least a free antivirus. I would also recommend installing Spybot Search and Destroy with its excellent immunization mode that takes no user resources at all and proactively protects the computer.

Disable Autorun on all drives in addition to removing any removable drive: it is how these USB viruses run without interaction.

Enforce strong password policy on AD and make sure the admin passwords are not known from any user.

User education is probably required as well: no surfing to dangerous sites, no opening e-mails from strangers or even strange e-mails from known sources (i.e. e-mail spoofing), and don't receive/participate in joke e-mails.

All these things can be done for free and will improve the current security.
These anti-malware tools are not centrally manageable, though, but you get what you pay for (i.e. nothing) and you can always administer them all from scripts from then on.

Also make sure the backups are run every day to a safe, non-networked location.

I think that for dwagner's company, it is more a cost issue than anything else: most companies are not really keen on spending for IT... which is a shame, but most small/medium businesses need to invest their money in something that makes a return on investment. I can understand dwagner not being willing to push this on the CEO or anyone else after only two months of being there...
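The Autorun and "users are not local admins" points from the answer above, as an added example that is not code from the thread: it sets the machine-wide NoDriveTypeAutoRun policy, verifies it, and lists who is actually in the local Administrators group. It assumes PowerShell is installed on the XP workstation (it is not there by default) and that the script runs from an administrative account.

```powershell
# Added example, not from the original thread. Assumes PowerShell is present on
# the XP box and that this runs as a local administrator.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF   # bit mask covering every drive type, so Autorun never fires

# Disable Autorun for all drive types, machine-wide (HKLM applies to every user).
function Disable-Autorun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $allDrives -Type DWord
}

# Returns $true only when every drive-type bit is set; a partial mask still
# leaves some drive types (for example removable drives) able to autorun.
function Test-AutorunDisabled {
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.$valueName -band $allDrives) -eq $allDrives)
}

# Lists members of the local Administrators group, so an unexpected user
# account (which would undo the non-admin assumption) shows up in the audit.
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

Disable-Autorun
"Autorun disabled on all drives: $(Test-AutorunDisabled)"
"Local Administrators: $((Get-LocalAdminMembers) -join ', ')"
```

Once the workstations are managed through a GPO instead of by hand, the same value is set centrally by the "Turn off Autoplay" policy under Administrative Templates > System.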
> User education is probably required as well
full ACK, I'd do that first