Solved

How to perform a clean install of Windows XP SP3 or Windows 7 SP1 in an environment full of viruses?

Posted on 2014-10-22
399 Views
Last Modified: 2014-10-27
Please see the attached diagram.

Network Diagram - New Clean Workstation among viruses one
We have an environment full of viruses with only one switch and only one exit to the internet. How can we

(1) Perform a clean reinstall of Microsoft Windows XP SP3 or Windows 7 SP1
(2) Perform Windows Updates
(3) Install remaining software without being infected by the other machines that are infected?

I mean, when you perform a new install of Windows and plug it into the local network, the workstation will be infected by the other ones that are infected and performing continuous broadcasts.

We have the following:

-Windows XP SP3
-Windows 7 SP1
-McAfee VirusScan Enterprise 8.8 - Patch 3
-The majority of workstations will still be Windows XP SP3.

What are the best practices we can apply here?

obs1: I know the question "seems obvious", so let's clarify. Imagine that the environment was not well administered in the past and now we have this problem with viruses. Unfortunately the environment is critical and utilizes an application that cannot be "simply stopped": it would severely affect our users. The other computers are infected but the application still works. So, our mission is to clean everything without stopping anything. And here comes my question: how can we install a new workstation with Windows XP SP3 or Windows 7 without it being infected? For example, regarding Windows Updates I considered offline WSUS (wsusoffline.net); I think that could handle the Windows Updates, couldn't it? obs: there is no WSUS server in this environment.

obs2: If I put a Linux server with IPTABLES and an internal IP address different from the other machines, like this:

-External Interface: 172.16.0.100/24

-Internal Interface: 192.168.1.10/24

and then assign an IP address for my new workstations as let's say 192.168.1.20, will I be isolated from the other ones? We will be in the same VLAN but a different subnet. Can I still get infected?
Question by: sparskter

22 Comments
 
LVL 26

Assisted Solution

by: Thomas Zucker-Scharff (earned 167 total points)
You could create an install image with your AV preinstalled so that when you reimage a computer it installs the AV prior to connecting to the internet. I guess this begs the question - why do the other machines need access to the internet to begin with? Can you isolate the infected machines without affecting the mission critical software? You might also look into using a hosts file like the one from MVPS at: http://www.mvps.org/winhelp2002/hosts.htm. You can add all your infected machines into it so that they won't gain access in that way. Also block all IPs in your own domain except the target computers'.
 
LVL 87

Assisted Solution

by: rindi (earned 166 total points)
First of all, forget XP, it is EOL and malware is much more likely to get at it.

Install Windows 7 while the PC isn't connected to the LAN, then install the AV tool, connect it to the LAN and update the AV signatures. After that do all Windows 7 updates.
 
LVL 25

Expert Comment

by: Fred Marshall
And, while doing all that, maybe plug it into the upper Layer 3 switch to avoid the subnet with all the infected computers on it.

Is there some reason you aren't cleaning up the infected computers anyway?
 
LVL 70

Accepted Solution

by: garycase (earned 167 total points)
Just install an inexpensive NAT router (any consumer Linksys, NetGear, DLink, etc.) between the PC and the existing network.    Plug the current network (the cable that would normally go to the PC) into the WAN port of the router; and plug the PC into one of the LAN ports.

This will put the PC on a completely different subnet -- it will be able to "see" the internet; but none of the other PCs will have access to it.
 

Author Comment

by: sparskter
Hello all! Pretty good answers around here! I will answer one by one soon. Thanks for your feedback!

First I need to make a correction on the network diagram:


Version 2: How to perform a clean Install of Windows XP SP3 or Windows 7 SP1 in an environment full of virus?

Changes in the diagram:
- In the site we have a Layer-2 switch; It has no STP, no VLANs capability.
- The Upper Layer-3 switch is a far distant one from the local site;
- We have more than 30 machines infected on the site;

USING A LINUX SERVER WITH IPTABLES AS A GATEWAY

If I point my Target Machine to my Linux Server in the diagram will I be isolated? Points to Remember:
- Linux External Interface: 172.16.0.100/24
GW: 172.16.0.1
Plugged to Port 1/1
- Linux Internal Interface: 192.168.1.100/24
No Gateway
Plugged to Port 1/2

Target Machine:
- LAN Interface: 192.168.1.10/24
GW: 192.168.1.1
Plugged to Port 1/3

We have a Layer-2 switch, no STP, no VLANs. The upper Layer-3 is a far distant one from the site. The Target Machine, Linux Server and the Infected Machines will all be in the same broadcast domain. The Target Machine will be in the same broadcast domain but in a different subnet: it will have the subnet 192.168.1.0/24 and point to the Linux Server.

In this situation can the Target Machine still be infected? Remember: it will be plugged into the same switch (Layer-2) as the other infected ones. The only difference will be the IP address.
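The Linux gateway described in this post (external 172.16.0.100/24 on the infected segment, internal 192.168.1.100/24 toward the target), as an added example that is not part of the original thread: a stateful iptables policy for that server that NATs the target's outbound traffic and accepts nothing the infected side initiates. Interface names eth0/eth1 and the target using 192.168.1.100 as its default gateway are assumptions; the rules only govern traffic that crosses this box, which is why the consumer-router approach (a separate physical segment behind the router's LAN ports) isolates more strongly than a second subnet on the shared Layer-2 switch.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables policy for the
# Linux "temporary exit" gateway. Interface names are assumptions.
WAN_IF="${WAN_IF:-eth0}"                   # 172.16.0.100/24, faces the infected segment
LAN_IF="${LAN_IF:-eth1}"                   # 192.168.1.100/24, faces the clean target
TARGET_NET="${TARGET_NET:-192.168.1.0/24}" # subnet of the machine being rebuilt

# Emit the ruleset in iptables-restore format so it can be reviewed before use.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the target behind the gateway's own 172.16.0.100 address
-A POSTROUTING -s ${TARGET_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: loopback, replies to its own connections, SSH only from the clean side
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${TARGET_NET} -p tcp --dport 22 -j ACCEPT
# Forwarding: the clean side may open connections; the infected side only gets replies
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${TARGET_NET} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else arriving from the 172.16.0.0/24 side is logged, then hits the DROP policy
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -j LOG --log-prefix "blocked-from-lan: "
COMMIT
EOF
}

# Sanity check: number of FORWARD rules that would ACCEPT traffic entering from the
# infected interface. The policy above is correct only if this is 0.
count_inbound_accepts() {
    build_rules | grep -c -- "-A FORWARD -i ${WAN_IF} .*-j ACCEPT" || true
}

apply_rules() {
    # Needs root; enable routing between the two interfaces, then load the table atomically.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;   # default: print the ruleset for review
esac
```

Run without arguments to review the generated table, then with `--apply` as root; the final LOG rule makes every connection attempt from the 172.16.0.0/24 side visible in syslog while the target is being built.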
 

Author Comment

by: sparskter
The idea is: after we finish the install and update of the target machine we can change its IP address back to 172.16.0.0/24. The Linux server would be just a temporary exit.
 
LVL 70

Expert Comment

by: garycase
"... - We have more than 30 machines infected on the site; " ==>  Wow.   And you're not concerned about leaving them like this ??    I'd be looking at the least-intrusive ways to resolve those infections !!

Any topology that puts the new system in its own subnet will keep it isolated from the other machines ... but if, at the end of the install, you're going to put it back on your heavily infected network, you'd better be sure you have VERY good real-time antivirus and anti-malware products installed !!
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
And that the user doesn't have admin rights.
 

Author Comment

by: sparskter
Thomas Zucker-Scharff 2014-10-22 at 13:18:48 (ID: 40397963):


"You could create an install image with your AV preinstalled so that when you reimage a computer it installs the AV prior to connecting to the internet."

ANSWER: that is a good idea. You mean ghosting a "master workstation" and then deploying the image, right? After, of course, having Windows updated and with "sysprep" applied. What imaging software do you use and recommend? Do you use sysprep?


"I guess this begs the question - why do the other machines need access to the internet to begin with?  Can you isolate the infected machines without affecting the mission critical software?  You might also look into using a hosts file like the one from MVPS at: http://www.mvps.org/winhelp2002/hosts.htm.  You can add all your infected machines into it so that they won't gain access in that way.  Also block all ip's in your own domain except the target computers'."

ANSWER: the workstations need internet access because the application they use performs medical exam consults via the Internet. So Internet is necessary for all workstations. Of course, the proxy server could be adjusted to allow only the necessary sites, but the proxy server is not managed by us and the users have permissions to access other sites as well.

But the internet is not the focus here. The focus is: "how to replace each one of the 30+ workstations with a new clean install without being infected by the others that are already infected?" The problem is the local network with only 1 VLAN and only 1 BROADCAST DOMAIN: the virus infects each one of the workstations because they are on the same VLAN, same broadcast domain and subnet (same IP network). And as I stated earlier we only have a Layer-2 switch with no STP, no VLAN capabilities.
 

Author Comment

by: sparskter
rindi 2014-10-22 at 13:19:52 (ID: 40397964):

"First of all, forget XP, it is EOL and malware is much more likely to get at it."
ANSWER: Thanks rindi. We will try to upgrade to Windows 7 SP1. But I think it will only be possible in the not-so-near future. Unfortunately.


"Install Windows 7 while the PC isn't connected to the LAN, then install the AV tool, connect it to the lan and update the AV signatures. After that do all windows 7 updates."

ANSWER: Well suggested. We can download the "SUPER DAT" signature file used by McAfee VirusScan Enterprise, which is roughly ~80MB (http://download.nai.com/products/licensed/superdat/english/intel/7599xdat.exe), bring it on a USB stick and perform the update. After that, bring the machine online.

Unfortunately the site has a 2 Mbit internet connection (the bandwidth is limited to this amount) and the update of McAfee will take a long time if we download it locally. So I think a local update is not possible because the infection process must be really fast: in other words, if we try to update McAfee while connected to the same subnet as the other workstations, the target machine will probably be infected before the AV signature update finishes.

QUESTION: Will Windows 7 hold against malware/virus before being updated (at Microsoft Windows Updates), even with McAfee AV updated?
 

Author Comment

by: sparskter
fmarshall 2014-10-22 at 13:34:49 (ID: 40397994):

"And, while doing all that, maybe plug it into the upper Layer 3 switch to avoid the subnet with all the infected computers on it."
ANSWER: fmarshall, thanks for your feedback. I have updated the network diagram: on site we have only a Layer-2 switch with no STP and no VLAN capabilities. The Layer-3 switch is far away from our site.

"Is there some reason you aren't cleaning up the infected computers anyway?"
ANSWER: we will have to do one-by-one without stopping the services from the others. The idea is to have at the very end, all workstations reinstalled and, I hope, free from viruses.
 
LVL 87

Expert Comment

by: rindi
"QUESTION: Will Windows 7 hold against malware/virus before being updated (at Microsoft Windows Updates), even with McAfee AV updated?"

It depends on the malware you are experiencing. Most malware doesn't automatically install itself to other PCs on the LAN. Usually you have to do something to get it.
 

Author Comment

by: sparskter
garycase 2014-10-22 at 19:53:27 (ID: 40398475):



"Just install an inexpensive NAT router (any consumer Linksys, NetGear, DLink, etc.) between the PC and the existing network.    Plug the current network (the cable that would normally go to the PC) into the WAN port of the router; and plug the PC into one of the LAN ports.

This will put the PC on a completely different subnet -- it will be able to "see" the internet; but none of the other PCs will have access to it."

ANSWER: very good suggestion garycase! I put that in the network diagram to reflect the idea! This can really work as the NAT will isolate the rest! And the "cheaper" router can be bought with no problems at all.


VERSION 4: How to perform a new clean install of Windows in an environment with machines infected v4
 

Author Comment

by: sparskter
garycase 2014-10-23 at 04:58:20 (ID: 40399193):


"Wow.   And you're not concerned about leaving them like this ??    I'd be looking at the least-intrusive ways to resolve those infections !!"

ANSWER: hello garycase. The idea is to have a process and at the very end all workstations will be reinstalled, updated and free of virus (I hope). But they have to be managed one-by-one.

"Any topology that puts the new system in its own subnet will keep it isolated from the other machines ..."

ANSWER: so we can isolate the workstations with the Linux server even though we will be connected physically to the same Layer-2 switch, but only with a different subnet/IP address?

"but if, at the end of the install, you're going to put it back on your heavily infected network, you'd better be sure you have VERY good real-time antivirus and anti-malware products installed !!"

ANSWER: Yes, you are right. We will have to trust our AV solution at the very end.
 

Author Comment

by: sparskter
Thomas Zucker-Scharff 2014-10-23 at 05:41:58 (ID: 40399282):


"And that the user doesn't have admin rights."
ANSWER: Yes, sure, well remembered.
 

Author Comment

by: sparskter
rindi 2014-10-23 at 07:19:02 (ID: 40399552):

"It depends on the malware you are experiencing. Most malware doesn't automatically install itself to other PCs on the LAN. Usually you have to do something to get it."

ANSWER: Thanks. I think the updated McAfee AV will hold against common malware that tries to infect via broadcast/networks.

We have to remember here that all Windows workstations have the *same* local administrator password so they can reach \\172.16.0.XYZ\C$ easily.
 
LVL 87

Expert Comment

by: rindi
You don't need to keep that password for the new installation. Besides, why do you need remote access to the root of C:? Usually, not even the Admin should have access to that location.
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
For ghosting software there are a number of options. Norton Ghost is still excellent. Using UBCD4Win with Norton Ghost installed, with the image(s) installed as well. There are many others. Sysprep is a must in this case. You can do its work by using something like Whatschanged, but this is a whole lot of work. I am NOT a sysprep maven - so if you want help with that feel free to ask others.

In the end it depends on how much of a graphical user interface you want or need. You could use something as basic as clonezilla, although I wouldn't in any production environment, or as easy as Paragon Disk Suite.
 
LVL 25

Expert Comment

by: Fred Marshall
There are all sorts of workaround methods that will work if the focus is on but one machine.  
But, it seems to me that your focus has to be on the entire set of computers.
So, here is what I'd suggest:

Find out what the infection *is*.  Then the attack can be focused.  I realize that infections can be multiple but it sounds like you have a worm that's infected many computers on the network.  
Figure out if you can:
- how to remove that one thing.
- how to protect against that one thing.
Then you can fix all the computers one at a time and expect them to stay fixed.  How else really?
 
LVL 70

Expert Comment

by: garycase
It's easy to install one system without any risk, by using the extra router I noted earlier (and you've already updated your diagram to show it).

But to get everything cleaned up, you really need to ID exactly what infection (or infections) you have on the other systems. Can you remove ONE system from the network and take it offline to isolate this? Microsoft's own "Defender Offline" bootable disk does an excellent job of this [ http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline ]; and the major A/V vendors have similar products. Once it's clean, you then need to be sure you've installed A/V and malware protection that will detect and STOP that infection from re-infecting the now-clean PC.

Depending on just how badly these are infected, and what the specific infection is, you may find it's easier to clean them one-at-a-time than to reload them all.
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
Defender Offline is an excellent suggestion. If you are going to go that route I highly suggest using a SARDU-created boot device (USB devices are better in that they hold more and have room for backup as well, although you can create a bootable DVD). A SARDU-created boot device is like any other multi-boot device. In this case I have found it much easier to use this utility than some of the others. Once you have downloaded the necessary files (easy through SARDU point-and-click downloading) and created the bootable device you will have everything on there that you will ever need. You can even put your own licensed software on if you would like (all other software, with one exception, is legally free software). For more specifics see my article about SARDU:

http://www.experts-exchange.com/Hardware/Storage/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html

And my two video tutorials on Windows 7 and SARDU:

Downloading and Installing SARDU on Windows 7
Using SARDU on Windows 7

As noted in the article and the videos, be aware of the adware you will need to avoid as well as the warez, which you don't need if you use the other options.
 

Author Closing Comment

by: sparskter
I think I got very good ideas. The problem may "seem obvious" but that is not true: maybe "obvious" from a technical perspective but from a logistical one.