September 29, 2009, Computer Security Awareness Day
Fermilab
• Why are we here?
• Current environment
• How are machines getting infected?
• Improvements (timeline)
• Weekly AV scan changes
• What is TIssue?
• AV Notice TIssue Detector
• Rebuilds vs fixes
• AV service enhancements
• Help us to help you
• Blocked? Getting help…
• Questions?
AV Protection for ~3000 Windows systems
Volume of AV notices via Email
◦ ~1000 per month
◦ A single machine can generate several notices
◦ Too many for any one person to filter by hand
Manual response
◦ Can be unreliable
◦ No priority
No official procedures prior to May 2009
Tune IT Up requirement
Symantec AV corporate edition 10
◦ multiple parent servers to support Fermilab
◦ servers report into a central AV Report server
◦ system is configured to download and advertise new signature files every 15 minutes
◦ If away from the lab: clients are configured to download new sig files from Symantec once a day
◦ clients are configured to perform a full scan once a week (most are set for Tuesday 2AM)
◦ clients use heuristics in addition to the standard signature based realtime protection.
AV alone cannot cover all malware
◦ Malware is being written at a high rate, a challenge for AV manufacturers to keep up
◦ Now needed: Antivirus, Antispyware, firewall, intrusion prevention, device and application control
Local admin permissions
◦ Domain and local accounts
USB devices
◦ Autorun & Autoplay can allow malware
Web browsing
◦ Business need web browsing
◦ Non-business casual web browsing
Infection flow (diagram): Normal web surfing -> Malware runs in memory -> Request Rootkit from the cloud -> Attempt to write Rootkit to file system -> AV does real-time file scan after file is closed
Web Proxy Server
◦ Applied to 98% of the network subnets at the lab
Disable Autorun
◦ prevents malware from auto-running on USB device insertion
Restricting web access via domain
◦ Applies to machines with critical business needs
Restore points - 2 options
◦ disable restore to remove malware, then re-enable
◦ rebuild
Weekly AV Scan changes – next slide
Scans may be postponed four times
◦ instead of being cancelled
Tested new setting for several weeks with no problems
Staged rollout throughout the end of the year
Tracking Issue workflow system
◦ Strong Authentication violations
◦ OS patching levels
◦ Network inventory
◦ Antivirus Notices
Monitors the central logging repository
◦ Blocks are issued based on parameter settings
Registered system administrators will get notified
Issue must be properly remediated or the system will be blocked
You will be blocked again if the problem is not actually fixed
This email is automatically generated, do not reply. The system listed below is registered to you as a sysadmin.
A network block for this system (described below) has been requested by Computer Security.
Please visit: https://nimisrva.fnal.gov/WF/TIssue/event_mgr/displayRemediationForm?machine_id=34754 to view more details about the vulnerability found and to enter the action taken to fix the vulnerability.
Note: If this event is not remediated, the system will be blocked from network access at None
Here is a description of the host/sms check:
IP Address: 131.225.xx.xx
MAC Address: 00:00:00:00:00:00
Node name: xxxxxxxxx
Affiliation: xx/xx/xxx/xxxxxxxxxxxxxxxxx
Last found: 2009-09-22 13:08:41
Issue: Virus Found (Blocking Event)
Additional Info:
Class/Action/Location trigger:
Host: xxxxxxxxxxxx
IP: 131.225.xx.xx
USER: xxxxxxxxx
Class/Action/Location triggers:
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )
Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )
THIS IS A BLOCK EVENT.
If you experience difficulties resolving this issue or require additional assistance, please contact the FNAL Service Desk (x2345) to open a ticket to be routed to your local desktop or server support group.
Previously each notice was manually reviewed
Now automated - virus notices are sorted and filtered
◦ Notices are flagged that require follow-up
◦ All other AV notices are ignored
◦ Started by using criteria that matched our current AV experience
◦ Criteria changes will be made from Windows Policy Committee proposal vote
Follow-up criteria
◦ Virus type blocks: Root kits, keyloggers, information stealing, etc
◦ File location blocks: Operating system, application program, etc
Departmental file servers are exempt from blocks
Number of rebuilds is small versus the number of identified viruses
Rebuild if virus types meet criteria
◦ such as Hacktool.Rootkit & downadup (aka Conficker)
Rebuild if infected files are in protected system areas
◦ such as Windows, WINNT, System, System32
Fix if virus is in restore point
Ignore notices in temporary internet file areas and non-system areas
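As an added example (not code from the deck or from Fermilab's TIssue system), the following Python applies the follow-up criteria and the rebuild/fix/ignore rules from the last two slides to the "Class/Action/Location" trigger lines of an AV notice. The order of the checks, the restore-point path marker, the sample paths and the file_server flag are assumptions made for the example.

```python
import re

# Criteria are the ones listed in the deck. Sample paths, the restore-point
# marker and the "file_server" flag are constructed for this example and are
# not Fermilab's actual TIssue configuration.
REBUILD_TYPES = ("hacktool.rootkit", "downadup", "conficker")
FOLLOWUP_TYPES = ("rootkit", "keylog", "infostealer")
SYSTEM_DIRS = ("\\windows\\", "\\winnt\\", "\\system\\", "\\system32\\")
RESTORE_POINT = "\\system volume information\\"   # assumed restore-point marker

# One trigger in the "Class/Action/Location" block: "<Threat>=<Location> (<Action>)"
TRIGGER_RE = re.compile(r"^(?P<threat>[^=]+)=(?P<path>.+)\((?P<action>[^)]*)\)$")

def parse_trigger(line):
    """Split a trigger line into threat name, file location and AV action."""
    m = TRIGGER_RE.match(line.strip())
    if not m:
        return None
    return {k: m[k].strip() for k in ("threat", "path", "action")}

def classify(trigger, file_server=False):
    """Map one trigger to the deck's disposition: exempt, fix, rebuild, follow-up or ignore."""
    threat, path = trigger["threat"].lower(), trigger["path"].lower()
    if file_server:                               # departmental file servers are exempt
        return "exempt"
    if RESTORE_POINT in path:                     # clear by disabling/re-enabling restore
        return "fix"
    if any(t in threat for t in REBUILD_TYPES):   # Hacktool.Rootkit, Downadup (Conficker)
        return "rebuild"
    if any(d in path for d in SYSTEM_DIRS):       # infected file in a protected system area
        return "rebuild"
    if any(t in threat for t in FOLLOWUP_TYPES):  # rootkits, keyloggers, info stealers
        return "follow-up"
    return "ignore"                               # temp internet files and non-system areas

def triage_notice(lines, file_server=False):
    """Classify every trigger in a notice and return the most severe disposition."""
    rank = {"exempt": 0, "ignore": 1, "fix": 2, "follow-up": 3, "rebuild": 4}
    found = [classify(t, file_server) for t in map(parse_trigger, lines) if t]
    return max(found, key=rank.get) if found else "ignore"

# Constructed notice: the first line is the one shown in the deck's sample email.
SAMPLE = [
    "Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion )",
    "Hacktool.Rootkit=C:\\WINDOWS\\system32\\drivers\\example.sys (Left Alone)",
    "Trojan.Gen=C:\\System Volume Information\\_restore{RP1}\\A0001.exe (Quarantined)",
    "Trojan.Gen=C:\\Documents and Settings\\u\\Local Settings\\Temporary Internet Files\\x.htm (Deleted)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(parse_trigger(line)), "<-", line)
    print("notice disposition:", triage_notice(SAMPLE))
```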
Working with vendor to identify detected malware
Review and upgrade current solution
◦ Endpoint Security Protection: Antivirus, Antispyware, Firewall, intrusion prevention, device and application control
If you are blocked please tell us if:
◦ you have recently borrowed a flash-drive/memory stick
◦ you have opened an email attachment, especially from your non-Fermi account
◦ you have browsed business related web sites
◦ you have browsed casual web sites
Providing detailed information may help problem resolution and future enhancements
Email notice goes to the registered system administrator
◦ When your machine gets blocked you may not receive an email notice. Contact the Service Desk at x2345
◦ If you suspect you have been blocked ask that the TIssue site be checked
Need to provide username, nodename, IP address etc.
Thank you for attending!