BOFH: SOOO... You want to sell us some antivirus software?

"Yes, but with our antivirus software you can be guaranteed that we will track and locate 98.97 per cent of all known viruses," the caller says. "Tell me, where did you get the 98.97 per cent from?" "What do you mean?" "Well you say 98.97 per cent - not 99 and not something like 96, so you've obviously got a reason for it …


  1. J P

    Stop it; this is wrong - Friday is BOFH day...

    1. Will Godfrey Silver badge

      Shhhhh.

      I'd rather have BOFH on Saturday than have no BOFH at all.

  2. Anonymous Coward

    He's spoken to Symantec and McAfee then?

    1. bleh_meh

      and Kaspersky, and Trend, and Avira, and Micro$oft, and everyone else!!

      1. Richard 12 Silver badge

        Bloody useless, the lot of 'em

        For example, Symantec blocks the installation of some of our software.

        We've reported it several times, we've sent them the installers, we've sent them logs from our customers, and they refuse to acknowledge that there just might possibly be an issue with their software.

        So we've simply had to advise those customers to drop Symantec. Which they have, because our software is genuinely useful while theirs is...

        Saved them a lot of money as well.

    2. CoolKoon

      Yep, my words exactly :D (been there, used that)

  3. Dr. Mouse

    BOFH on Saturday is WRONG! Please stop it!

    BOFH is a Friday lunchtime thing.

    1. Anonymous Coward

      Nooooo don't stop the BOFH! What are you saying man!!!

    2. Primus Secundus Tertius

      El Reg is desperate to liven up its weekend section. Maybe one day they will give up on a bad idea.

  4. Anonymous Coward

    He described Panda Enterprise edition perfectly... Still trying to get that crap off a server from 8 years ago... It's easier to do virus cleanup than anti-virus cleanup

    1. CoolKoon

      Nah, it's a piece of cake. You boot the system in safe mode, rename the AV folder, boot into normal mode and voilà! Good as new ;)

    2. Hans 1

      You do know regedit.exe, do you not? There is an almost useless "Find" option in there, but what it does do helps in getting <whatever_the_kids_installed> off the computer.

      I use two combinations:

      Find <folder_name>|<program_name>
      while (! EOF)
      {
          if (keyname.isHighlighted)
          { hit(DEL); }
          else if (Value.isHighlighted)
          { // some uid
              hit("<-"); // left arrow key
              hit("<-");
              hit(DEL);
          }
          hit("F3");
      }

      Delete folders on FS.

      Works for me - takes time, though :-(

      On Mac, I throw /Applications/<application_folder> into the bin, search for plists and throw them in the bin.

      On Linux, it is just "apt-get remove --purge <program_name>", but I digress.

  5. gryphon

    Deary Me

    Simon seems to be getting rather mellow in his old age.

    Certainly not as vitriolic as AV companies actually deserve

  6. Peter2 Silver badge

    So, fellow BOFHs, a few questions if I may.

    1) Who thinks AV is even slightly effective? (When Symantec says AV only protects against an attack 45% of the time I think we can all agree there's a problem?)

    2) Who drops any email attachments that are vaguely executable at the firewall/before it reaches the lusers?

    2B) Have you figured out a way to open a zip/rar/oddarchivetype, and then drop the ones containing executable code?

    3) Who has SRPs set up to prevent the users from running a virus imported by CD/USB/SOMEHOW?

    4) How do you deal with PDFs? My personal bugbear: you can't just drop them because about 5% are actually legitimate, but the other 95% are exploiting the Swiss cheese security in Adobe. So far EMET5 appears marginally effective at mitigation when the users open them. I did try replacing Adobe Reader with Foxit Reader, however Foxit Reader appears to be substantially less stable than Adobe.

    1. Phil W

      The answer to 2, 2B and 4 is to use something like MailScanner on your edge mail transport: drop all exes and zips, and the AV scan it does on the rest should take care of the rest, including PDFs. But you could drop them too if you want, since MailScanner will notify the users when it's blocked their attachments, so they can ask you to release it if it's a false positive.

      The answer to 1 and 3 is the same. Who cares? Put the most acceptable AV of your choice on end user machines for some protection but have them keep all their work on a file server. If their PC gets infected nuke it, re-image and away you go.

      In a well managed and backed up environment viruses and malware are rarely more than a bit of a nuisance. The bigger security problem is educating your users and preventing them from falling for phishing mails and the like.
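      As an added example (not code from this thread, and not MailScanner's own logic), here is a small Python gateway check in the spirit of Peter2's questions 2 and 2B and Phil W's edge-MTA approach: it drops attachments by executable extension or by the "MZ" PE magic, and looks inside zip attachments for executable members instead of trusting the outer filename. The extension list and the sample message are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions the thread calls never legitimate in office mail (Peter2's list plus a few); constructed, tune locally.
EXEC_EXTENSIONS = {"exe", "bat", "cmd", "com", "vbs", "js", "pif", "scr"}
ARCHIVE_EXTENSIONS = {"zip"}

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _looks_like_pe(data):
    # Windows executables start with the "MZ" DOS stub whatever the filename says.
    return data[:2] == b"MZ"

def executable_members(zip_bytes):
    """Names of archive members that look executable, by extension or by MZ magic."""
    flagged = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if _ext(info.filename) in EXEC_EXTENSIONS:
                    flagged.append(info.filename)
                    continue
                with zf.open(info) as member:  # read only the 2-byte magic, not the file
                    if _looks_like_pe(member.read(2)):
                        flagged.append(info.filename)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or oddly compressed: fail closed rather than pass it through.
        return ["<unreadable archive>"]
    return flagged

def scan_message(msg):
    """Return [(attachment name, reason)] for every attachment the gateway should drop."""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in EXEC_EXTENSIONS or _looks_like_pe(payload):
            verdicts.append((name, "executable attachment"))
        elif _ext(name) in ARCHIVE_EXTENSIONS:
            bad = executable_members(payload)
            if bad:
                verdicts.append((name, "archive contains " + ", ".join(bad)))
    return verdicts

def build_sample_message():
    """Constructed test mail: a harmless .docx plus a zip wrapping a double-extension .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "user@example.invalid"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"fake docx bytes (constructed)", maintype="application",
                       subtype="octet-stream", filename="report.docx")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE header, constructed
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg
```

      Only the zip is flagged on the sample mail, and the reason names the member inside it so the release-request Phil W mentions can be answered without opening the archive by hand.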

      1. petur

        Yes, by all means just drop all ZIP files, also drop DOC(X), PDF,... because you never know it might be an unknown attack vector.

        You sound like the IT guys at a customer site I work right now.

        We're running around with USB sticks to move files around because that's the only thing that seems to work (*). Personal USB sticks, of course.

        Yes, what could possibly go wrong?

        (*) given that contractors are not allowed on the customer network, I have to make do with a separate ADSL for my connectivity (which is a blessing because there's no firewall).

        1. Peter2 Silver badge

          If you trouble yourself to read my original post, you'll notice I drop files with executable files attached. As an office shouldn't have any legitimate programs delivered by email, this means the couple of thousand exe, bat, vbs, pif, scr files we receive daily are invariably viruses.

          1. Adrian 4

            "As an office shouldn't have any legitimate programs delivered by email"

            Eh ?

            Maybe an accountants' office, or something equally pointless. But most offices contain at least a smattering of actual workers, who like most people need to communicate arbitrary files. We don't appreciate you taking out all the useful bits.

            You'd be one for swapping all forms of cutting tool for plastic scissors, wouldn't you?

            1. Peter2 Silver badge

              The useful bits are files for Word, Excel and PDFs, with assorted images etc. I can't see any legitimate reason why an office worker would need to receive binaries via email as a part of their work. Care to share?

              Personally, I think 100% of incoming binaries are unsolicited malware of some description, and dropping them is a perfectly rational way of reducing the number that make it through to the end users.

              1. perlcat

                @Peter2

                I love your sweeping generalisation that all exes are bad. I work as a sysadmin, and trolls like you are why I have to first zip exes using weird compression, rename them to .tiff, open with a hex editor and insert 1029 bytes of TIFF file information at the top, just so I can transfer a file, remove the 1029 bytes, rename to whatever zip format and uncompress them and do my job. Pray to whatever gods you believe in that I never discover what kind of car you drive, where you eat, or where you sleep. Revenge is a dish best served totally unbeknownst to the target.

              2. Anonymous Coward

                Personal experience-

                I've had a few appliances over the years (UPS/generator monitoring cards, environmental sensors on the raised floor, upstart company's wizbang gizmo) where for whatever reason the catastrophic error reporting was an email to us and the vendor with a zipped log/crash file.

                Our policy was to nuke any zip file in inbound or outbound email, and at least one vendor nuked them inbound so those logs never saw the light of day when the magic blue smoke escaped the appliance.

          2. CoolKoon

            Well guess what - in the corporate environment I work at the damned AV monstrosity is set to full paranoia mode - it filters out even Unix shell scripts. And no attachment releasing option either. If I want a file delivered by a HW vendor (it happens fairly often in fact), I'm out of luck. And chaotic as it is, I'm not even sure which team I have to talk to to ask for some tweaking (well, theoretically I could try the helldesk, but no, thanks, I'd rather shoot myself in the foot). And don't even get me started on the enterprise AV policy they pushed out regarding "unwanted programs" (e.g. those idiots have included even stuff like bash.exe, which renders Cygwin unusable on the machines running the AV, i.e. every corporate machine)......

            1. dan1980

              Here is the thing . . .

              Security is a matter of balancing protection with convenience and usability (and cost). Always has been, always will be.

              There is no one-size-fits-all solution here and different scenarios and businesses will warrant accepting some additional risk for the sake of productivity or vice-versa.

              It is my experience that if you make things too restrictive, users will get around the system in order to do what they want/need to do. If you set your password policy too strictly, requiring 20+ character passwords changed every month, most users will end up using weak, easily-remembered passwords, thus negating the benefits of a strong password policy in the first place.

              Just so with AV restrictions as users will send files via personal e-mail, bring in CDs and USB sticks, use services like Dropbox and generally side-step the problem. What this often leads to is company data being handled by and stored in non-company systems, which is not a great situation.

              Sure, you can try banning all (say) webmail URLs, but then what happens when you are instructed to allow Gmail so the CFO can view and synchronise an external calendar? And so it goes.

              The important part in all this is to make sure the users are well-informed and understand why things are the way they are. Teach them good practices and keep them educated about any current trends or dangers because no matter how good your precautions, the best defence is a well-educated user.

      2. Red Bren

        "have them keep all their work on a file server."

        That's been the policy at almost every company I've worked for. Along with the policy of giving staff terabytes of unusable storage on their local machines, while refusing to invest in disk space on the file servers. And the network hasn't got the capacity to cope with more than one person at a time moving data about.

        Has anyone invented network RAID yet? If every desktop in my office could contribute 1TB to a massively mirrored and striped array, I'd be delighted, even if the resulting shared drive was only 1TB. Although the network would still be a bottleneck.

        1. Hans 1

          Exactly, I do not get all this nonsense.

          I think you could do with Linux: remove the hard drives from the workstations as they arrive, set up boot from LAN, use Linux, see slax for an amazing example ... 180Mb of read-only joy, complete with office suite, browser etc. Customize your image[s] with the apps you need. Build a massive RAID with the hard drives to house docs, home folders, your 4/5/6 images, and their respective backups ... remember, you do not need an image per hardware combination, more an image per target audience.

          The home folder would be a network share, ideally sshfs. You have an issue, reboot ... takes 1 minute, including download/loading of image, and the beast is clean again. If you have over 2Gb RAM in the clients, use copy-to-ram for exceptional performance ... only uses like 512Mb RAM.

          Alternative:

          FreeBSD or Solaris and a distributed ZFS file system, using all drives in all machines for storage of documents.

    2. Anonymous Dutch Coward

      @Peter2

      Re 4: you could have a look at SumatraPDF. Have used it personally for some years; quite happy with it.

    3. Decade

      Stupid PDFs

      These days, I mostly use the PDF readers built into Firefox, Chrome, and Safari. Sometimes I use (Apple) Preview. This is on a Mac, obviously.

      What I'd like to do is banish them to an untrusted AppVM, as in Qubes OS, but I'm rather addicted to my computer having performance. Maybe next time I build a computer.

      1. Martin Budden Silver badge

        Re: Stupid PDFs

        PDF stands for Pointless Document Format.

      2. fridelain

        Re: Stupid PDFs

        Sandboxie on Windows works fine. On SELinux enabled distros there is the aptly named "sandbox". (sandbox -X for graphical apps, as by default it only allows for command line.)

        I guess there is something similar for OSX.

  7. Chris Miller

    98.97%

    "Obviously it has two significant figures, so it's pretty accurate"

    It has four significant figures, two decimal places.

    Excellent description of AV software, though.

    1. KA1AXY

      Re: 98.97%

      Significant figures relate to precision, not accuracy. Accuracy is how well the number describes reality, which, in this case, is not at all.

  8. Anonymous Coward

    Foxit

    I keep hearing people say it is unstable, but here is the thing: I have been using it since the dark ages and NEVER had a single issue. ADOBE, on the other hand (which I have installed because some government websites INSIST only Adobe can open their PDF attachments), buggers up every other time I try to use it.

    As for AV programs, yes, they slow everything down to a crawl; almost as bad as installing realplayer (which I foolishly did again last night).

    I have never seen a simple EULA screen effectively lock up my machine for several minutes before.

    1. Cliff

      Re: Foxit

      You installed RealPlayer last night? Is this posted through some strange time wormhole? I haven't installed RealPlayer since...must be pre-2006 as that's my oldest still-working box, and it's never had it.

      Do you mind me asking, genuinely, what for? Can VLC not play the .rm files you need?

      1. Peter2 Silver badge

        Re: Foxit

        How many computers do you have on your network, may I ask?

        I've been having pretty chronic problems with foxit reliability, which is a shame because I really liked the program as an alternative to Adobe.

      2. Anonymous Coward

        Re: Foxit

        I know, I was delusional, I blame the head cold and sinus irritation - the medication made it seem like a good idea.

        As for how many PCs, only a dozen, but they are all old, patched-together systems made out of left-over parts and spare XP licences (+1 Win7 machine) that originally ran WinME and use Rambus RAM; actually THREE of them originally came with WinME.

    2. Anonymous Coward

      Re: Foxit

      I have managed to use Foxit even with those god awful government PDF forms most of the time. I save the form - using an old version sometimes - and then FOXIT that saved one. If the )(*&^%$£"! fools think I am going to print out their un-savable forms and write on them, well, they have not seen the state of my writing; still, I may get the hand operated on soon. I guess they do have someone who can read, though I am not sure that is always the case judging by the number of errors they manage to make processing the stuff I send them.

      Perhaps I should just write out the entries using my feet?

      1. Anonymous Coward

        Re: Foxit

        "Perhaps I should just write out the entries using my feet?"

        I've seen that done before today… maybe if you did that they'd get the message?

        1. Peter2 Silver badge

          Re: Foxit

          Just your home network then?

          I rolled it out to one of my branches at work. It lasted about 2 months before I got fed up with having to remote to people's desktops to deal with multiple hung processes sitting in the background not working.

    3. CoolKoon

      Re: Foxit

      RealPlayer?! Does that thing still exist even? Damn, I haven't seen (or heard) that term well......since forever. Why'd you do something like that?

  9. Anonymous Coward

    All of that SOOO true..

    .. but the most important sentence is the one that gets you downvoted every time you dare utter its harsh reality publicly:

    "INSTEAD of coming to me and telling me to do my job properly..."

    Yes, Microsoft, I'm looking at you. Since MSDOS, basically.

  10. Tannin

    This BOFH rant would be very funny, but it isn't, 'coz it's very very true. Usually we laugh at the BOFH 'coz he exaggerates real life so cruelly and accurately, but this time it's pure and simple truth.

    On an off-topic note, Foxit used to be good. Used to be. Now it's just another slab of marketing-riddled bloatware with a screen-robbing Sinofsky-inspired UI from Bedlam. Despite having used and recommended it for quite a while, I stopped installing it a couple of years ago and switched to one of the three or four excellent little free no-BS alternatives. (My favourite is PDFExchange but there are several others which seem pretty nice too.)

    1. chris 17 Silver badge

      Just use Chrome for reading PDFs

      If you're just reading PDFs, just use Google Chrome. I generally have one window with tabs of the PDFs I need to constantly refer to.

    2. Cliff

      PDFExchange is actually pretty good, I agree, but why, to God, do they have so many confusing and conflicting versions? I actually wanted to upgrade to a paid version for a job, but the site/version list was so confusing I gave up. Note to sales teams - don't drive potential customers away!

    3. sdalton

      PDF-wise - SumatraPDF for the Windows boxes, Zathura for *nix. Job done. Dunno about the OS X crowd, never had cause to use one for more than 5 minutes.

  11. Trygve Henriksen

    Truer words have never been spoken!

    Simon, if I ever bump into you anywhere, I'll buy you a beer!

    (And given the price of beer here in Norway, that means I appreciate this article A LOT!)

    1. Anonymous Dutch Coward

      Beer

      @Trygve Henriksen: agreed with the beer & you Norwegians (well your government) seem even more insane about levying taxes and duties on alcohol than us Dutch. My condolences.

  12. Herby

    Simple comment...

    SPAM and Virii exist because THEY WORK. Most of the attack vectors are in email (click here to win $$$) and these function because idiots will click them. Yes, to those who know better they are a scam, but for some percentage (probably the leftover 1.03%, 100% - 98.97%) they get through. With the small cost (if any) of email, this is acceptable to the scammers.

    Moral: Don't click on email attachments unless you are VERY SURE of the source, and are expecting the attachment. Gotta be careful!

    Of course it would be easier if operating system companies didn't do most of the work for the virus makers by "helping".

    1. Peter2 Silver badge

      Re: Simple comment...

      You're preaching to the choir posting that on here. :)

    2. Kevin 6

      Re: Simple comment...

      I remember about 9 years ago, at a place I worked IT in, we had a nasty Outlook e-mail virus going around. We spent almost a solid week removing it from the network (we had over 2k computers). Right after we finished, our IT director sent out an e-mail to all users saying DO NOT OPEN ANY LINKS IN E-MAILS YOU ARE NOT EXPECTING OR KNOW THE SENDER.

      5 minutes later the idiot opens an e-mail attachment marked IMPORTANT OPEN IMMEDIATELY, and reinfected the entire network... We only know this as the admins installed tracking software, and were actively monitoring who was infecting the network, and it all pointed at the IT director's computer...

      1. Mad Chaz

        Re: Simple comment...

        What kind of haircut did he have? I wouldn't be surprised if it was pointy ...
