Does anyone know of any threads which might describe best practices for a virus outbreak preparedness plan for ...say...1000 workstations? We all remember the days when a virus/worm outbreak would cripple all workstations - and left users off-line until desktop support could come by and scan their machines, off-line, before letting them back on the network. I want to plan for the worst and I would say that would be a "worst case" scenario.
I've built a scanning CD with the SDAT extraction scanning utility, but it just takes far too long to boot into XP Safe Mode and start the scan. Not to mention that I'm still relying on the workstation's OS to get to Safe Mode - a virus could make this approach unusable.
No floppies on any boxes. All boxes have CD and USB 2.0.
I'd say this implies preparing some bootable CD (BartPE or similar) with modules for an antivirus... But you obviously can't burn the bootable CDs in advance as the antivirus (definition files) needs to be up-to-date. I don't know if McAfee VSE has this option somewhere.
Thanks for the reply. From the lack of interest in this topic I'm going to assume that not many people worry about this scenario. But any admin that's been around a while has gone through it, at least once.
Currently I have a few R/W CDs set up with the SDAT extracted into a scanning utility. But you still have to boot into Command Prompt Only to run it. Booting into F8 Command Prompt Only still implies that your OS is still working. I update the CDs about every two weeks and any time something bigger comes out. I wonder if there is a way to use PXE network booting to do this?
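As an added example (not something posted in the thread), here is one way a PXE-based version of the rescue CD could be staged so the "definitions go stale" problem is caught before the image is published. It is a POSIX shell script that writes a pxelinux menu entry booting a rescue ISO via memdisk, writes a dnsmasq proxy-DHCP snippet (so the existing DHCP server keeps handing out addresses), and refuses to stage the image if a date file bundled beside the ISO says the definitions are older than a threshold. The TFTP layout, the `rescue.dat-date` file, the subnet and the file names are assumptions for the example.

```shell
#!/bin/sh
# Added example: stage an offline AV rescue ISO for PXE boot, but only if its
# definitions are recent. Assumed layout (placeholders, not a real product's):
#   $TFTP_ROOT/pxelinux.0, memdisk, rescue.iso
#   $TFTP_ROOT/rescue.dat-date   - one line, YYYY-MM-DD of the definitions in the ISO

MAX_DAT_AGE_DAYS=${MAX_DAT_AGE_DAYS:-7}   # anything older is treated as stale

# Print the number of whole days between a YYYY-MM-DD stamp and now.
# Uses GNU date -d, falling back to BSD date -j.
dat_age_days() {
    stamp="$1"
    now=$(date +%s)
    stamp_epoch=$(date -d "$stamp" +%s 2>/dev/null) \
        || stamp_epoch=$(date -j -f %Y-%m-%d "$stamp" +%s)
    echo $(( (now - stamp_epoch) / 86400 ))
}

# Write the pxelinux menu and the dnsmasq proxy-DHCP snippet under $1.
write_pxe_config() {
    root="$1"
    mkdir -p "$root/pxelinux.cfg"
    # memdisk boots the ISO from RAM, so the workstation's own disk/OS is never used
    cat > "$root/pxelinux.cfg/default" <<'EOF'
DEFAULT rescue
PROMPT 0
TIMEOUT 50
LABEL rescue
    MENU LABEL Offline AV rescue scan
    KERNEL memdisk
    INITRD rescue.iso
    APPEND iso raw
EOF
    # proxy-DHCP mode: only the boot file is offered, address leases stay with
    # the existing DHCP server. Replace the subnet with your own.
    cat > "$root/dnsmasq-pxe.conf" <<'EOF'
port=0
dhcp-range=192.168.10.0,proxy
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/srv/tftp
pxe-service=x86PC,"Boot offline AV rescue image",pxelinux
EOF
}

# Stage the rescue image under TFTP root $1. Returns 1 (and writes no config)
# when the bundled definitions are older than MAX_DAT_AGE_DAYS, 2 if the date
# file is missing.
stage_rescue() {
    root="$1"
    stamp=$(cat "$root/rescue.dat-date" 2>/dev/null) || return 2
    age=$(dat_age_days "$stamp")
    if [ "$age" -gt "$MAX_DAT_AGE_DAYS" ]; then
        echo "refusing to stage: definitions dated $stamp are $age days old" >&2
        return 1
    fi
    write_pxe_config "$root"
    echo "staged rescue image with definitions dated $stamp ($age days old)"
}

# Stand-alone use: sh stage_rescue.sh /srv/tftp
if [ $# -gt 0 ]; then
    stage_rescue "$1"
fi
```

The point of the age check is that a rescue image that boots fine but carries month-old definitions gives a false sense of readiness; failing loudly at staging time forces the refresh the OP is currently doing by hand every two weeks.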
I'm not sure it's lack of interest... (I'm interested.) But then I'm not sure how I'd face having to scan/fix 100+ (let alone 1000+) workstations. I get a feeling that I'd rather fix them with a Ghost than have to scan & repair 10^x workstations (we're in the 10^4 here). Hell, that's why we take so much precaution, so it doesn't happen.
But about your question, I'd definitely go for a modified BartPE build. So you have an independent bootable CD with its own OS independent from the workstation and it's able to read & fix any WinFS including NTFS...
I keep a laptop ready with BartPE ready to burn... it's not usually on our Net, and in case of need I can get it to any available Net (e.g. WiFi in the area) and d-load the DAT and burn the CD at will. Haven't really tried it and am not eager to live-try it :/
I have the Avira AntiVir rescue CD (gets rewritten every day with new definitions) but then set up as a bootable USB drive using instructions from the Ask the Geek blog. This is fast and seems to work pretty well.
I'd say that this kind of plan is just a plan for planning. If this happened and you had to visit 1000 plus machines you'd be at it for a week or more.
A better stance is to firm up VSE85 with AP policies and BO active and have alerting in ePO for virus not removed.
A question to ask is what virus these days is really designed to kill a machine? Not that many in my opinion. A dead machine can't talk, and a machine that can't talk is not worth anything to commercial Malware writers and BOT herders. They pay for and maintain this Malware for the purpose of sending SPAM and collecting valuable information to use or resell.
So weigh up the time and effort spent in constant readiness plus the time it would take to carry out the plan, and I am not sure it's worth it. Better to spend your time looking at ePO reports, SANS NewsBites, Symantec's Security Response and My AVERT Portal for trends and detections, plus add something like SiteAdvisor Enterprise and good proxy blocking of Malware-infected sites to minimise any effects. (I know it's reputation rated as well.)
Add a good patching policy onto this and the likelihood of this occurring will be low. Segment your network, add vLANs, ensure proper password policies, Share security, external message scanning or a few passes with different scanners internally for Malware and SPAM\phishing emails and you will be nearly there.
I also have outbreak policies to enable in the event of an outbreak, plus a good action plan to follow through to contain a threat as quickly as possible.
This is my take on it. I manage AV for over 11000 machines with a backup person and this has stood us in good stead for a long time.
You have a point. A virus to kill every box, or many boxes, would be a very unlikely occurrence. But... a denial of service attack (IMHO) is a very real possibility. Call me neurotic. Maybe the OS security patches delivered by the vendors are frequent enough to keep that from happening.
Gazz300. I'd love to do all that but I'm just a tiny guppy in the big corporate ocean. All security measures are handled by headquarters - which leaves me little room for process improvement to protect my tiny number of 1,000 machines. I can only hope that they've done all that but my people are going to look to me, locally, if something bad goes down. I won't be able to say "I'm waiting on a solution from headquarters". I'll need to get something going immediately.
But... I'm going to take your advice with me onto my next employ... which I can use. Thank you.