Tuesday, June 3, 2008

Stop malwares using device control: A real life experience

If your one of those administrators who hardly try to keep their networks clean and prevent the next malware from infecting their systems, this is definitely for you…

Spending thousands of dollars on security solutions to protect the enterprise from the outside alone is an outdated concept. If you want to ask anyone works in the security arena? What are the main sources of malwares today? He’ll probably answer this: e-mail spam, websites, and removable drives. I’ve been dealing with anti-anything (malwares, viruses, worms, rootkits) since a long time, and I used to judge on the network security from the antivirus server logs and reports. Because these logs will give a lot of details, such as the name of virus, the path on your system, from where it came, etc. And most of the time, I see viruses detected inside the removable drive root folder. And thanks to Windows “Auto Play”, which is used to inspect the type of files and choose the suitable software to open them. With this, malwares are getting executed every time you plug your flash drive in your computer. So to start talking about this, many vendors today start to provide additional module to their software which controls local system devices based on a policy. For example, Symantec Endpoint Protection 11 is my choice today to protect endpoints. I can block every single device/interface in the machine. Such as USB dongles, Bluetooth, PCMCIA, wireless, ports, com, etc. I had one customer who was struggling to stop malwares, and depending on the installed AV alone was a losing game. So I checked the daily logs of the AV server, and I was surprised due to the high number of viruses which had been detected on users' USB dongles!.
I have to admit that this customer is more happier than before, because malware infections have decreased by 70% once we blocked all insecure devices.
A replacement for using USB dongles inside corporate network is using a secure file sharing server which has multi-antivirus scanner installed to check for infected dongles and heal them. Then the user copies/moves his files to/from this server without endangering the LAN. His company has accepted this and the life is still going with/without USB dongles :)