[dba-Tech] Win 10 virus protection

Gustav Brock gustav at cactus.dk
Wed Mar 16 03:04:56 CDT 2016


Hi Jim

My plan was to replace our Novell GroupWise with an in-house Exchange (part of the MAPS deal). One consideration was what to replace our spam filter, SpamBunker, with, since it had ceased further development.

However, just at that time Office 365 was introduced, and I moved our mail host to its Exchange Online with its included spam filter. Then I could set up our in-house Exchange server later.

Well, it never happened. Exchange Online works so well that I see no reason for setting up an Exchange server except for the fun and, believe me, I can think of tasks more fun than that. Also, a bit to my surprise, the spam filter is not just very effective but extremely effective, with about zero false positives and less than five bad mails not caught per year. One was received by me, and just for fun I extracted the zip, but Microsoft Defender ate the content.

For us, Office 365 has proven to be a zero-issue choice that delivers - and our five main users are covered by our MAPS deal. Highly recommended if you are not MS paranoid.

/gustav


-----Original Message-----
From: dba-Tech [mailto:dba-tech-bounces at databaseadvisors.com] On behalf of Jim Lawrence
Sent: 15 March 2016 20:52
To: Discussion of Hardware and Software issues <dba-tech at databaseadvisors.com>
Subject: Re: [dba-Tech] Win 10 virus protection

Hi John:

I will make some comments on how to do things and subtle changes in our approach, but as you said this group is techs, and we are not typical (if ever) users and therefore not prone to making dumb and simple errors.

That said, your overview is excellent. Below are my comments.

Mail is the most dangerous application on any network. Its port (80) is always open and virtually every bug comes into a PC or network via that address. Some clients are doing their mail via a virtual drive or container on their own PCs. Then there is the server solution where mail is isolated through Hyper-V and users just connect through a web interface. As Hyper-V is not really Windows, its OS is not as susceptible to the standard viruses. (Then of course there are Linux mail servers, which are only prone to a very few pieces of malware.) My ISP (Shaw) runs a copy of Zimbra, which is a web-based mail server that can scale up from a simple client system to a huge internet/network Exchange-like server (50 million clients or is it messages a day?)...unfortunately it is Linux based. One of the new trends is to host mail services through a cloud-based cluster of client mail boxes. The overall trend is to isolate client mail from any system, but these alternatives are either corporate based or still fledgling.

Backups are the next most critical point in any system. Cloud-based backups are great, but in a real catastrophic failure these data sources may become unavailable. To my way of thinking, the best backups are local, varied and continuous. Local: it is always faster and accessible. Varied: one, there are a host of synchronization applications out there...when a program or data is changed, a backup is kept of the changed information for a defined number of hours...(in the event of disaster, recovery can be time consuming). Two, a good multiple backup system; daily, with a good range of copies and a high level of password protection (a backup password that is only used for the backup and is encapsulated and automated). Three, off-site storage...there is no protection against a natural disaster. Four, a good file system design...one that makes client-side restore points...but getting clients to do this regularly is difficult. There is a trending FS called ZFS. For years it has been the domain of servers, but now it is becoming an option for all operating systems...even Windows 10. The whole of ZFS is designed to guarantee data integrity, with multiple layers of redundancy, auto-restore points, built-in encryption for files and directories, expandable across multiple desktops and servers.

Isolation is one of the best methods to keep malware segregated from the main network. Always isolate the mail system from the company's data. Some network guys keep their mail on a different subnet from the rest of the business. Aside: for one client, I had her mail hosted on a server accessed via an RDP client connection after the fourth time she managed to get her station compromised, and the problem disappeared.

My forte has been to protect a system before it can and does get compromised. You have a great understanding of how to protect a network or PC when it does get compromised. ;-)

Jim
 
----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Tuesday, March 15, 2016 9:41:56 AM
Subject: Re: [dba-Tech] Win 10 virus protection

Hi Tina,
Disclaimer: we're all very technical people on these lists so my discussion does reflect people that know what they're doing. ;-)

I haven't abandoned Vipre. After being sold/spun off for the third time in about half a dozen years, I expected there may have been some staff drainage at Vipre HQ. But yet, I've had no problems with it in my client base. But then I also don't rely on one program to secure my clients. (Layering is a must.) Vipre seems to be better than Bitdefender at blocking the annoying crapware add-ons like Conduit-based toolbars and such. But Bitdefender had a better solution for preventing ransomware, and that is currently the most damaging exploit there is and is only getting worse. All it takes is to click on one email attachment that starts the process and a disaster begins. But even where I am replacing Vipre on PCs, if they have a server Vipre will stay on it. That's two AMs scanning the same files.

For instance, I like to have Vipre and HitmanPro web alert. It seems to be very effective (either that or I have very smart clients) at blocking web-borne exploits. Also, CryptoPrevent is a good product for small businesses to aid in resisting ransomware (and there is a free version). It coexists nicely with the normal AM like Vipre or Bitdefender. And for clients that have gateways with malware scanning support, it is usually Kaspersky or Sophos AM scanners.

No AMs can stop the latest exploits immediately, there's a reaction curve.
The problem is the users. Specifically users being duped into doing something they shouldn't. That is the #1 cause of problems and it's hard to get people to stop clicking on attachments, advertisements, fake update pop-ups etc. So, we try to block all of that stuff. For every solution there is a reaction from the bad guys and the circle continues. I insist on popup blockers in browsers - currently I install AdBlockPlus on all browsers because it is the only free solution I know of that works easily, and supports IE, FF and Chrome. (Most of my client base still have to use IE for some websites.)

Also, mail filtering is SO important. Currently mail filters should remove any attachment with embedded JavaScript, as that is the latest attack vector of ransomware exploits. And it needs to strip the, by now, run-of-the-mill fake UPS or FedEx email with the infected attachments that have been duping people for decades.

But the biggest thing people need to have is disconnected backup. Sticking an external drive onto a PC, backing up to it every day and thinking that will save them has been outmoded since the inception of ransomware (encrypting exploits). Anything they can get to now, they encrypt, including external devices, mapped and unmapped network shares, DropBox/OneDrive/GoogleDrive/SugarSync synchronization folders (and hence their cloud counterparts). Disconnected backup includes the old rotational backups and/or true cloud backup solutions.

Prevention is much less expensive than reactionary remediation.

I still get a lot of PCs to clean up for people that aren't my RMS clients.
They come in with all sorts of "security" programs installed and mostly ignored. Hence my attitude towards "free" security solutions. They're only free until I have to get the PC ;-)


