University IT Departments and Viruses?
"[It should be noted that] the Norton server allows you to view the entire directory structure of someone's machine and allows you to see the files it is scanning as if it were your own machine. We realize this was designed more for companies and businesses, but we have found that viruses have become a major problem and give us a huge headache when we try to support all the students connected to the university network.
My question is what do other university IT departments do in response to the increase in viruses over the past 2 years. I know there are a lot of university IT employees in the Slashdot community and I look forward to getting some feedback as to how they go about doing this without causing too many privacy problems. The way we are looking at it, and we are very privacy concerned and wouldn't do anything malicious with it, is that the students are using our network under our regulations and as long as we don't use the software to 'check up on' the contents of someone's hard drive (except obviously for viruses), then what we are doing is completely legit.
Any feedback would be greatly appreciated."
Boot from a bootable CDROM with the drives sealed inside the machine. Read-only media can never get infected. Or net boot all machines. Linux can do this. Then you disinfect machines (infected in RAM only) by rebooting them. With net booting you can patch your boot image with security fixes and then just reboot all machines to clean them. I know that Win 3.1/WFW can boot from read-only media too. Can 95/98/ME? Or NT?
Easiest thing in the world. Install vmware. Make one image of win9x. Shove it out to all your linux/vmware boxes. Configure it so that it doesn't save any writes.
You got virus?
Reboot. Virus gone. Also removes the problems of illegal software, drivers, etc etc.
In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.
What if a similar approach were taken with student (and faculty) systems?
Ooh yah, that's a GREAT idea.
University Official: "Well, sez 'ere you made a call to the Help Desk a few days after you got here."
Student: "Yah, I wanted to know where I could download a new BIOS for my machine, the USB controller was acting up."
University Official: (eyes narrow) "So you had a problem with your computer, eh? Well, you know, computer problems are caused by viruses, and if you had a problem it means you had a virus. And you're financially responsible for having viruses on your computer! University policy, you know. That'll be nine hundred dollars, please."
A guy goes to the doctor complaining of eye pain. "Doctor, it hurts when I stick my finger in my eye like this...Ouch!" The doc says "Ah hah! I see the problem. Don't stick your finger in your eye." "I'm cured!" says the patient. He heads home feeling much better. The very next day while sitting at his computer the patient, once again, (sigh) sticks his finger in his eye. "Ouch!" A guy goes to the doctor complaining of eye.....
I work with the mail systems for a major ISP, and 6 months ago I installed TrendMicro's VirusWall for our Business System. I have two Compaq DL360s running RedHat 6.2 scanning inbound and outbound emails for our largest customer, 20,000 mail accounts. And I must say it works great! Anna was stopped dead in its tracks, which is more than I can say for our Corporate servers, which they had to shut down. To date, I haven't had any problems and/or issues. And I don't have any maintenance concerns at all (stopping and starting services, checking memory, high loads, and the oh so critical updating of virus patterns, etc.). Trend has solutions for Web, FTP, and Sendmail. You might want to look into it. It's one system I'm happy to SA for.
If you are concerned about platform support, or the users turning off their software, scan before the data gets to their desktop.
I wouldn't recommend Norton for this though; Norton was designed for the desktop and their server products are "lacking" compared to competitors. The two I've had the best experience with are Trend Micro's Interscan Virus Wall or Aladdin's eSafe. My personal preference is for Aladdin's eSafe (as long as you don't tie it into Checkpoint's firewall ;-) if you do that use Trend).
From what I've seen Aladdin's product holds up best under high stress using the same hardware; they don't have to operate as a proxy like Trend. Both of these companies started at the gateway, so their desktop product generally sucks compared to Norton.
Trend's desktop is the usual anti-virus scanning program; Aladdin's is a personal firewall and content checking program (uses SurfCONTROL for the URL list).
If you have any questions about the two drop me a line at "wpierce at athenasecurity dot com".
Wayne
Each machine, be it Mac, NT, or Sun, on boot connects up either with an AFS server (NT/Sun) or AppleTalk server, and pulls a Makefile (the process is similar on the Macs). The Makefile is checked/run and files are replaced as need be. This includes McAfee Virus Shield patterns!!!
Frankly, the technically easiest solution is to use operating systems that are not susceptible to viruses. People who insist on using inferior systems may do so, but may not attach to the network. Good luck implementing this, though; the people who set policy are all on the take from Microsoft.
Our company filters emails on content and doesn't allow any HTML type messages that look like they contain scripting.
It's kind of annoying, though. I subscribe to a number of development email lists and a large portion of the content is whacked by the anti-virus software.
I basically have to get around it by using a different mail account like hotmail.com.
I would recommend that you pose this question on a security mailing list that sans.org runs specifically for University Systems Administrators. Send an email with "subscribe unisog" in the body (not the subject) to majordomo@sans.org to subscribe.
"Tell em, don't open mail from people you don't know"... have you actually looked at the majority of viruses that have come out over the past 3 years? Viruses these days are more likely to come from people you know, making this piece of advice laughable.
Since we installed it, we've had only one virus problem, and it was a sneaker-net transmitted one.
The wheel is turning but the hamster is dead.
Since everyone seems to be beating the dead horse of installing software on student boxes, I figured I'd interject some real-life experience with NAV Corporate.
Ah, good ol' NAV Corporate. I just rolled out a hundred-user license of that thing at my employer; only had three hiccups so far, which are solved by an update. Unfortunately two of those three have fscked up their systems so badly not only will the update fail but the old version won't uninstall. That's right Bill, keep blathering about .NET and features people don't need/want, never focus on fixing bugs that are already there.
One thing to remember is that the product isn't a modified version of Symantec's NAV codebase, it's really Intel's LANDesk virus protection software. Intel sold it a while back to Symantec, and they modified it and released it as their own. Sounds like a bastard child but with 7.5 it's pretty close to NAV in terms of problems/solutions. Registry keys are still listed as Intel LANDesk, heh.
Highs are the virus definitions coming to a central server and getting pushed out to secondary servers and all clients automatically, usually within minutes of the update being downloaded. AND without the user's ability to cancel the update.
Lows are program updates. First, LiveUpdate doesn't grab program updates, not on the central server, and not on the client boxes. This means you have to call Symantec for updates, which while free for one person does take time (sitting on hold for 1hr). Second, there doesn't appear to be a LiveUpdate-ish method for rolling out program updates. Granted you can use login scripts, etc. for rolling them out but that, to some extent, involves user interaction. When some users reboot several times each week in a vain attempt to avoid the weekly administrative scan ("But I want to use MY system!" It's not your system, it's the company's system, and if you didn't think a coworker loved you that mess a few months ago might've been avoided. Go have some more coffee, it only takes 15 minutes, if you left it alone it'd be DONE by now), even though reboots just start the process over, keeping them out of the picture is a good thing.
Client support is limited to 9x/NT/2000, with NT/2000/Netware support for servers. A Mac client is in the box with 7.5.1 but it won't talk to the central server so it's back the end-user conundrum of the software asking to run LiveUpdate and the user declining to run LiveUpdate ("I just ran that there update three weeks ago! I don't need none of them updates for a while!").
I wouldn't hold your breath for any un*x tie-ins. Then again, my experience with colleges has been that un*x has a small foothold outside of the CIS & technical arenas (at the very least I've met few fresh-from-college marketing/management/legal/etc majors with any lasting un*x experiences)
Moof!
Just remove Outlook from all the machines. That's what will happen soon at my university.
Not a 100% cure but it will eliminate most of the worms going around.
-- Ed Avis ed@membled.com
It's not possible to force people unless you compel them to install something like NAV and then lock it down with a scheduled run they are powerless to control. Barring that you should be concerned with blocking the propagation of the malware. Put in mailscanning and mailblocking gateways assuming you support the same mail systems they support. And then put ingress/egress filters on your switches and routers to prevent unknown crud from flowing through whatever ports it wants. Disable the obvious like tftp, r* commands, limit the use of X, limit the use of nfs, udp traffic generally and stamp out fake dns servers. But of course none of this is entirely possible either.
I'm not crazy about viruses spread via Outlook and the rest of MS office either, but between desktop antivirus software with forced updates and antivirus software on the mail servers and, heck, the school's net gateways would trap damn near everything. The little that makes it in via, say, encrypted e-mail on CompSci students' machines, wouldn't get too far as long as students and staff didn't tamper with their desktops' software.
As for "cross-platform", what's missing? The antivirus scanners on the net gateways would trap any worms targeting your Linux box, as long as you aren't receiving it via an encrypted protocol. Windows antivirus software--especially the server stuff--carries pattern files covering not just the zillions of Windows viruses and such, but also the far fewer Mac ones and the dozen or so Unix/Linux ones. And the two targeting PalmOS.
If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.
One of the most overhyped issues of IT today is virii. I have downloaded countless programs from the internet and only once had a virus install.
Until we installed a virus checker at my old workplace, we were inundated with macroviruses in Word documents - many of them from our clients (large, hopefully professional companies who shall remain nameless).
We were lucky. All these tended to corrupt were new documents we were writing. This person may not be so lucky.
Also, we all know that half of the students will be installing their own entertainment applications. It's not beyond reason to think that one may pick up a bug. Heck, if it's anything like my undergrad days, the students will already be storing pirated games in secret locations, possibly with the help of moles in the sysadmin office.
Word macro viruses would be my main worry, though. These are _endemic_ to all Windows environments I've run across that exchange documents with the outside world.
I'm assuming that your first priority is protecting machines administered by the university. Students' personal machines are probably beyond the coverage of university site licenses, and 90% or more of the students will either ignore administrative requests, or spend 5 minutes trying to figure out how to follow them and then give up.
For the Windows network, my best suggestion would be a combination of virus scanning and regular, automated reinstall.
Put virus scanners on all of the machines, as part of their standard installation. If it's Nav, tell it to check incoming file attachments and documents - this is very, very helpful (my old workplace had a problem with macro viruses). You can probably get away with telling it to scan only local drives.
Put another virus scanner on a machine with direct access to all directories on the fileserver. It'll do your sweep of the network drives. You can either create a special NT profile for it that gives it access to all drives, or (failing that) you can run it on the fileserver itself at 4am Sunday morning (not Monday morning, because students will pull all-nighters on Sunday to finish projects due on Monday - I've TAd courses where they regularly did this).
Next, set up the user machines with one of the third-party bootstraps that compares all system files to copies on the network server, removes anything that shouldn't be there, and fixes anything that's changed. This is the only way I know of to really bulletproof Windows, and as far as I can tell, it does work. The version installed on the PCs at my university also wiped the local drives and did a full reinstall weekly. Either tell the users to power off the PCs at the end of the day, or send an admin around to do it at the end of every week.
Needless to say, you should enable boot virus protection in the BIOS. While you're there, you should also force booting from the hard drive first and then password the BIOS, to prevent student shenanigans. This is standard practice at most shared PC installations I've seen.
Re. Macs, you're on your own. This is outside of my experience.
Re. Linux, *BSD, Solaris, etc, you probably don't have much to worry about to the first order. The vast majority of viruses run under Windows. Anything malignant in the user's files should be caught by the sweep of the fileserver. I don't really see what could go wrong in an environment like this, given that the user doesn't have root access.
To make *sure* the user doesn't have root access, set the machine to boot off of the hard drive first and lock down the BIOS, for any *nix-on-PC machines. If you're paranoid, set up a cron job to refresh the machine's configuration from a CVS server nightly or weekly, just in case something goes strange or is tampered with.
If you're really feeling paranoid about *nix terminals, make them all netboot off of the file server, with the local hard drive just being swap space. Keep a close eye on the server's configuration, and you should be fine.
In summary, with a bit of planning, you should be fine under most conditions. Virus-hardening merges naturally with hardening against bit-rot and active attacks by the users.
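The bootstrap the post above describes (compare system files to copies on the server, remove what should not be there, fix what changed) in its simplest form, as an added example that is not the post's or any vendor's code. A manifest of SHA-256 digests is taken from a golden copy of the install; the live tree is compared against it, and repair() deletes additions and re-copies changed or missing files from the golden tree. The file layout in demo() is constructed for the example:

```python
"""Baseline-and-repair for a shared lab PC's system tree.

Hash every file under the install root against a manifest taken from a
known-good copy, report additions, changes and deletions, then put the tree
back the way the golden image has it.  Added example, not the thread's or
any product's code; the directory layout in demo() is constructed.
"""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def compare(root, manifest):
    """Return (added, changed, missing) relative paths versus the manifest."""
    current = build_manifest(root)
    added = set(current) - set(manifest)
    missing = set(manifest) - set(current)
    changed = {p for p in set(current) & set(manifest) if current[p] != manifest[p]}
    return added, changed, missing


def repair(root, golden, manifest):
    """Delete files not in the manifest; refresh changed or missing ones from golden."""
    added, changed, missing = compare(root, manifest)
    for rel in added:
        os.remove(os.path.join(root, rel))
    for rel in changed | missing:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(golden, rel), dst)
    return added, changed, missing


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: golden image, a tampered live copy, then the repair."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = os.path.join(tmp, "golden")
        live = os.path.join(tmp, "live")
        files = {  # constructed stand-ins for a Win9x system tree
            "WINDOWS/SYSTEM.INI": b"[boot]\nshell=explorer.exe\n",
            "WINDOWS/SYSTEM/KERNEL32.DLL": b"MZ-golden-kernel",
            "WINDOWS/COMMAND/SCANDISK.EXE": b"MZ-golden-scandisk",
        }
        for rel, data in files.items():
            _write(golden, rel, data)
            _write(live, rel, data)
        manifest = build_manifest(golden)
        # Tampering: a worm hooks the shell line, drops itself, deletes a tool.
        _write(live, "WINDOWS/SYSTEM.INI", b"[boot]\nshell=explorer.exe worm.vbs\n")
        _write(live, "WINDOWS/worm.vbs", b"Set fso = CreateObject(...)")
        os.remove(os.path.join(live, "WINDOWS/COMMAND/SCANDISK.EXE"))
        before = compare(live, manifest)
        repair(live, golden, manifest)
        after = compare(live, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("added/changed/missing before repair:", before)
    print("added/changed/missing after repair: ", after)
```

Run nightly from a scheduled job against a read-only share holding the golden tree, this catches both tampering and bit-rot; the manifest must live on the server, not on the PC, or a worm can rewrite it along with the files.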
I work for a consultancy firm. We roll out e-mail virus scanners for our clients, as we saw that the _vast_ majority of viruses infect machines through e-mail. We use qmail + Jason Haar's qmail-scanner, which automatically updates its own datfiles through some scripts we've written. If you are going to do campus-wide scanning, don't forget e-mail (or rather, start with e-mail scanning).
http://ward.vandewege.net/blog/
This is true at VCU (Virginia Commonwealth University) as well -- basically a site license that can be used on any system, be it university or personal student/employee.
Unfortunately, you have to know it's there, which many people don't. And it has to be set up properly to auto-scan, and of course with IMAP the email scanning doesn't work...
Er... why are you asking Slashdot rather than some, er, University IT Departments?
Here at Oxford, things are very decentralised. We have a crack team at the Computing Services (and our own version of CERT, OxCERT) who put emergency blocks on incoming mail if an email virus is doing the rounds (e.g. Kournikova) and manage the firewall between us and JANET, where some well-known and dangerous ports are firewalled out.
However, although we may have a site license for something (Sophos, I think) no-one's forced to use it. People are responsible for their own machines.
Why not just have a policy: "if your machine gets trashed by a virus and you didn't have this installed, we won't help you fix it." but not make it compulsory?
Gerv
That's probably true; I've worked at much larger companies with Lotus Notes than with Exchange. Notes always seemed to scale better, too.
however, at least in the securities industry, everyone seems to have exchange these days. I think it has something to do with conservative IT shops that are full of MS-oriented managers, who all view Lotus Notes as some old fringe product that is dying out.
I personally prefer to use a combination of postfix and IMAP, but then again I don't make purchasing or deployment decisions about mail. and god forbid I not have a nice drag-n-drop solution for you to manage your contacts and your calendar!!!
Scanmail for Exchange or whatever else it is you people use for uni email (I, like the other 70-odd percent of corporate America, use MS Exchange, and it does its job relatively well.) If you use something else like basic sendmail/smtp stuff they have products for those as well.
Trend Micro's desktop scanning software, no client required; you can either have it scan fileshares (ala NT c$ etc) or have the end user do it from a web page that starts a little java app and scans.
There's other stuff out there but honestly speaking, trend micro's stuff is pretty nice. I had a few probs with scanmail to start but got it sorted and it's worked great (ILOVEYOU and other VBS email stuff dropped dead.) We used to use norton AV (corporate edition) but that is just a complete piece of crap. I dumped it entirely and moved to the (cheaper) trend micro stuff once I scored a demo copy.
In terms of handling multi-OS'es, and yadda yadda yadda... that's why students have to meet a code of conduct and follow the rules. make one of those be that they have to comply with virus updates or scanning, or not have network access to the uni's network. Or, if you don't feel like being so heavy handed, you could offer supported AV platforms for different architectures and then support installing and updating them- say, emailing SARC updates instead of pushing them down, or whatever. I suppose that would depend on how fascist you want to be- I personally would lock down all computers that the uni owns, but personal machines would just have to meet the criteria that is set out in the usage policy (properly updated AV software that, if you want, we'll help you to install and keep updated.)
Anyhow, you need to take some hard steps at first to keep it in check, and then that makes it easier later.... good luck!
what happens on student's personal machines any of the University's business?
Also, how is it a risk? What kind of viruses are you afraid of here, exactly?
I put together the Mac part of Miami U's network client CD, and both the Mac and PC distributions feature NAI's anti-virus software installers. We sell this CD at the university bookstore and distribute it for free to all on-campus residents. The installers and documentation highly recommend installing anti-virus software, but it is not technically or policy-wise mandatory. The NAI workstation software may be configured to periodically download newer versions of itself, but it does not report back any findings to a central server.
I'm also serving on Miami's committee to review responses to a university-wide email server RFP. Server-based anti-virus software was listed in our RFP as a strong preference. Most vendors included with their proposals referrals to third party anti-virus filters that could be shimmed into their email solutions.
I have also recommended that we investigate a virus filter for our Internet borders, and I think my suggestion was taken seriously. The biggest speedbump down that road, I imagine, is going to be funding. Border filters are not cheap.
Finally, I can say that our Support Desk has had an explosion in virus-related calls over the last few years. I believe I heard one of the SD managers say that viruses are now their biggest source of calls.
I too work at a University (if you read my e-mail address you can guess which one). We use Norton Antivirus as much as possible. We use Ghost and Assimilator on all new machines for Faculty and Staff, including Norton Antivirus. For the Students we produce a software CD every year, cross platform with Stuffit Installer Maker and Install Shield. It includes a variety of software, mostly Internet focused, including Norton Antivirus. We offer an obvious link to download the installer off of our ITS web page. But when it comes to automatic updates, we decided against it. It isn't our responsibility to protect users from their own mistakes. We can only show them the path, but they must walk it. We do what we can, including making sure that Norton will alert users when definitions are out of date, preconfiguring it to monitor opened files, and to run periodic full scans. We warn users via e-mail every time we see an outbreak of a new virus. We even try to filter some things (like kournikova) at the server level. We also provide complete and total support for those who have been afflicted with a virus. We provide network space and instructions so people can avoid floppy disks. We clean our own computers daily, to restrict the spread in public areas. We have a full service centralized Help Desk just for students (one of the top 5 amongst universities) . But we can't tell users how they can or can't use their computers. Generally speaking, we find it works. Most people desire to receive a virus about as much as you or I do, i.e., not at all. They do their part, provided they know how. So we focus on educating the users, providing the tools, and showing the way. We're confident that when our students go out into the corporate world they'll be able to update their own virus definitions, rather than blindly assuming that their corporate IS department will hold their hands and coddle them and make it so they never have to know anything by doing all the work for them. 
Users aren't that dumb, they just need to be shown the way.
I was going to flame you and say that there are enough legitimate reasons to send around exe's in a University environment that your suggestion would be intrusive. But, upon further consideration, anybody who was sending an executable for a legitimate reason is probably l337 enough to zip it anyway :)
Good idea. A few problems (NB: I'm not slagging the whole thing, just picking a few nits)
First, I wouldn't put it past the average university to blame students even if the latest update of the officially prescribed anti-viral software is installed and properly running.
Second, damage deposits are usually the property of the person who makes the deposit. So is the interest.
Despite the obvious signing of waivers, other students could claim that the university is responsible for their computers' safety should various protections be required.
Faculty will never agree to anything that may endanger their funding. No way, no how. University IT dept's are the faculties' collective 'beeyatch'.
Scan my ports, I DoS you. Deal with it. (I don't, but someone would.)
A few things to answer, but not a bad idea.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
I imagine that the University would take care of the Red Hat machines in much the way they would take care of the Mac OS machines: Not on My Network!
most viruses today are propagated via e-mail... there are plugins that will allow you to scan mail for viruses -- such as Virus Wall; that's what my organization uses, and it stops virtually 98% of the viruses that come in, the other 2% are picked up by McAfee VirusScan.
I'd suggest you look into implementing some solution like that prior to imposing your anti-virus policies on the university as a whole. Oh, and furthermore, what about folks who aren't using Windows on your network? What do they have to do?
-C
"This above all, to thine own self be true"
and we are using norton antivirus corporate edition on all of the university-owned computers (we don't have the live-update/management server up and running yet, but we will have one in a month or so). we haven't had any virus problems on the WinNT machines here since we started putting corporate edition on a year ago, and we have the software set to liveupdate itself every friday night at 8:00pm (and then run a scan of the entire computer 30 minutes later). the nice thing about corporate edition is that there is 'realtime filesystem protection' running all of the time, so any file-related activity that goes on is scanned (eg: copying/moving/downloading/opening files). this applies to the computers in our student-access labs as well. as for the student machines, does your site-license extend to their computers? if not, then they are obviously on their own; if it does, then i would prepare instructions on installing the corporate edition in an unmanaged state (not centrally managed, no remote filesystem access: no privacy issues), and include instructions on either how to run liveupdate themselves, or to set liveupdate to run once a week automatically. an advantage for the students of installing an unmanaged corporate edition client and setting the liveupdate to run weekly is that there are no subscription issues, like there are with the retail version of nav (so when they move off-campus, they still have a virus-scanner that works, and is updatable without them having to pay for subscriptions). good luck!
wally
Rubbish, absolute rubbish. The problem is people *EXECUTING* unknown scripts or executables. Sending data files backwards and forwards is fine.
dave
For university networks, the biggest problem are obviously pesky email viruses. The best solution I've seen is to have the university mail servers filter out all executable or .vbs email attachments.
Norton antivirus is a perk, but I don't think it should be required on everyone's system. (For obvious reasons.)
-Gwizdak.
It's trivial to filter for viruses embedded in other formats. All you have to do is process the message in stages. That's what I'm doing right now with a tool that scans NNTP feeds for "hijack" scripts. The walking dead might be using %nn encoding of HTML within uuencoded blocks, but my software peels the layers of the onion and still pulls out their "
As for the inconvenience and extra work, that is not what happens in practice. A standard notice that an attached executable (or HTML containing scripts or whatever) has been deleted suffices. Alternately, some products put the attachments into a "holding area" which requires explicit actions to retrieve, but I don't think they're actually used that much in practice.
I have a very hard time imagining even one user in 1000 preferring to lose internet connectivity once a month or so, as the University struggles with a viral infection, to being forced to use FTP or a different encoding to receive that rare legitimate executable image.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
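The staged stripping the post above describes, and the earlier suggestion to have the university mail servers drop executable or .vbs attachments, as an added example that is not code from this thread or from any of the products named in it. Each MIME leaf is judged in stages: by filename (last extension only, so a double extension like photo.jpg.vbs still counts), then by content (the MZ header of a Windows executable whatever type the header claims, script or object tags in HTML), then one layer down into zip archives, reading only member names and two header bytes so a zip bomb costs nothing. Flagged parts are replaced with a notice rather than bouncing the whole message. The extension list, the notice wording and the sample message are assumptions:

```python
"""Stage-wise attachment filter for a mail gateway.

Each MIME leaf is judged by filename, then by content, then (for zip
archives) one layer down, so 'photo.jpg.vbs', a PE file labelled image/gif
and a setup.exe inside drivers.zip are all caught.  Flagged parts are
replaced with a plain-text notice.  Added example, not code from the thread
or any product; the extension list, notice wording and sample message are
assumptions.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the Windows shell runs on double-click (assumed list; extend it).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "reg", "shs"}
ACTIVE_HTML_RE = re.compile(rb"<\s*(script|object|embed)\b", re.IGNORECASE)


def risky_name(filename):
    """True when the *last* extension is executable, so 'photo.jpg.vbs' counts."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTS


def inspect_part(part):
    """Return why a non-multipart part is dangerous, or None if it looks clean."""
    name = part.get_filename()
    label = name or "<unnamed part>"
    payload = part.get_payload(decode=True) or b""
    if risky_name(name):
        return f"attachment {label!r} has an executable extension"
    if payload.startswith(b"MZ"):  # DOS/PE header, whatever the declared type says
        return f"attachment {label!r} is a Windows executable by content"
    if part.get_content_type() == "text/html" and ACTIVE_HTML_RE.search(payload):
        return "HTML part contains active content"
    if payload.startswith(b"PK"):  # zip archive: peel one layer
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if risky_name(member):
                        return f"archive {label!r} contains executable {member!r}"
                    with zf.open(member) as fh:  # two bytes only: a zip bomb costs nothing
                        if fh.read(2) == b"MZ":
                            return f"archive {label!r} contains Windows executable {member!r}"
        except (zipfile.BadZipFile, RuntimeError):  # malformed or password-protected
            return f"attachment {label!r} is labelled as an archive but cannot be inspected"
    return None


def filter_message(raw):
    """Parse raw bytes, replace every dangerous leaf with a notice, return (msg, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = inspect_part(part)
        if reason:
            reasons.append(reason)
            part.clear_content()  # drops the payload and every Content-* header
            part.set_content(f"[gateway notice] removed: {reason}\n")
    return msg, reasons


def build_sample():
    """Constructed test message: HTML body with script plus three disguised executables."""
    msg = EmailMessage()
    msg["From"] = "alice@uni.example"
    msg["To"] = "bob@uni.example"
    msg["Subject"] = "Here you have"
    msg.set_content("<html><body>Hi!<script>run()</script></body></html>", subtype="html")
    msg.add_attachment(b"WScript.Echo 1", maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"MZ\x90\x00not-really-a-gif", maintype="image", subtype="gif",
                       filename="cute.gif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ\x90\x00fake")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="drivers.zip")
    return msg.as_bytes()


SAMPLE_RAW = build_sample()

if __name__ == "__main__":
    cleaned, why = filter_message(SAMPLE_RAW)
    for line in why:
        print("blocked:", line)
    print(cleaned.as_string())
```

Running it lists the four blocked parts; feeding the cleaned message back through the filter flags nothing, which is the property a gateway needs so that its own notices are never stripped on the next hop.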
Let's see...
1) Viruses can consume significant network resources as they propagate from machine to machine. Since students will usually have professors and other students high in their address book, you'll have combinatorial explosion. Alice infects Bob. Bob infects Carl. Carl tries to infect Alice. Carl infects Diane. Diane tries to infect Alice.
2) Viruses often contain DDoS code. The university, being responsible netizens, will block the forged IP packets... but a large number of infected systems can still generate enough traffic to take down its network.
3) Viruses often contain code to implement packet sniffing. Universities are notorious for old coo... esteemed professors who don't understand that security issues affect them as well. An infected system may allow access to systems essential to ongoing research.
None of this should be viewed as a concession that the university has the right to inspect the student's computer "at will." It does, however, have a legitimate interest in taking reasonable efforts to ensure that these systems remain uninfected.
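The fan-out in point 1 is also what makes an outbreak visible at the mail relay before any pattern file knows the worm. As an added example, not code from this thread, here is a detector that replays a delivery log and flags any sender whose distinct-recipient count inside a short window is beyond what a person types, returning the burst's shared subject line so an emergency block of the kind mentioned elsewhere in the thread can be put in. The log format, the thresholds and the sample log are constructed for the example:

```python
"""Outbreak detector for a campus mail relay.

Replays a delivery log and flags senders whose distinct-recipient fan-out
inside a short window looks like a mass-mailing worm rather than a person,
reporting the subject line the burst shares.  Added example, not code from
the thread; log format, thresholds and the sample log are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-delivery format (assumed, not any MTA's real log).
LINE_RE = re.compile(r'^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)"$')


def parse_line(line):
    """(timestamp, sender, recipient, subject) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, rcpt, subject = m.groups()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject


def find_mass_mailers(lines, window=timedelta(minutes=5), min_recipients=20):
    """Return {sender: {"recipients": n, "subject": s, "first": ts}} for each burst."""
    events = sorted(filter(None, map(parse_line, lines)))
    recent = defaultdict(deque)  # sender -> sliding window of (ts, rcpt, subject)
    flagged = {}
    for ts, sender, rcpt, subject in events:
        q = recent[sender]
        q.append((ts, rcpt, subject))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r, _ in q}
        if len(distinct) >= min_recipients and sender not in flagged:
            top_subject, _ = Counter(s for _, _, s in q).most_common(1)[0]
            flagged[sender] = {"recipients": len(distinct),
                               "subject": top_subject, "first": q[0][0]}
    return flagged


def build_sample_log():
    """Constructed log: Alice mails normally; Carl is infected at 10:00 and the
    worm mails his whole address book; Bob opens it four minutes later."""
    lines = []
    base = datetime(2001, 5, 3, 9, 0)
    for i in range(3):  # three ordinary mails over an hour
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f'{ts} from=<alice@uni.example> to=<prof{i}@uni.example> '
                     f'subject="Re: assignment {i}"')
    worm = "Here you have, ;o)"
    start = datetime(2001, 5, 3, 10, 0)
    for i in range(30):  # 30 recipients in 90 seconds
        ts = (start + timedelta(seconds=3 * i)).isoformat()
        lines.append(f'{ts} from=<carl@uni.example> to=<user{i}@uni.example> subject="{worm}"')
    start = datetime(2001, 5, 3, 10, 4)
    for i in range(25):
        ts = (start + timedelta(seconds=4 * i)).isoformat()
        lines.append(f'{ts} from=<bob@uni.example> to=<user{i + 100}@uni.example> '
                     f'subject="{worm}"')
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for sender, info in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{sender}: {info['recipients']} recipients since {info['first']}, "
              f"subject {info['subject']!r}")
```

The threshold is the tuning knob: a lecturer mailing a 200-student class from a desktop client will trip it too, so whitelist known list expanders rather than raising the number until worms slip under it.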
If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network."... It's not your network, and you have no "rights" with regard to it."
In the US, there's this little thing known as the ECPA. You *do* have rights, some hefty ones, online. The only reason employers can monitor employees' (work) email is because it's legally addressed to the company but delivered to the person who is acting on behalf of the company. That argument might work with university employees, but not students.
To answer the obvious question, the ECPA allows filtering for technical reasons, if it's something that can be done without exposing the content of the mail to any person. The classic example is rejecting mail that's larger than some acceptable limit, or in an unsupported format. Automatically identifying and stripping blocks of executable code would seem to fall in the same category. Forwarding messages containing "prohibited words" to a human censor is not.
(IANAL, but this has been the law for many years.)
Back in '87 when I was in school, one of the other guys in the department was finding viruses that he turned in to companies like Norton for $50 each. He "found" quite a number of them since he knew how to code in assembly. Now that anti-virus software has made it so big, there are a number of small players trying to get in the game and some of them are still paying for unknown virii.
So get out that book on assembly and start cracking. There's money to be made all in the name of paranoia.
At the university I work at, we use Command AntiVirus for the entire campus. We chose this over Norton's offering mostly for cost reasons (It has basically the same level of protection, but is pretty cheap). We have a site/blanket license where any computer on campus can have the software installed. It was very easy to configure the software to automatically download virus definition updates from our local Linux box rather than from Command, and automate the server to download the updates from Command every week (Our outgoing pipe isn't fat enough to support five thousand software updates every day). We started doing this about two years ago when we got an unexpected rash of Chernobyl infections and spent a week replacing motherboards, and we haven't had any problems at all with the setup.
Build your own hardware (incompatible with existing architectures), write your own operating system (do *not* conform to any standard), write your own language (keep it totally incompatible with C, Perl, etc.) and write your own apps with that. And write that in a bloated and complicated manner. Strip all comments. And if you want to write man pages, write them in your own language, don't use english.
That way, if you ever have a virus on your campus, you can be sure that *YOU* wrote it.
Use optical fiber, not ethernet. Because virii live in the dark.
The organisation I work for solved this very simply. The majority of "viruses" we see these days are in fact worms that exploit faults in people's email software. The way we solved this was to BAN Microsoft Outlook (or Outlook Express), and its variations. By switching to Netscape as the SOA mail handler we ensured that all attachments that were sent provided all of their information (rather than disguising themselves as something else), and that they were not auto executed.
I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross-platform support, and certain privacy issues as well.
Why is it the job of the University to ensure student machines are virus free? I completely understand using something like this for Department machines, Computer Labs, etc, but a machine in a dorm room is not the property of the school and should not be treated as such. Viruses are part of the computer experience and students should take charge themselves.
MAILDIR=/var/spool/mail
LOGFILE=/var/log/procmail
##vbs
# Match the body (B flag) for an attachment whose filename ends in .vbs;
# the dot is escaped so a plain "vbs" inside another name does not match.
:0B
* filename=.*\.vbs
junk
I have been using this for months. I don't even worry about these new vbs files. This recipe forwards all vbs files to junk@yourserver
Hope this saves you some time.
Mike.
--Ask a silly person, get a silly answer.
In addition, here are some options that show up on a scan of the FreeBSD ports system.
Although I understand the problem you are facing, I think you're trying to do too much. You'd be farther ahead to double the efforts on the University servers, and let the students look after themselves.
After all, it is the student's decision to plug into the network, and the student's decision to double click the stupid attachments. Let them pay the consequences.
The IT department of a University should be responsible for at MOST the connectivity of student machines, not the integrity.
That said, try filtering mail for the common stupid attachments, and beef up the security provisions on any university boxen.
-Ben
Say what you mean, mean what you say! But please know what #$@% you are talking about!
Uh, isn't port-scanning illegal?
"We started doing this about two years ago when we got an unexpected rash of Chernobyl infections and spent a week replacing motherboards".
:-)
Jeeze... and you wonder why it costs what it does to get an education today. Might as well throw the baby out with that dirty bathwater
Down here we just burn new bios, insert and we're done.
TrendMicro has a product that is an email gateway as well as an http proxy type thing and an ftp proxy type thing. These could help you keep the students from getting any viruses by making all students go through these gateways.
Actually the school I attend does this on windows 9x machines fairly well. They use norton ghost, which can make a disk image from one computer, and then the program can "ghost" all (or selected) computers on the network, which basically just loads the disk image onto them. It's a pretty effective solution.
Seeing as how most colleges now mandate that all incoming freshmen must have a computer, the most sensible thing to do would be to mandate a computer security principles course in the first semester. Topics covered should include viruses and how they spread, E-mail hoaxes, physical security and protecting university assets, and miscellaneous other. It would have helped a lot even back when I was in college and the big security breach was the VM Christmas Card program.
You shouldn't stop with education either. Plan on having your lab systems hit because they will be, and have a good backup policy in place. Set them up so you can just ghost or DD a hard drive image off the network. Have your E-Mail servers eat attachments that come from outside campus. Have your servers run in an environment of paranoia. Keep logs on a write-only file system (An old line printer is often enough.) Make security a policy rather than an end-goal and your systems will remain secure enough while also remaining usable.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Another vital part of Safe Hex is education. Now I know this is a controversial subject among a lot of people (They should learn to do it on their own! They deserve to get a virus if they're doing immoral things like downloading warez or live goat porn!) but if you actually EDUCATE people about what's safe and what's not, you'll see a massive drop in the number of HTDs (Hexadecimally Transmitted Diseases) on your campus.
I don't know how you have it set up, but at the datacenter I work at, NAV gets installed automatically on all new machines. Norton has to be the worst enterprise virus protection scheme out there. Many a day a machine will crap out and we go up to it to see Norton running a scan in the middle of the day, even though it was told to do it at night. Oh, and then there was the time Norton updated itself and happened to install a DLL file that wasn't compatible with NT's virtual DOS machine. Wanna talk fun? Imagine 550 machines ground to a halt with a never ending array of "16 bit subsystem" error windows. I seriously researched other solutions; from what I've seen these days, most companies are pretty hurt for sales and we get to try all the newest stuff for free. Maybe you can set up NAV to work right; we couldn't. Like I said, shop around. Don't get screwed like we did.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
It can be tricky getting your userbase all running the same thing. Even in a corporate environment like mine, where we have policies in place that we make people sign saying "we reserve the right to fire you if you uninstall your AV" it still happens.
The approach I'd suggest is:
* Identify the way virii are getting in and concentrate efforts there. These days, that means the e-mail servers.
* Identify storage areas and say "what you put on here, my people will protect. We'll back it up and scan it for virii. If your dissertation is valuable, put a copy of it here."
* Make AV software available to users either free or at low cost. Promo campaigns to explain why it is a good idea.
* And finally, since it's Slashdot: deprecate Windows OS's, and promote Linux, FreeBSD, MacOS et al. because no-one bothers to write viruses for non-wintel yet. (I know, I know, there are some. But I see 12 entries for Linux in McAfee's AV library, out of 50,000)
~~~~~ BigLig2? You mean there's another one of me?
Kaspersky antivirus (http://www.avp.ru) has unix versions. I'm running one under BSDI 4.0.1 and it works ok, catching everything so far. It works with sendmail, so viruses do not even go into mailbox and cron job fetches daily updates.
Now I wish I was permitted to remove all floppy drives across the company...
Latin is a language, as dead as it can be.
First it killed the Romans, and now it's killing me.
I am a student at Penn State and I work for Rescom which is a group of tech-interested students who others can come to (free) if they have computer trouble. Viruses are by far the most common thing that we have to deal with. In the interest of privacy the University does not filter emails or attachments, so there's a danger that students will get viruses, but whenever we remove a virus we tell students to get a virus scanner and to keep it updated. It seems like people listen when a human being tells them to get virus protection instead of just a web page. Of course no matter what we say not everyone will get scanners, and if there is a new virus it still takes a little while before the scanner-makers will release an update. We actually wrote one virus fix ourselves for Romeo and Juliet because it happened to hit Penn State very hard and we couldn't wait for anyone else to come up with a fix. Do any other schools out there offer free tech support like this? It seems to work pretty well for us.
Here at the University of Texas at Austin - Red McCombs School of Business we use InoculatIT. It is a great program. Everything is automated. We set up a server to pull the updated information from the web and then set the clients to look for that server. We use Active Directory to push the client out to the client computers and to make sure that the lab machines and all notebooks keep it installed. The personal machines can uninstall the software if they choose.
We have been very happy with the performance of this software. If you have any questions about it please email me at Benton.Wink@Bus.UTexas.edu .------ This has been provided as a public service! ------
What I do, is keep norton on all my (windows)machines -- it has a pop3 mail scanner (that always ends up fucking up, but its better then getting a virus).
Second, Perform weekly scans of machines and nightly scans of home directories ( through a smb share ).
Third, Procmail is your friend. I'll admit I haven't done it yet, but (when I get a free moment) I plan to write a procmail script to delete vbs attachments (*.vbs) and rename exes etc. to *.e_xe in users' mail ... there's no reason on earth anyone needs to send anyone a vbs attachment -- and by renaming all executables, people must explicitly choose to rename the file to be able to run it.
Lastly, you must educate your users ... Tell 'em, don't open mail from people you don't know, don't run EXEs you didn't compile or I didn't install :) There's some idiots who think they know stuff who will never follow your directions, but mostly, people will.
These steps will keep you from getting 99.9% of viruses ... now you have to figure out how to keep your users from installing that f***ing comet cursor :)
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
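The attachment handling proposed in the procmail recipe and in the "Third" step above (drop .vbs, rename .exe to .e_xe so the recipient must deliberately rename it back), as an added Python example that is not code from any post in this thread; the message, addresses and file names are constructed, and the extension lists are assumptions:

```python
"""Defang executable attachments in a MIME message (added example, not from the thread)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy, following the thread: scripts are dropped outright,
# executables are kept but renamed so they will not run by double-click.
DROP_EXTENSIONS = (".vbs", ".js")
RENAME_EXTENSIONS = (".exe",)


def defanged_name(filename):
    """Turn 'setup.exe' into 'setup.e_xe' (underscore after the first letter of the extension)."""
    stem, _, ext = filename.rpartition(".")
    return f"{stem}.{ext[0]}_{ext[1:]}"


def defang_message(raw):
    """Return (cleaned_raw, dropped_names, renamed_pairs) for a raw RFC 822 message.

    Every multipart container is rebuilt without the dropped parts; renamed
    parts are re-created as fresh attachments carrying the new filename.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    dropped, renamed = [], []
    # Collect containers first so we are not mutating a list that walk() is iterating.
    containers = [p for p in msg.walk() if p.is_multipart()]
    for container in containers:
        kept = []
        for sub in container.get_payload():
            name = sub.get_filename()
            lower = (name or "").lower()
            if lower.endswith(DROP_EXTENSIONS):
                dropped.append(name)
                continue  # part is simply not carried over
            if lower.endswith(RENAME_EXTENSIONS):
                new_name = defanged_name(name)
                replacement = EmailMessage()
                replacement.set_content(
                    sub.get_payload(decode=True),
                    maintype=sub.get_content_maintype(),
                    subtype=sub.get_content_subtype(),
                    filename=new_name,
                )
                renamed.append((name, new_name))
                kept.append(replacement)
                continue
            kept.append(sub)
        container.set_payload(kept)
    return msg.as_string(), dropped, renamed


def attachment_names(raw):
    """List the filenames of all parts that carry one, in message order."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: a body plus three attachments of different kinds."""
    msg = EmailMessage()
    msg["From"] = "student@example.edu"      # constructed address
    msg["To"] = "helpdesk@example.edu"       # constructed address
    msg["Subject"] = "here is that file"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b'MsgBox "hi"', maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER.TXT.vbs")
    msg.add_attachment("lecture notes", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    cleaned, dropped, renamed = defang_message(build_sample())
    print("dropped:", dropped)
    print("renamed:", renamed)
    print("remaining attachments:", attachment_names(cleaned))
```

The double extension on the constructed .vbs name is caught because only the final extension is examined, which is what a user's file-type display would hide.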
This sounds like an ideal place to do what everyone here likes to complain about: Support Windows, and only Windows.
In other words, draw up a list of software (Windows 2000, Office 2000, Norton Antivirus, etc.) which constitutes the "standard university computer"; if you're running a "standard university computer", you'll get (limited) support with it. If you install something like Linux, FreeBSD, or Mach-running-under-VMware-under-OpenBSD, *you are assumed to be able to take care of yourself*.
Tarsnap: Online backups for the truly paranoid
I can't agree with the viewpoint that using the University network gives legitimate rights to access the students' hard drives. I don't think for a moment that you mean to use the access maliciously, but there are places that one doesn't go in order to avoid even the appearance of impropriety. To try the usual argument by analogy: the students go to class all day in University-owned buildings under University regulation. That does not give rights to the University to inspect the contents of every (or any!) student's wallet as they traverse the campus, however non-malicious the intent of the search.
True, but they already have the AOL virus on their computer. Seriously, any program that messes with network settings, etc. is a virus in my opinion.
Ceci n'est pas une sig.
At the school I attend, we simply site-license Norton Corporate Edition for all the students, and let them take care of themselves. The University tries to keep students abreast of what viruses are currently going around, but in general, we have to fend for ourselves. I think the best policy is to set up some system for University-owned machines, probably with Norton or some other virus protection software, and then site-license Norton for the students. If they don't want to download it, it's their problem. But the protection is there if they want it. That way the University is certainly helping the students protect themselves, but also isn't taking on the headache of trying to actually protect the students.
"Is it a miracle that curiosity survives formal education." - Albert Einstein
I think it's a great idea to install Norton Antivirus. If I were at that University, I would gladly install it on my arcade-mode Windows 95 boot. (But then again, I don't trust anything personal to Windblowz.)
But don't force anyone to install the software, or disallow alternate operating systems. I would sooner take my computer back home and use good old pencil and paper than be forced to use Windblows.
Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
Vintage computer games and RPG books available. Email me if you're interested.
The only thing worse than having no virus protection is having inadequate virus protection that gives users a false sense of security. Besides, if there's no updates, traffic will be minimal. :-)
I'd say every week at a minimum. Find out when your provider puts out their 'scheduled' releases (Trend, for example, is every Tuesday, IIRC) and do it then.
I have downloaded countless programs from the internet...who are these people that run untrusted executables?
Either you download all those programs from the internet and never run them or you are one of those people that run untrusted executables
You can't even necessarily trust "trusted" programs. Weren't you paying attention when MS posted virus infected files or when HP distributed infected drivers?
You nah, me nah. Screw you guys, I'm going home.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I'm a first year undergrad EE at UCLA. I can tell you that here, a vast majority of the students use Windows, but among those, there is a fairly even spread among the various flavors. I thought that this mass searching for infected files only worked on NT based machines. Maybe not?
I had an interesting time setting up the two boxes that are currently running in my dorm. One is Win2k, and the other is Redhat 7.1. There's a very specific set of instructions here about which set of protocols and settings to use to connect a Windows machine to the campus network. For Linux, no help is offered. It's as if the people in the Student Technology Center who run the network don't want students using Linux. It turned out to be easier to set up the Redhat box for network use, though! They seem to boot me off the network every few days, though, just for running apache with a couple of text files.
If the university's computer system is at risk because some student administrated computers have viruses, then the university's computer system is too vulnerable, and should be fixed.
I am not a lawyer, and I know the Constitution isn't 100% in force these days, so the above is likely wrong.
Just because it CAN be done, doesn't mean it should!
In a cross-platform world about the only thing you can do to limit exposure is to provide students with a good non-Outlook mail client. That'll eliminate a lot of virus exposure. In terms of the software, the University of Michigan has licenses for McAfee on PC and Mac. The strategy they use with students and staff is education and encouragement. I dunno how well this works tho. Ironically, staff gets bitten by Outlook propagated viruses more than the students do because the student accounts rely on pine over telnet for email access.
Geez. Most college students pay for tuition, books, housing, liquor, etc. and now more money should be slapped on if they have a computer? Methinks many students would forgo the whole expense of a computer and instead spend the money on booze. At least getting caught with liquor is cheaper than having a virus under this plan.
Everytime you look at porn a devil gets their horns.
Do this:
1. Make the software voluntary; people love free stuff.
2. Disclose to them your problem with the software.
3. MASSIVE PR move about viruses: notes on all of IS's web pages, E-mail newsletter, print information.
4. Antivirus software on all college computers as standard, but allow it to be removed.
5. Set in place a system to contact computer users if a virus strikes the network, i.e. E-mail alert or notice on a big webpage.
6. MASSIVE PR move to change the default settings in IE to make it stop VBS files.
7. And finally, keep everyone updated; knowledge is not only power but motivation. If they know what's going on, people can get involved.
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
I was browsing the replies for this post! I'm surprised it is posted so late.
McAfee (and most other REAL virus scanners) are cross-platform, silent and automatically updatable.
At my work I've installed McAfee on the (Linux) virus scanner in combination with Amavis (http:/www.amavis.org I thought) that intercepts all infected mail messages and updates itself automatically (via cron of course) every month.
(-% TwistedMind %-)
Actually not :-)
I didn't want to waste internet bandwidth for virus paranoia.
I was thinking about the university's computers for students in the university. Students shouldn't install programs themselves there.
It's possible to install programs/plugins under a user account with Unix, and with Windows 2000 that's somehow possible too.
Of course for the computers that students own themselves on the campus, it doesn't matter what they do.
Why not use this fabulous program against itself! Distribute VBS files that automagically update your NAV / McAfee for you ;). This is the perfect defense against virii. The only people who will actually run these are the people who will be affected by VBS virii anyways, so you are curing them in a round about way.
Instead, explain to the students that they are responsible for files downloaded from their computer. When a virus is found, post the name of the computer and the infected files and impose a penalty (loss of network connection) for the offender. That's the only thing you as a University have the right to do; these aren't your machines you're talking about. If I were in a dorm situation and the local BOFH handed me a cdrom and said, "Here, install this," I'd be just a tiny bit leery. From the student's point of view, who's to say that the AV kit won't also contain a nice suite of spyware progs?
Okay, you can call me paranoid now.
There's no way I'd install software that would let those people have access to my directory structure, even if it is supposed to keep me virus free. I consider it an invasion of privacy, not to mention the fact that most of the university tech support I've encountered is one step up from a coma patient on the intelligence scale. I spent 4 years at university and never had a virus infect my machine... although I did have to help loads of people after that damn Chernobyl virus kicked in at exam time, but that's what they get for not making backups.
I'd say your best bet is a preventative program focused on the mail server itself (scanning for certain file attachment extensions, blocking mass-mailings, etc.) along with a quick user-education program to let people know that they shouldn't run certain attachments (.js and .vbs especially).
As long as the little script-kiddies can get away with writing these stupid little viruses there's just going to be more and more of them. I'm praying for a magic bullet that will prevent them from being forwarded in the first place.
It can be a bitch weeding them out.
The same network drive was the source of all our outbreaks. That being one that all students and faculty had access to. Clean it, and someone brings the copy they had on a floppy disk somewhere.
I don't suppose my teaching everyone who lost a paper to a bad floppy how to use FTP really helped.
Which I am sure is just how Norton and McAffee like it.
Keep awareness high by having lots of people scanning for viruses out there, and keep a great big reservoir in which they can survive to keep popping up again on the drives of people who care.
They could coast for YEARS even if no one ever wrote another virus.
Deep Freeze. It's a great program. It used to be that our lab machines lasted about a week before being totally trashed. I haven't had a single machine trashed with this installed. What it does is reset any changes made to the system when you hit reset, unless a password had been entered on boot. This also has the advantage of guarding against viruses, and it's rather transparent too. www.deepfreezecanada.com or www.deepfreezeusa.com or www.winselect.com.
I've been after the sysadmin dept. for a while for them simply to block all attachments ending in .exe and .vbs (probably a few others which need to be filtered as well). This would prevent a majority of the nasty viruses which break out and spread quickly, like Melissa.
They won't do it, ostensibly because people legitimately need to send .exe's to each other?!? My argument is that even with Norton scanning for viruses on the server, we've had two major outbreaks where Norton did not catch it.
My advice: kill all executable attachments before they're delivered. While this really only helps with an OS that relies on file-name extensions (i.e. Windows), that's where the majority of virii are. Use a commercial virus scanner as a back-up to filter out other virii, e.g. Word macro viruses and the like.
Be ot or bot ne ot, taht is the nestquoi.
They aren't restricting speech, they are restricting the mechanism of speech. So if I can't use a bullhorn in your neighborhood at 2 AM, I can sue you because you are restricting my speech?
You can still say it on Usenet or /. or Geocities ...
Gaudeamus igatur, iuvenes dum sumus...
Unless there is a pun that eludes me, I think the correct text is "Gaudeamus igitur...".
Ok I'll bite.
Ok, in RedHat linuxconf edits all your config files and changes your settings; however, it's SuSEconfig that really screws with things. Luckily you can turn that off. Now, vi being a text editor, it's hard to argue that you can inadvertently change your settings with it unless you don't know how to set up the config file you're editing. Btw, any damage you do with ifconfig can, regardless of your unix knowledge, be fixed with an uptime-killing reboot, assuming it was working in the first place.
--- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
Yeah I'm sick of those programs that keep messing with my settings. Like linuxconf, ifconfig, ipchains, netconfig and vi. Does anyone have a virus scanner that can get rid of these damnable programs?
Enigma
Due to a fear of virii and 'hackers' (and the fact that this was a "trained-monkey" MS admin), there was to be no remote ftp access to the server - not even for professors! Basically, I had to build the Db and front end, then burn it onto a CD and walk it across campus to the Biology building, and hand it to the admin.
Of course, there were some small bugs to be squashed. At least he let me email him the fixes.
I'd rather have someone respond than be modded up.
A number of years ago I bought my first PC due to the college's lack of virus protection causing loss of data. Since then I have gone on to work in the corporate world in the IT field. We had mandatory scans of each system and VShield installed on the PCs. That alone wasn't enough. As the nature of viri evolved so did our efforts. We use the latest McAfee to protect the PCs at user level, NetShield to scan the servers, virus protection for the Exchange and Notes servers to scan all email, and VirusWall, which is a firewall with a dedicated virus scanning purpose (Trend Micro). 2 points to make... 1) anyone who plugs into the network is subject to that network's policies, for each other's protection. 2) It takes more than one approach to secure an enterprise network from attack.
I am one of the IT administrators in a university.
I should say that preventing a virus attack on any computer in the university will be almost impossible. The only good thing is to prevent an outbreak of the virus.
We should look at sources of viruses before we can prevent them. Most common viruses come from downloaded files, e-mail, and sharing through disks.
Currently, we are also using Norton Antivirus for the workstations with Autoprotect enabled (so everything will be scanned as they are run.) Honestly, it is a good program but comes with a hefty price (since we have lots and lots of computers.)
We also limit the amount of access to the workstations. All workstations are installed with Windows 2000 Professional and we use the profiles system to prevent people from installing most files and crashing the system. All of the files of an account (settings, my documents, etc.) are stored centrally in our file servers. We can disable an account and prevent further infection if a virus has been reported.
We are in the process of phasing out/restricting the use of floppy drives to prevent outside virus from infecting a computer.
For the e-mail service, we discourage the use of Outlook (we try to disable the POP3 and IMAP services) and use a web based e-mail system (Exchange 2000). At least in the event of a real outbreak, we can immediately shut down the mail services and prevent people from accessing attachments. We also plan on installing antivirus software together with the e-mail server.
We are equipping our proxy servers (ISA) to be installed with antivirus software. This allows realtime scanning of downloaded files from the Internet if they happen to download any.
Lastly, one method is really education of the users. Since we are an educational institution, we try to educate people in the proper use of computers to prevent attacks, viruses, and common problems. Since we also have our own TV/Radio station, it will be much easier for us to give announcements.
Remember, we are serving 30,000 students and around 2,000 in faculty and staff. The number of computers currently being upgraded is around 200. We have around 1500+ more to go.
Sorry to those Linux people, we are using Microsoft products here. But it helps us a lot especially with 30,000 users. Believe me, there are plans to give alumni accounts for life. The features of Microsoft products are very useful and clustering is very very effective.
Hope this helps you.
johnlaw
:-)
Live your life each day as if it was your last.
Part of your message, software being able to ruin hardware got to me. I was thinking about the easiest hardware to screw up in a machine, and the DVD drive came to mind - changing the region. Anyone heard of a virus that changes your region to something useless, like 6 or 7, repeatedly, until it locks? How many people would be whining about DVDs not playing?
The thing is that in these situations, the IT staff are required to support the machines, whether they spill coke on the keyboard, bake it in an oven, or accidentally get subseven on it, the staff is required to fix it. At good, more advanced colleges using the network is mandatory, not a choice. And what if your professor accidentally sends you a Word macro virus? If you are required to use Outlook by the university and email for class, that isn't your fault and you shouldn't have to fix it.
Not all colleges abide by the standards of technical schools so it does no good to try to bury your head in the sand, instead students should be given help with the technology the school makes them use.
Better a cholo than bad company.
I didn't mean that they don't get billed for it, but that it is the responsibility of some schools to provide that level of support. They write the EULAs themselves. I used to work at a university that did offer that much coverage, and if you were faculty or staff you didn't have to pay if you did stupid crap like that. Ultimately the students pick up the bill for everything so it's not a big deal really. The IBM EZ-Serv would get paid for fixing the laptop, the helpdesk and tech staff would get paid, and the student could be irresponsible as long as mommy and daddy's money paid for them. Everyone was happy.
Working for a DoD university, I can tell you that even if you are in charge of all the computers on the network (all software, hardware, and internet usage is monitored), viri are still a problem if your users are complete idiots. We have weekly and in some cases daily virus updates, and yet many users don't use the updates on our site licence. While our being on MS Outlook does not help matters, it never helps when people just blindly open attachments with no knowledge of what is in them.
Your best bet is to inform your users of known viri alerts on your webpage, especially your webmail if you have one. Eliminate things such as everyone@yourdomain.edu which are a common way of spreading viri. If you are running Exchange server, block attachments at the server that look like viri and cite the user with an immediate virus warning. And especially for central mission critical servers use IPSec to its full extent. An authenticated user is a user that you have accountability for. No reason to mess up the university's essential equipment because of a dumb user.
In short, you can't prevent user stupidity but you can be ready to deal with it.
Thanks for the thoughtful reply!
First, I wouldn't put it past the average university to blame students even if the latest update of the officially prescribed anti-viral software is installed and properly running.
I would not deny the possibility, but I would hope for better at some universities. Still, I have faith that enough of an uproar would result from such an attempt that the pendulum of reason would swing back towards a more accurate assessment of each "event" and its consequences.
Second, damage deposits are usually the property of the person who makes the deposit. So is the interest.
IANAL, and I'd bet that such rules vary between different jurisdictions, i.e. YMMV. Still, I seem to recall that the last time I rented an apartment, I did receive a FIXED rate of interest on my security deposit, and that rate was a couple percent less than the generally available rate for a deposit at my local bank. So, if the university could get, say, 5% (and I admit that is generous) on top of what they paid out to students, then on a $400 deposit for 9 months would give $400 x .05 x 9/12 = $15 per student per class year.
Hmmm, so if the university does not look then they are not responsible? That would be an interesting wrinkle -- much like the culpability for an AOL: if they monitor chat rooms then there is an expectation that ALL transgressions must be caught.
That leads to the question of what liability does the university have when a student's infected computer infects another? Again, IANAL.
Faculty will never agree to anything that may endanger their funding. No way, no how.
Yes, I expected as much, but it would be a nice symbolic act on the part of the faculty to show their intention to protect the university's assets -- that no one is "above the law". Can you imagine the outcry if student PCs were infected because a prof posted a class syllabus on a class web page, the document happened to have been infected by a Microsoft Word virus, and the prof would not have to face the same consequences that a student would were the roles reversed!
Scan my ports, I DoS you. Deal with it. (I don't, but someone would.)
Hmmmm, I sense an escalation brewing: "you DoS a university machine -- you get suspended. Deal with it." "Oh Yeah? Well, I'll just DDoS YOU with some systems around the world -- let's see you deal with THAT." Not pleasant, agreed.
So the question remains, how to lock down neophytes' installs of, say, RedHat with many wide-open ports? As the original article proposed, the university was willing to get a Norton Anti-Virus site license -- what of similar value and protection would they offer for other popular OSs?
A few things to answer, but not a bad idea.
I took a stab at your questions; thanks for your constructive feedback!
Back in the day when I was in college (mainframes and dumb terminals), it was required for each student to fund a breakage account. The funds in the account would be refunded to the student upon graduation (transfer, leaving, etc.) MINUS any damages caused by the students (holes in the dorm room walls, broken windows, etc.) In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.
What if a similar approach were taken with student (and faculty) systems? (The following is off the top of my head and likely has some holes in it, but I would hope it would provide a starting point; add or adjust as you see fit.)
Ultimately, nothing is bulletproof, but make the protection readily and easily available, and impose penalties (sticks) on those who choose to not make use of them and provide benefits (carrots) for those who DO use the protection. Some viruses may get through, but the ones you DO catch are that much less to worry about.
Okay, now I'm going to step back and let the /.'ers blow holes in this. :)
We don't care what people do with their own computers, unless they are directly connected to our network. In which case, they're required to have updated AV software installed. All our workstations are running Norton AV, as well as our servers. This catches anything coming in via disk, email, or file transfer. If they have an infected disk then BINGO, their home system is infected and they need to clean it up. We haven't had a single incident of network infection, yet. Just keep the viruses from getting in. There shouldn't be that many openings you need to watch. Oh, and if you're using Outlook, you might as well quit now...
NC State has a site license for the Norton Antivirus, as well.
I think making a copy of one of the better anti-virus programs freely available is about as far as a school should and could go.
As someone else pointed out, you can't make it a requirement because there are a fair number of non-Windows machines out there. And it's a darn sight better than nothing. At the end of the day, you'll never be perfect, because there are too many idiots with computers (reminds me of idiots with cars, in that respect). But just doing a site license of Norton or McAfee will get you 90% protected with about 75% of the student body, which is about the best you can hope for.
Xentax
You shouldn't verb words.
A valid point.
However, compared to the likes of Microsoft, you have to admit that the virus companies stay at the top of their game, quality and response-wise. Of course, since they might be liable for being anything less (it's a lot easier to see a gross negligence charge against the Virus protection than against the OS or the Office Suite, as bass-ackwards as it seems), they have to stay on top of the threat.
Xentax
You shouldn't verb words.
Virus scanners are nice, but they aren't a solution by themselves. Security is a process, not a state of mind or any single product.
Why not also advise and instruct the students to use a 'personal firewall' like Zone Alarm? The advantages to using a firewall is that the firewall can be set on HIGH and not allow access to rogue trojans.
I like using Zone Alarm on my personal machine at work because I don't want anyone else to be able to read my hard drive hierarchy or test the latest NT/W2K vulnerability on my machine.
Encourage protection by multiple means, not just by a single edict.
They required it at my college... in fact they wouldn't connect your port until you delivered your PC to the help desk and they installed NetWare and Norton. They finally, in my last semester, decided to try and let people install their own stuff but you had to buy a cd that auto installed everything, including a version of Norton Corporate with LiveUpdate locked with a key. So now I'm off campus with this copy of Norton I bought and I can't use LiveUpdate. But you still had to sign something saying you had installed it.
Because it's located on _their_ network. Some of these 'viruses' can be used to launch DoS attacks and such.
It's nice to see the school do this as a "perk" for us, and to help everyone stop the spread of viruses.
antivirus.vt.edu
Both are exit 118...
I'm not terribly up on my av solutions, but considering that 95+ percent of what's on a college student's machine is either a) from a trusted binary (os and 'productivity suite' binaries don't need virus scans) or b) downloaded unencrypted through the u.'s network, wouldn't you think there would be a server-side solution that scans any files being downloaded through it, and which the university could install on a large server (cluster) essentially right before the raw-net connection hits the university network? It's not as good as client-side solutions, esp. with college students compiling downloaded source these days, but it's a helluvalot better than nothing, no? Or am I way off-base?
~
How does this "individual responsibility" strategy translate to keeping the hotseat computers in the student lab free from viruses? Once one user infects a computer, it can be the infection vector for god knows how many other users, and there's no way to track it back to the original user, or recover the files that the virus damages.
If you can do something about the problem--and you can, easily, by just buying some antivirus software--you must. Individual responsibility is hardly a solution in this situation. Sadly, with the state of modern (US) society, individual responsibility is hardly a solution for anything anymore.
The only certainty is entropy.
Considering that most school communications now rely on email and other electronic means, I think our department is doing an outstanding job. We have a help center too. A good friend of mine says the largest portion of issues they get is how to use MS productivity tools, although I'd bet they got quite a bit of calls when the IRC server (which USED to be connected to DALnet) got DDoS'd. If you really want to get people to fight virii, forcing them won't help. Just put out some Press Release type emails about how you want to help, and write up some guidelines, instructions on how to forward mail, etc. Rather than force people to use Norton and "sanctioned hardware", maybe get a site license and encourage people to download it. If your server allows it, write a tutorial on how to filter email, especially things that have .vbs or .exe attachments. Instead of telling people what not to do, help them do things on their own.
I Browse at +4 Flamebait
Open Source Sysadmin
It is quite obvious that most viruses these days are transmitted by people opening e-mail attachments. These people are morons. Obviously if there is someone you don't know and they want you to download something, it's not good!
I personally think we should take the attachments out of e-mail. I never use e-mail attachments. I have it set not to accept e-mails that have attachments in them. If I want to transfer files I use Hotline, FTP, ICQ, or something that is made for file transfer. E-mail attachments are good for sending jpgs, gifs, and office type documents. Why send jpgs and gifs? Either you're a perv, or you want to send pictures of your family to relatives. Why send office documents? You are a company. ICQ/AIM are better for sending these types of files anyway. E-mail attachments are obsolete and should be deprecated.
And if anyone says they have to attach code to their e-mail, how come you aren't using CVS? We really don't need e-mail attachments these days. They cause more trouble than good. Let's get rid of them.
The GeekNights podcast is going strong. Listen!
Why are you hard pressed on making students run virus scanners? Most viri only hurt the local machine, and the rest can be solved with a good firewall and e-mail filtering.
;)
But you do not have a right to force students to use any anti virus products, and you also do not have a right to grant/deny network access on the basis of usage of such products.
It's good to want your network to have high uptimes, but, frankly, most network failures are due to failed routers. Also in many University networks there are frequent cable problems. When I was at OSU, it was every other day an intra-campus cable had failed. Now that they're using fiber, it's probably more severe. But seriously, viruses only cause harm in mass, and although an e-mail virus can quickly spread to every person in the school (and their parents, grandparents, etc.) via Outlook, if you have e-mail filters the above said is no problem.
You should by all means encourage students to run virus scanners, because most support requests are local problems. As to the capabilities of the scanners, most do little more than perform filename searches and occasionally search a bit of the file. Today's up-start global virus is usually polymorphic, embedding itself in rundll.exe or systray or constantly chuking itself up.
However, for catching things like Sub7, these scanners do work well. That being said, I have never used a commercial virus scanning product and have never had a virus. The only reason commercial virus products are so popular for their limited (null?) functionality is because of hype much associated with blaming something YOU did on an invisible gremlin 'virus' that 'must' be screwing things up.
But for the reckless who fancy accepting file transfers from haxor3llt in IRC, those who frequent warez sites, and those who infect themselves with sub7, they should by all means be forced to use any University-controlled virus software. Unfortunately, I've just described virtually all college students, so it fits perfectly.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
9 out of 10 computer virii writers recommend Norton Antivirus
Amavis works great for email filtering, and can be configured to use a lot of antivirus (yes, there are unix versions of almost all antivirii software. File server anyone?)
Make It Secret . Free JavaScript implementation of AES for your browser
I can't imagine a more skewed way of looking at things. Stifling creativity is not letting a child sing or draw, not telling someone they can't write code that could bring a system to its knees.
The Server Admin in charge of the POP3 Boxen refuses to put any email protection in, because he states that 'it's the user's responsibility,' however, the exchange server (*cough*) has an Anti-virus software running.
It's really interesting, because all of the staff use Exchange, whilst the students have to use POP3 for their email...unless you fetch them and have your SMTP software kill all mime-types (gets rid of a lot of them!)
----
Ian
ONU's Finest Computer Sciences Geek
I disable sigs...do you?
In the main computer labs, each computer is ghosted (using norton ghost) at startup. This ensures that every machine is the same every time and other people's info is never accessible (computer gets restarted at logout). This solution is adequate but it takes a while to load.
In the Information Technology Labs (FIT), the computers are loaded with Windows NT. The computers are configured in such a way that the only directory available for writing is c:\temp, which gets wiped on log out.
The computers come with all the software required, and if the user wishes they can install programs temporarily.
Each person in the FIT gets a computer account assigned on the main server (about 6megs). There they can store anything they want. This is also accessible from outside. The account is also NT shared to S drive.
The other side of the solution is the software. Netscape is used over IE (no arguing, it is plain from the statistics which is more secure). Mail is only available from a web based service. Previously Eudora was used. Obviously Outlook Express is very insecure compared to other mail programs.
Computers not belonging to the university are the students' own responsibility.
We have never had a problem with viruses and such. I'm not sure what the academics use or on server side protection, but it looks like we have good security. Robert
Given that I have worked for a university that faced this very same issue, I know that this kind of power will lead to abuses. The problem this type of policy causes is that it results in an erosion of trust by faculty, students and staff and the actions they take in response to that loss. I have found most people get upset when they actually learn what is happening. Just wait until a dean or an already upset student finds out they are being watched and it actually processes in their minds. Even file names give away private information. If you have not seen it happen yet, then chances are they have not figured it out yet. One big lawsuit and you will have a whole new problem. Furthermore, I know for a fact that Norton's responses to its server can be faked; many people where I used to work did not want the very abusive IT staff to see anything on their hard drives. They started downloading various hacks for just this purpose, not to mention several trojans. You may be creating a greater nightmare by having people willingly installing gateways for hackers. The university was in fact hacked this way when someone in the IT center let a keyboard monitoring trojan infect their computer that sent the root password for our servers to them. I left that job because these types of issues began to erode everyone's happiness. Do not go down that road. I would suggest that you mandate that in order to connect to the university's system, students must prove that they have a recent anti-virus program or that they use the university's system with a privacy warning. Since all modern anti-virus programs by default offer an Auto-Update feature, that should help your problem. As for faculty and staff, I have found that telling them exactly what is happening, why it is necessary and doing it on the weekend worked fine. They took off anything they did not want looked at and the IT department got to do their scans.
Also, I found that asking them to bring me their license for anything special and personal they wanted installed worked well. This allowed them greater flexibility, gave me proof of their ownership and more assurance it was legit software. Remember, trust is a lot more valuable than hardware or software, and a good back-up policy protects information.
Granted, I know that I'm posting a little bit later than usual on this topic, but I felt that the need existed for Mister Jefferson's Academical Institution to be mentioned. http://www.itc.virginia.edu
True, there is an exit, 118, that lets one off there at one of the medical research centers from I-64, but that is not the subject to discuss today.
The University of Virginia used to have Dr. Solomon loaded onto all computers that were in computer labs as well as PCs that students ordered through the bookstore. This practice ended three years ago when all lab computers were loaded with Norton Antivirus, ordered computers still came with Dr. Solomon.
This past year, the IT&C (more commonly known as ITC) purchased a site license for the University to have the Enterprise edition of Norton. All computers in labs and PCs that were bought through the school run this stuff and I definitely will say that the number of virus reports this year is down. The only catch of course is that a lot of lazy students don't give a rip about security and so there are still viruses around. The typical way of handling this is a traceroute where the IP address is blocked. Most students haven't a clue why their ethernet connection isn't working and call up ITC and ask and then are told to install the Norton software and it's all good. Nonetheless, UVA is definitely big on security this year. I suggest giving them a looksie.
I am but mad north-north-west: when the wind is southerly I know a hawk from a handsaw.
- filter email stuff on the server
- have a site license for norton av.
this works adequately, especially given our extremely hands-off approach to computing (e.g. our IT dept practically laughed at the riaa when they sent a non-threatening threat to the univ. president about napster). but why don't we support linux (i'm a tech support guy)? simple. there are just too many variations. some users (i.e. most of the ones who call) require you to tell them step by step where to point and click. how are we to do this when there are a thousand different windowmanagers out there? you may say that these users won't have customized their computers to that extent, but which distribution's standard setup is the one we support? and what about users who have, where do we draw the line? despite what a lot of us would like to believe, it's just not simple enough yet, and generally speaking if you're using linux you need to be able to know how to fix it at some basic level. i heard that over at princeton they're trying their hands at supporting just redhat... sounds like a good starting point but we'll see how that works out.
Unfortunately, in the past year they have stopped issuing new releases of it, but there are still going to be virus signature updates available. If you can get an older copy, you can get a great, risk-free full-featured antivirus program (pretty much on par with Norton Antivirus).
If you're running Exchange and have Norton AV for Exchange, you could try stripping common virus attachments (read: *.vbs) from any messages on the server. If you want help or guidance on how to do this, just let me know: richard@drunkencomputing.com
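Several posts in this thread describe the same server-side control from different angles: Amavis as a mail filter front-end, a tutorial on filtering mail with .vbs or .exe attachments, and stripping *.vbs from messages on the Exchange server. The following is an added example, not code from any poster or from Amavis or Norton, showing the core of such a filter in plain Python using only the standard library's `email` package. It parses a raw RFC 5322 message, walks every MIME part (including nested multiparts), removes any part whose filename ends in a blocked extension (checking the last suffix so a double extension like `invoice.pdf.vbs` is caught regardless of case), and appends a short text part telling the recipient what was removed. The blocked-extension list and the sample message are constructed for illustration; a real deployment would take its list from site policy and hook this into the MTA rather than calling it on a bytes string.

```python
"""Strip executable attachments from a MIME message (added example, not from the thread)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions blocked by this illustrative policy; an assumption, not any product's default.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".cmd", ".js"}


def is_blocked_name(filename):
    """True if the attachment's name ends in a blocked extension.

    Only the final suffix is checked, so 'photo.jpg.vbs' is blocked and
    'readme.vbs.txt' is not; comparison is case-insensitive.
    """
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def strip_blocked_attachments(raw_message: bytes):
    """Parse a raw message; return (sanitized_message, list_of_removed_filenames)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    removed = []

    def prune(part):
        # Recurse into multiparts so attachments inside multipart/alternative or
        # multipart/related containers are filtered too, not just top-level ones.
        if not part.is_multipart():
            return
        kept = []
        for sub in part.get_payload():
            name = sub.get_filename()
            if is_blocked_name(name):
                removed.append(name)
            else:
                prune(sub)
                kept.append(sub)
        part.set_payload(kept)

    prune(msg)
    if removed and msg.is_multipart():
        # Leave a visible note so the recipient knows the message was altered.
        note = EmailMessage()
        note.set_content(
            "The following attachments were removed by the mail filter: "
            + ", ".join(removed)
            + "\n"
        )
        msg.attach(note)
    return msg, removed


def remaining_attachment_names(msg):
    """Filenames of every part that still carries a filename after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed sample: a text body, one harmless and two blocked attachments."""
    m = EmailMessage()
    m["From"] = "student@example.edu"        # constructed address
    m["To"] = "helpdesk@example.edu"         # constructed address
    m["Subject"] = "check this out"
    m.set_content("Hi, see attached.\n")
    m.add_attachment("just some notes\n", filename="notes.txt")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="setup.exe")
    m.add_attachment(b"WScript.Echo 1", maintype="application",
                     subtype="octet-stream", filename="invoice.PDF.vbs")
    return m.as_bytes()


if __name__ == "__main__":
    clean, dropped = strip_blocked_attachments(build_sample_message())
    print("removed:", dropped)
    print("kept:", remaining_attachment_names(clean))
    print(clean.as_bytes().decode()[:400])
```

The filter deliberately decides on the filename only, which is what the posts above propose; it is cheap and catches the mass-mailer worms of the day, but it is a policy filter, not a scanner, so a renamed executable or a macro inside a .doc passes through. That is the gap a signature-based engine such as the Amavis-fronted scanners mentioned above is meant to close, and the two belong in series rather than as alternatives.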
As a computing advisor for my building my freshman year of college (in charge of about 150 users and their computers) i had to deal with a fair share of viruses. I hold that the best method for any University is just to have educated staff to deal with virus issues for the students, but overall, leave it up to the students to maintain their computers. We had a site license for NAV, and many people were able to use it 95% effectively, which is good enough when most of them are arts & crafts (er... arts and sciences) majors.
I personally don't even run Antivirus software, except for installing it on occasion just to make sure i haven't goofed and gotten a virus. I control my computer and i don't get viruses. And i run windows, with outlook, scripting enabled and everything. I'm just not an idiot.
So remember. Don't blame the software. Anytime a virus is introduced, it's ultimately ALWAYS the user's fault.