Slashdot Mirror


University IT Departments and Viruses?

buggedByViruses asks: "I work for a University IT department, which I would prefer to keep anonymous. We are in the process of making a major decision in dealing with the onset of a large amount of viruses which may or may not have the possibility of causing a lot of damage to students' and university machines. The only solution we came up with is to get the students to download and install the university site licensed copy of Norton Anti-Virus managed by a Norton server which allows us to automatically keep the students' machines updated properly with the latest virus definitions and be able to perform a mass scanning for viruses if we felt the need." I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross platform support, and certain privacy issues as well. Norton Anti-Virus is all fine and good in a business environment where homogeny is expected, but is this expectation true of many college networks?

"[It should be noted that] the Norton server allows you to view the entire directory structure of someone's machine and allows you to see the files it is scanning as if it were your own machine. We realize this was designed more for companies and businesses, but we have found that viruses have become a major problem and give us a huge headache when we try to support all the students connected to the university network.

My question is what do other university IT departments do in response to the increase in viruses over the past 2 years. I know there are a lot of university IT employees in the Slashdot community and I look forward to getting some feedback as to how they go about doing this without causing too many privacy problems. The way we are looking at it, and we are very privacy concerned and wouldn't do anything malicious with it, is that the students are using our network under our regulations and as long as we don't use the software to 'check up on' the contents of someone's hard drive (except obviously for viruses), then what we are doing is completely legit.

Any feedback would be greatly appreciated."

15 of 150 comments

  1. Anti Virus Solution by Anonymous Coward · · Score: 5

    I work with the mail systems for a major ISP, and 6 months ago I installed TrendMicro's VirusWall for our Business System. I have two Compaq DL 360's running RedHat 6.2 scanning inbound and outbound emails for our largest customer, 20,000 mail accounts. And I must say it works great! Anna was stopped dead in its tracks -- which is more than I can say for our Corporate servers, which they had to shut down. To date, I haven't had any problems and/or issues. And I don't have any maintenance concerns at all (stopping and starting services, checking memory, high loads, and the oh so critical updating of virus patterns, etc.). Trend has solutions for Web, FTP, and Sendmail. You might want to look into it. It's one system I'm happy to SA for.

  2. Outlook! by Ed+Avis · · Score: 3

    Just remove Outlook from all the machines. That's what will happen soon at my university.

    Not a 100% cure but it will eliminate most of the worms going around.

    --
    -- Ed Avis ed@membled.com
    1. Re:Outlook! by Antipop · · Score: 3

      But.. but... but... Daddy Bill says it's part of the operating system!

      -antipop

  3. Oh, please by hatless · · Score: 3

    I'm not crazy about viruses spread via Outlook and the rest of MS Office either, but between desktop antivirus software with forced updates and antivirus software on the mail servers and, heck, the school's net gateways would trap damn near everything. The little that makes it in via, say, encrypted e-mail on CompSci students' machines, wouldn't get too far as long as students and staff didn't tamper with their desktops' software.

    As for "cross-platform", what's missing? The antivirus scanners on the net gateways would trap any worms targeting your Linux box, as long as you aren't receiving it via an encrypted protocol. Windows antivirus software--especially the server stuff--carries pattern files covering not just the zillions of Windows viruses and such, but also the far fewer Mac ones and the dozen or so Unix/Linux ones. And the two targeting PalmOS.

    If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.

  4. Re:Who are these people that run viruses? by Christopher+Thomas · · Score: 3

    One of the most overhyped issues of IT today is virii. I have downloaded countless programs from the internet and only once had a virus install.

    Until we installed a virus checker at my old workplace, we were inundated with macroviruses in Word documents - many of them from our clients (large, hopefully professional companies who shall remain nameless).

    We were lucky. All these tended to corrupt were new documents we were writing. This person may not be so lucky.

    Also, we all know that half of the students will be installing their own entertainment applications. It's not beyond reason to think that one may pick up a bug. Heck, if it's anything like my undergrad days, the students will already be storing pirated games in secret locations, possibly with the help of moles in the sysadmin office.

    Word macro viruses would be my main worry, though. These are _endemic_ to all Windows environments I've run across that exchange documents with the outside world.

  5. Methods I've seen. by Christopher+Thomas · · Score: 4

    I'm assuming that your first priority is protecting machines administered by the university. Students' personal machines are probably beyond the coverage of university site licenses, and 90% or more of the students will either ignore administrative requests, or spend 5 minutes trying to figure out how to follow them and then give up.

    For the Windows network, my best suggestion would be a combination of virus scanning and regular, automated reinstall.

    Put virus scanners on all of the machines, as part of their standard installation. If it's Nav, tell it to check incoming file attachments and documents - this is very, very helpful (my old workplace had a problem with macro viruses). You can probably get away with telling it to scan only local drives.

    Put another virus scanner on a machine with direct access to all directories on the fileserver. It'll do your sweep of the network drives. You can either create a special NT profile for it that gives it access to all drives, or (failing that) you can run it on the fileserver itself at 4am Sunday morning (not Monday morning, because students will pull all-nighters on Sunday to finish projects due on Monday - I've TAd courses where they regularly did this).

    Next, set up the user machines with one of the third-party bootstraps that compares all system files to copies on the network server, removes anything that shouldn't be there, and fixes anything that's changed. This is the only way I know of to really bulletproof Windows, and as far as I can tell, it does work. The version installed on the PCs at my university also wiped the local drives and did a full reinstall weekly. Either tell the users to power off the PCs at the end of the day, or send an admin around to do it at the end of every week.

    Needless to say, you should enable boot virus protection in the BIOS. While you're there, you should also force booting from the hard drive first and then password the BIOS, to prevent student shenanigans. This is standard practice at most shared PC installations I've seen.

    Re. Macs, you're on your own. This is outside of my experience.

    Re. Linux, *BSD, Solaris, etc, you probably don't have much to worry about to the first order. The vast majority of viruses run under Windows. Anything malignant in the user's files should be caught by the sweep of the fileserver. I don't really see what could go wrong in an environment like this, given that the user doesn't have root access.

    To make *sure* the user doesn't have root access, set the machine to boot off of the hard drive first and lock down the BIOS, for any *nix-on-PC machines. If you're paranoid, set up a cron job to refresh the machine's configuration from a CVS server nightly or weekly, just in case something goes strange or is tampered with.

    If you're really feeling paranoid about *nix terminals, make them all netboot off of the file server, with the local hard drive just being swap space. Keep a close eye on the server's configuration, and you should be fine.

    In summary, with a bit of planning, you should be fine under most conditions. Virus-hardening merges naturally with hardening against bit-rot and active attacks by the users.
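The compare-and-repair step that comment 5 describes for lab machines (check local system files against a reference copy, remove what should not be there, fix what changed), as an added example that is not part of the original thread and not the third-party product the commenter used. The directory layout and file names are constructed, and only regular files are compared.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link cannot pull in files outside the tree.
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def plan_repair(reference_root, local_root):
    """Compare the local tree with the reference copy and return a repair plan."""
    ref = digest_tree(reference_root)
    local = digest_tree(local_root)
    return {
        "remove": sorted(set(local) - set(ref)),           # not in the reference
        "restore": sorted(p for p in ref if p not in local),  # deleted locally
        "replace": sorted(p for p in ref if p in local and local[p] != ref[p]),
    }

def apply_repair(reference_root, local_root, plan):
    """Bring the local tree back to the reference state according to the plan."""
    reference_root, local_root = Path(reference_root), Path(local_root)
    for rel in plan["remove"]:
        (local_root / rel).unlink()
    for rel in plan["restore"] + plan["replace"]:
        target = local_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(reference_root / rel, target)

def demo():
    """Constructed sample: a reference image and a tampered local copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, local = Path(tmp, "reference"), Path(tmp, "local")
        for root in (ref, local):
            (root / "system").mkdir(parents=True)
            (root / "system" / "shell.cfg").write_text("shell=default\n")
            (root / "system" / "hosts").write_text("127.0.0.1 localhost\n")
        (local / "system" / "shell.cfg").write_text("shell=altered\n")      # changed
        (local / "system" / "hosts").unlink()                               # deleted
        (local / "system" / "dropped.bin").write_bytes(b"\x00constructed")  # extra
        before = plan_repair(ref, local)
        apply_repair(ref, local, before)
        return before, plan_repair(ref, local)

if __name__ == "__main__":
    before, after = demo()
    print("plan before repair:", before)
    print("plan after repair: ", after)
```

Logging the plan before applying it gives the admins a record of what was altered on each machine between reinstalls.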

  6. Oxford University by Gerv · · Score: 4

    Er... why are you asking Slashdot rather than some, er, University IT Departments?

    Here at Oxford, things are very decentralised. We have a crack team at the Computing Services (and our own version of CERT, OxCERT) who put emergency blocks on incoming mail if an email virus is doing the rounds (e.g. Kournikova) and manage the firewall between us and JANET, where some well-known and dangerous ports are firewalled out.
    However, although we may have a site license for something (Sophos, I think) no-one's forced to use it. People are responsible for their own machines.
    Why not just have a policy: "if your machine gets trashed by a virus and you didn't have this installed, we won't help you fix it." but not make it compulsory?

    Gerv

    1. Re:Oxford University by 4of12 · · Score: 3

      It sounds like you guys at Oxford have the right approach.

      Pardon me for possibly espousing an anachronistic viewpoint, but aren't universities places where students (you know, tomorrow's leaders) should learn both

      • depths of knowledge
      • depths of responsibility
      eh?

      To that end, I think it's great if you make available software tools for students to check their machines, and it's great if you care enough to support an expert IT staff on site that keeps up on the latest technology, runs vulnerability scans, consults with users, etc.

      Ultimately, however, you should expect the students to exercise some willingness to educate themselves as to the nature of the dangers of their computer (mis-)use, both about the technologies and about the responsibilities that are incumbent on them.

      In a nutshell:

      1. do provide a supportive environment (software, expert personnel, etc.), including a statement of dangers and an expectation that users will be responsible,
      2. don't mandate specific behaviors,
      3. do be prepared to use axes on network access to educate users about the consequences of not learning the lessons well enough.

      If our future leaders are spoon-fed with an iron-fist, then I shudder to think of the world we'll live in two decades from now.

      --
      "Provided by the management for your protection."
  7. email filtering by Wazm · · Score: 5

    For university networks, the biggest problem is obviously pesky email viruses. The best solution I've seen is to have the university mail servers filter out all executable or .vbs email attachments. Norton antivirus is a perk, but I don't think it should be required on everyone's system. (For obvious reasons.)

    --
    -Gwizdak.
  8. Responsibility... by ffatTony · · Score: 3

    I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross platform support, and certain privacy issues as well.

    Why is it the job of the University to ensure student machines are virus free? I completely understand using something like this for Department machines, Computer Labs, etc, but a machine in a dorm room is not the property of the school and should not be treated as such. Viruses are part of the computer experience and students should take charge themselves.

  9. Re:Safe Hex by Greyfox · · Score: 3
    Ok, yes, this is funny, but there's a very big grain of truth in here too. Education is the biggest thing you can do to prevent viruses. Scanners promote a false sense of security, as do supposedly "Secure" operating systems and other security products. If a user thinks that all the security stuff has been dealt with so he doesn't have to worry about it, he's going to persist in risky behavior. And as we all know, the user is the weakest link.

    Seeing as how most colleges now mandate that all incoming freshmen must have a computer, the most sensible thing to do would be to mandate a computer security principles course in the first semester. Topics covered should include viruses and how they spread, E-mail hoaxes, physical security and protecting university assets, and miscellaneous other. It would have helped a lot even back when I was in college and the big security breach was the VM Christmas Card program.

    You shouldn't stop with education either. Plan on having your lab systems hit because they will be, and have a good backup policy in place. Set them up so you can just ghost or DD a hard drive image off the network. Have your E-Mail servers eat attachments that come from outside campus. Have your servers run in an environment of paranoia. Keep logs on a write-only file system (An old line printer is often enough.) Make security a policy rather than an end-goal and your systems will remain secure enough while also remaining usable.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Safe Hex by Greyfox · · Score: 4
    As long as you practise safe hex, you won't get a virus. The most important thing is to put the little plastic thing on your floppy disk. As long as your floppy disk has a plastic thing on it, you won't get a virus.

    Another vital part of Safe Hex is education. Now I know this is a controversial subject among a lot of people (They should learn to do it on their own! They deserve to get a virus if they're doing immoral things like downloading warez or live goat porn!) but if you actually EDUCATE people about what's safe and what's not, you'll see a massive drop in the number of HTDs (Hexadecimally Transmitted Diseases) on your campus.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Breakage Account: Responsibility AND Consequences by martyb · · Score: 3

    Back in the day when I was in college (mainframes and dumb terminals), it was required for each student to fund a breakage account. The funds in the account would be refunded to the student upon graduation (transfer, leaving, etc.) MINUS any damages caused by the students (holes in the dorm room walls, broken windows, etc.) In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.

    What if a similar approach were taken with student (and faculty) systems? (The following is off the top of my head and likely has some holes in it, but I would hope it would provide a starting point; add or adjust as you see fit.)

    • Make the anti-virus software readily available.
    • Install filters on the campus e-mail servers.
    • Require each student to fund their "computer breakage" account with, say, $US400.
    • If a virus is traced to a student AND the student was using current virus filters, then NO funds would be deducted from their account.
    • If the student was NOT using a current filter, deduct, say $US50 per incident (e-mail? event?) from their breakage account.
    • A student breakage account must not drop below, say, half of the original amount -- additional funds must be provided for the student to "continue their studies" (I'm waving hands a bit here, but whatever physical breakage account policy they have would probably have a similar requirement.)
    • Invest the computer breakage funds in an interest-bearing account.
    • Use the interest income to pay for tech support.
    • Maybe even hire tech-savvy students with an interest in computer security to help with implementation and tech support -- student aid to help with their college expenses and valuable hands-on job skills.
    • Recognize some students will be computer illiterate and offer, free, tech support to set up and verify virus filters. (Ounce of prevention / pound of cure.)
    • Keep a log of when each system had its virus definitions updated. (Hmm, track the MAC address? Not sure how to identify systems.)
    • Faculty whose systems have a virus that infects other systems would lose some part of their funding. (What is good for the goose is good for the gander.)
    • Open ports -- not sure about this -- maybe perform periodic port scans for vulnerabilities? But then how do you report, update, etc.?
    • Allow the use of leftover funds at graduation for "Senior Week" activities -- students have a last hurrah with classmates at no out-of-pocket expense. (I know MY senior week was well worth it!)

    Ultimately, nothing is bulletproof, but make the protection readily and easily available, and impose penalties (sticks) on those who choose to not make use of them and provide benefits (carrots) for those who DO use the protection. Some viruses may get through, but the ones you DO catch are that much less to worry about.

    Okay, now I'm going to step back and let the /.'ers blow holes in this. :)

  12. At VaTech... by pjdepasq · · Score: 3
    Here at Virginia Tech, everyone (faculty, staff, students) has access to downloading Norton AntiVirus. Apparently, the school signed a license with Norton to make quite a few versions available for free for both the PC and the Mac.

    It's nice to see the school do this as a "perk" for us, and to help everyone stop the spread of viruses.

    antivirus.vt.edu

  13. Campus Help Centers by xenocide2 · · Score: 3
    At Kansas State we're fairly wired, with the residence hall Ethernet and the developing wireless deployment for laptops. I think the largest help in fighting virii is to get people to stop using Outlook, since most virii are .vbs. The best way to do that is not to outlaw Outlook, but to provide a better solution than Outlook.

    Considering that most school communications now rely on email and other electronic means, I think our department is doing an outstanding job. We have a help center too. A good friend of mine says the largest portion of issues they get is how to use MS productivity tools, although I'd bet they got quite a bit of calls when the IRC server (which USED to be connected to DALnet) got DDoS'd. If you really want to get people to fight virii, forcing them won't help. Just put out some Press Release type emails about how you want to help, and write up some guidelines, instructions on how to forward mail, etc. Rather than force people to use Norton and "sanctioned hardware", maybe get a site license and encourage people to download it. If your server allows it, write a tutorial on how to filter email, especially things that have .vbs or .exe attachments. Instead of telling people what not to do, help them do things on their own.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin
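The mail-server attachment filtering suggested in comments 7, 9 and 13, as an added example that is not part of the original thread: a gateway-side check that replaces executable and .vbs attachments with a text notice. The block list beyond `.exe` and `.vbs`, the addresses and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list: the comments name executables and .vbs; the remaining
# entries are other Windows executable/script types added for illustration.
BLOCKED = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf"}

def blocked_extension(filename):
    """Return the blocked extension of an attachment name, or None."""
    if not filename:
        return None
    # Windows ignores trailing dots and spaces, so "run.exe. " still opens as .exe.
    name = filename.strip().rstrip(". ").lower()
    # Only the last extension decides how the file opens: "photo.jpg.vbs" is a script.
    match = re.search(r"(\.[a-z0-9]+)$", name)
    ext = match.group(1) if match else None
    return ext if ext in BLOCKED else None

def filter_message(raw):
    """Replace blocked attachments with a notice; return (cleaned bytes, removed names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() also falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if blocked_extension(name):
            removed.append(name)
            part.clear_content()  # drops the payload and all Content-* headers
            part.set_content(f"Attachment {name!r} was removed by the mail gateway.\n")
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "student@example.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for fname in ("notes.txt", "photo.jpg.vbs", "Setup.EXE"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = filter_message(build_sample())
    print("removed:", removed)
```

A name-based filter like this does not look inside archives or at file content, so it complements the gateway virus scanning discussed in the other comments and does not replace it.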