University IT Departments and Viruses?
"[It should be noted that] the Norton server allows you to view the entire directory structure of someone's machine and allows you to see the files it is scanning as if it were your own machine. We realize this was designed more for companies and businesses, but we have found that viruses have become a major problem and give us a huge headache when we try to support all the students connected to the university network.
My question is what do other university IT departments do in response to the increase in viruses over the past 2 years. I know there are a lot of university IT employees in the Slashdot community and I look forward to getting some feedback as to how they go about doing this without causing too many privacy problems. The way we are looking at it, and we are very privacy concerned and wouldn't do anything malicious with it, is that the students are using our network under our regulations and as long as we don't use the software to 'check up on' the contents of someone's hard drive (except obviously for viruses), then what we are doing is completely legit.
Any feedback would be greatly appreciated."
I work with the mail systems for a major ISP, and 6 months ago I installed TrendMicro's VirusWall for our Business System. I have two Compaq DL 360's running RedHat 6.2 scanning inbound and outbound emails for our largest customer, 20,000 mail accounts. And I must say it works great! Anna was stopped dead in its tracks -- which is more than I can say for our Corporate servers, which they had to shut down. To date, I haven't had any problems and/or issues. And I don't have any maintenance concerns at all (stopping and starting services, checking memory, high loads, and the oh so critical updating of virus patterns, etc.). Trend has solutions for Web, FTP, and Sendmail. You might want to look into it. It's one system I'm happy to SA for.
I'm assuming that your first priority is protecting machines administered by the university. Students' personal machines are probably beyond the coverage of university site licenses, and 90% or more of the students will either ignore administrative requests, or spend 5 minutes trying to figure out how to follow them and then give up.
For the Windows network, my best suggestion would be a combination of virus scanning and regular, automated reinstall.
Put virus scanners on all of the machines, as part of their standard installation. If it's Nav, tell it to check incoming file attachments and documents - this is very, very helpful (my old workplace had a problem with macro viruses). You can probably get away with telling it to scan only local drives.
Put another virus scanner on a machine with direct access to all directories on the fileserver. It'll do your sweep of the network drives. You can either create a special NT profile for it that gives it access to all drives, or (failing that) you can run it on the fileserver itself at 4am Sunday morning (not Monday morning, because students will pull all-nighters on Sunday to finish projects due on Monday - I've TA'd courses where they regularly did this).
Next, set up the user machines with one of the third-party bootstraps that compares all system files to copies on the network server, removes anything that shouldn't be there, and fixes anything that's changed. This is the only way I know of to really bulletproof Windows, and as far as I can tell, it does work. The version installed on the PCs at my university also wiped the local drives and did a full reinstall weekly. Either tell the users to power off the PCs at the end of the day, or send an admin around to do it at the end of every week.
Needless to say, you should enable boot virus protection in the BIOS. While you're there, you should also force booting from the hard drive first and then password the BIOS, to prevent student shenanigans. This is standard practice at most shared PC installations I've seen.
Re. Macs, you're on your own. This is outside of my experience.
Re. Linux, *BSD, Solaris, etc, you probably don't have much to worry about to the first order. The vast majority of viruses run under Windows. Anything malignant in the user's files should be caught by the sweep of the fileserver. I don't really see what could go wrong in an environment like this, given that the user doesn't have root access.
To make *sure* the user doesn't have root access, set the machine to boot off of the hard drive first and lock down the BIOS, for any *nix-on-PC machines. If you're paranoid, set up a cron job to refresh the machine's configuration from a CVS server nightly or weekly, just in case something goes strange or is tampered with.
If you're really feeling paranoid about *nix terminals, make them all netboot off of the file server, with the local hard drive just being swap space. Keep a close eye on the server's configuration, and you should be fine.
In summary, with a bit of planning, you should be fine under most conditions. Virus-hardening merges naturally with hardening against bit-rot and active attacks by the users.
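The "bootstrap that compares all system files to copies on the network server" described in the post above is, at its core, a hash-based integrity baseline with repair. The following is an added illustration, not code from the poster or from any of the products mentioned: it builds a SHA-256 manifest from a clean reference tree, diffs a workstation tree against it, and then re-copies modified or missing files and deletes anything that was dropped in. The directory names, file contents and the simulated tampering in `demo()` are all constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large system files don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, target_root):
    """Diff a live tree against the baseline: changed, unexpected and missing files."""
    current = build_baseline(target_root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def repair(reference_root, target_root, report):
    """Restore the target from the reference copy: recopy bad/missing files, remove extras."""
    reference_root, target_root = Path(reference_root), Path(target_root)
    for rel in report["modified"] + report["missing"]:
        dst = target_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(reference_root / rel, dst)
    for rel in report["added"]:
        (target_root / rel).unlink()


def demo():
    """Constructed scenario: a clean reference image and a tampered workstation copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"        # the "network server" copy
        target = Path(tmp) / "workstation"   # the PC being checked at boot
        (ref / "system").mkdir(parents=True)
        (ref / "system" / "kernel.dll").write_bytes(b"clean kernel image")
        (ref / "autoexec.bat").write_bytes(b"@echo off\r\n")
        shutil.copytree(ref, target)
        baseline = build_baseline(ref)

        # Simulated infection (constructed): patched system file, dropped binary, deleted file.
        (target / "system" / "kernel.dll").write_bytes(b"clean kernel image" + b"\x90" * 4)
        (target / "dropper.exe").write_bytes(b"MZ")
        (target / "autoexec.bat").unlink()

        before = compare(baseline, target)
        repair(ref, target, before)
        after = compare(baseline, target)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before repair:", before)
    print("after repair: ", after)
```

The baseline must itself be protected (read-only share, or hashes stored on the server rather than the client), otherwise anything that can modify the workstation can also modify the manifest it is checked against.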
Er... why are you asking Slashdot rather than some, er, University IT Departments?
Here at Oxford, things are very decentralised. We have a crack team at the Computing Services (and our own version of CERT, OxCERT) who put emergency blocks on incoming mail if an email virus is doing the rounds (e.g. Kournikova) and manage the firewall between us and JANET, where some well-known and dangerous ports are firewalled out.
However, although we may have a site license for something (Sophos, I think) no-one's forced to use it. People are responsible for their own machines.
Why not just have a policy: "if your machine gets trashed by a virus and you didn't have this installed, we won't help you fix it." but not make it compulsory?
Gerv
For university networks, the biggest problem is obviously pesky email viruses. The best solution I've seen is to have the university mail servers filter out all executable or .vbs email attachments.
Norton antivirus is a perk, but I don't think it should be required on everyone's system. (For obvious reasons.)
-Gwizdak.
Another vital part of Safe Hex is education. Now I know this is a controversial subject among a lot of people (They should learn to do it on their own! They deserve to get a virus if they're doing immoral things like downloading warez or live goat porn!) but if you actually EDUCATE people about what's safe and what's not, you'll see a massive drop in the number of HTDs (Hexadecimally Transmitted Diseases) on your campus.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?