Data Security | Features

Fighting Viruses from Outside the Network

• By Dian Schaffhauser
• 06/08/10

A persistent virus is what drove George Thornton to look for a different solution. No, not the type of virus that sends school administrators running to their emergency alert systems to warn parents about an H1N1 outbreak, but the other kind--the ones that show up on computers and drag down network operations.

Around Christmas 2009 the network operations manager and his IT team at the Montgomery Independent School District in Texas (about 60 miles north of Houston) noticed a dramatic slowdown in login times. "Our utilizations on [primary domain controllers and backup domain controllers] went way up. They'd be working three to four times harder than they had been a month before," recalled Thornton. Analysis of the event logs showed that malware was attempting a brute-force attack using automatically generated log-in credentials against the district's Windows 2003 and 2008 servers.

What troubled Thornton was that the anti-virus software in place wasn't seeing the problem. That's when the district decided to look at its other options for anti-virus protection.

Attacks from Outside--in More Than One Way
This wasn't the first time IT had to deal with viruses. The district has 7,000 students in eight schools and about 3,000 terminals--2,000 traditional PCs running Windows XP and 1,000 thin clients running Citrix XenDesktop from servers. In the time that Thornton has worked for the district, that population of PCs has only grown, as have other technologies, such as student home drives for saving homework to.

Although Thornton said remote access to terminal services may be provided to students in the future, thereby allowing them to access that private storage area from home, it doesn't exist yet. That means students are dependent on the use of some other media to shuttle files back and forth between home and school--such as a CD or flash drive.

Likewise, he said, teachers also bring in media from home to school. "We find that a lot of our trouble came from teachers trying to shortcut work or students doing the same." In fact, he added, that's where the virus problems usually originate--including, Thornton said he suspects, the login attacks. "Eighty [percent] to 90 percent of the problems we get on end-user devices are brought in from outside," he said. "I'm not talking about Internet access, but physically brought in."

Some virus checkers, including the software already in place, ask the user if he or she wants the device checked for a virus. "If they're in a hurry, they're going to say no," Thornton observed. "We don't want the user to make that decision. I would consider a good security agent to be one that takes a lot of choices away from the end user when it comes to security checks."

Other Anti-Virus Options
A major customer of Microsoft products, Montgomery ISD was persuaded by that vendor to move into Forefront, Microsoft's set of business security programs. But testing showed it not to be a good match for the district.

Next, the network team called on solution integrator Logical Front, which advised the district on its server and desktop virtualization efforts, to find out what the company would recommend as an alternative. Said Thornton, "Their first reply was, 'Have you looked at Kaspersky?'"

To run a demo, Thornton's team set up "a standard Windows 2008 virtual box" running Kaspersky Lab Anti-Virus and with a few client machines attached. Three areas in particular interested them. One was the software's ability to remove evidence of its previous solution. Previous uninstalls had left detritus behind, files that would conflict with anti-virus upgrades. That would be a major problem for any kind of automated rollout of a new solution. Another area of interest was Kaspersky's ability to detect the existing virus. The third was its user control. Could IT configure the software to ensure that scan of flash drives and other media took place whether or not the user wanted it to happen?

The demo was impressive, according to Thornton. "All of a sudden we didn't have the login problems anymore. Our anonymous 'friend' wasn't attempting to log in against this machine. But it was still on all the other machines...." So that took care of the second area of interest.

Also, Kaspersky allows the network administrator to set policies to prevent users from bypassing an important step in security, such as allowing a scan on external media. That addressed the third area of interest.

It was that first area, however, that really sold Thornton. When the district expressed a desire for a tool that would allow it to remove its old solution and install the new product at the same time, Kaspersky responded, "If we don't have a tool, we'll script it for you as a free service." "We were really impressed by that," he said

The tools that came with the product "mostly worked," he added. The district supplied the vendor with a list of lingering files that weren't being completely uninstalled during the new anti-virus installation process, and, as promised, Kaspersky provided a script that fixed the problem.

Now all that was left was negotiating on a license and performing deployment. Because the district had already paid for its ForeFront license with Microsoft, IT was loath to pay for another anti-virus solution over the same timeframe, an overlap of about half a year. Not a problem, the vendor replied. "Kaspersky came out and did a sweetheart deal with us where they helped us with the six months we were going to lose," Thornton said. "We only had to cover two years and a couple of months on the contract to make it a three-year agreement."

Cutting Anti-Virus Administration to Minutes
Once the agreement was signed, IT used Group Policies in Windows Server to do the full deployment of the new anti-virus software in February and March 2010. That, said Thornton, took care of remote installation on 97 percent to 98 percent of the machines. Those numbers made it a "successful rollout." The rest, he explained were either laptops that rarely get hooked to the network or PCs sitting in closets that show up from time to time.

That rollout took about a week and a half. Now the district is into its third month of usage, and the benefits are already stacking up. "Obviously, the server viruses are now gone," Thornton said. "Also, it has actually sped up the log-in process for end users because we don't have that virus in the background trying to brute force attack log-in servers."

The new program has also simplified the management of client machines. Whereas the previous application had a couple of consoles, Kaspersky's administration controls are centralized. On top of that, said Thornton, "You can do everything in e-mail. You don't have to be in the console. Kaspersky will send notifications; you click on the links; and it'll take you were you need to go to fix that problem."

Now anti-virus administration--a job that used to take a day or two every week--consumes only a couple of minutes a week. "That's kind of nice. When I go back and look at what we had to do to fix viruses in the past, it's a lifesaver," the Texan concluded. "Kaspersky has lot more tools in place that take into account what a virus can do to an end user device. Maybe it's not the silver bullet, but it's a pretty good dang one."