Anti-Virus Policies for Workstations and Laptops

The policies that are established for workstations and laptops fall into two main categories:

  1. Anti-Virus Scan Time Policies -- When you choose the Full Anti-Virus Management model, you can determine what time the scan runs and what actually gets scanned.  At this time, workstations and laptops can be scanned every day, 7 days a week, 365 days a year, at any of the following times (assuming the system is left on at the time the anti-virus scan is initiated).  Other times are available; it is just that no requests have been made for anti-virus scanning at times other than the ones listed below:
    • 2:00 AM
    • 5:00 AM
    • 12:00 PM (noon)
    • 12:00 PM and 7:00 PM
    • 4:00 PM
    • 6:00 PM
    • 7:00 PM
    • 8:00 PM
    • 10:00 PM
    • 11:00 PM
  2. Anti-Virus and Host Intrusion Prevention System Policy Components -- These characteristics of the Sophos product together form the "policy" by which anti-virus scanning, management and remediation take place.  By adjusting these components for groups of computers or servers, you can vary how the product behaves for that particular group.  For example, you might want "On-access scanning" for workstations and laptops, but you wouldn't want it for servers, as it may dramatically reduce a server's performance.
    • Authorization -- Authorization or denial of applications to run on a system is based upon a number of criteria.
    • Messaging -- Messages to the user can be set to go out (or not) through email.
      • Desktop Messaging -- In order to minimize the need for users to get involved, desktop messaging has been turned off.
      • Email Alerting -- This has been enabled, so Desktop Support personnel and Sophos Administrators can be notified of virus problems early in the detection process.
      • SNMP Messaging -- Not in use at this time.
      • Event Log -- We make extensive use of virus event logs so that follow-up can occur as to what happens during a virus outbreak on campus.
    • Sophos Live Protection -- "Live Protection" provides the most up-to-date threat protection through a real-time online lookup service at Sophos.com.  We have this enabled and automatically send sample files to Sophos for further forensic analysis.
    • Suspicious Behavior (HIPS) -- The "Host Intrusion Protection System" is set up on the Enterprise Console to detect suspicious behavior and buffer overflows.  There is an "Alert Only" option, but it has been turned off, so the system will remediate problems with suspicious files.
    • On-Access Scanning -- On-access scanning is at the heart of what we do to protect computers on campus. 
      • Scanning -- What to scan
        • Check Files Upon . . .  -- The anti-virus system has been set up to check files whenever a user "reads" a file.  There are also options to check files when they are written or renamed, but these are not currently turned on.
        • Scan For -- The set-up currently provides for Adware and PUAs (Possible Undesirable Applications) and Suspicious Files.  We don't currently scan for Macintosh viruses, as this service is currently deployed only to IBM-type PCs on campus.
        • Other Scanning Options -- There are options to allow access to drives with infected boot sectors and to scan (or not scan) inside archive files (which is not recommended due to its high toll on performance).
      • Extensions -- Files with specific extensions to scan or not scan (e.g. .exe, .pdf, etc.).  We choose not to scan all files, for performance reasons, but we do choose to scan files with no extension and other executable and/or vulnerable file types.
      • Exclusions -- We can choose to exclude specific file types, application files (like Thunderbird files), specific files, or drive and folder designations.  For obvious reasons, we also choose not to scan remote files.
      • Mac Exclusions -- We can choose the same specific types of exclusions provided to Windows files for Macs
      • Linux/Unix Exclusions -- If we scan Linux/Unix systems, we can choose the same specific types of exclusions provided to Windows files and Mac files
      • Clean-Up -- We can choose what to do (or not do) automatically when viruses, suspicious files, spyware and other malware are found on a system.  Currently, we automatically clean up these items by deleting all viruses and spyware and by denying access to suspicious files, moving them to a safe location on the hard drive.
    • Web Protection -- When users inadvertently or intentionally attempt to go to specific websites, we block access to any malicious websites and provide on-access scanning, in a similar fashion, of content downloaded from a website.
    • Scanning Schedule -- The Scanning Schedule allows us to choose what to scan (and not to scan), and to schedule the scan to occur on specific days and at specific times.
    • Extensions and Exclusions -- Just like "On-Access Scanning", scheduled scans can be set to exclude or include specific file extensions and types.
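To make the interplay of the On-Access Scanning components concrete (check trigger, exclusions, archive handling, extension list and clean-up action), here is an added Python model of those decisions.  It is example code written for this page, not Sophos code and not the campus configuration itself.  The extension list, the mapped drive letters, the Thunderbird profile path, the sample file operations and the adware/PUA clean-up choice are all constructed assumptions; the page only states that reads trigger checks, that extension-less and executable files are scanned, that remote files and archive contents are not, and that viruses and spyware are deleted while suspicious files are moved to a safe location.

```python
"""Added example: a toy model of the on-access scanning policy described above.
Not Sophos code and not the campus configuration itself."""
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath


class Decision(Enum):
    SCAN = "scan"
    SKIP = "skip"


class Cleanup(Enum):
    DELETE = "delete"
    QUARANTINE = "move to safe location and deny access"


# Archive types whose contents the page says are expensive to scan (constructed list).
ARCHIVE_EXTENSIONS = frozenset({".zip", ".rar", ".7z", ".cab", ".gz"})


@dataclass(frozen=True)
class OnAccessPolicy:
    # "Check Files Upon": the page enables read and leaves write and rename off.
    check_on: frozenset = frozenset({"read"})
    # "Extensions": executable / vulnerable types.  Constructed sample list;
    # the product's real list is longer and is not given on the page.
    scan_extensions: frozenset = frozenset(
        {".exe", ".dll", ".com", ".scr", ".pdf", ".doc", ".docm", ".xls", ".js", ".vbs", ".ps1"})
    scan_no_extension: bool = True      # page: files with no extension are scanned
    scan_inside_archives: bool = False  # page: not recommended, high performance cost
    scan_remote_files: bool = False     # page: remote files are not scanned
    # Mapped network drive letters are an assumption (the page lists none).
    remote_drive_letters: frozenset = frozenset({"H:", "S:"})
    # "Exclusions": an application folder; the Thunderbird path is an assumption.
    excluded_folders: tuple = (r"C:\Users\alice\AppData\Roaming\Thunderbird",)


POLICY = OnAccessPolicy()


def is_remote(path: PureWindowsPath, policy: OnAccessPolicy = POLICY) -> bool:
    # UNC paths (\\server\share) and known mapped drive letters count as remote.
    drive = path.drive.upper()
    return drive.startswith("\\\\") or drive in policy.remote_drive_letters


def evaluate(raw_path: str, operation: str,
             policy: OnAccessPolicy = POLICY) -> tuple[Decision, str]:
    """Return the on-access decision for one file operation plus the rule that decided it.
    Order: trigger, remote-file rule, folder exclusions, archive rule, extension list."""
    path = PureWindowsPath(raw_path)
    if operation not in policy.check_on:
        return Decision.SKIP, f"'{operation}' does not trigger a check"
    if is_remote(path, policy) and not policy.scan_remote_files:
        return Decision.SKIP, "remote file excluded"
    if any(PureWindowsPath(f) in path.parents for f in policy.excluded_folders):
        return Decision.SKIP, "inside an excluded folder"
    suffix = path.suffix.lower()  # "" for files such as "setup" or "Inbox"
    if suffix in ARCHIVE_EXTENSIONS and not policy.scan_inside_archives:
        return Decision.SKIP, "inside-archive scanning is off"
    if suffix == "":
        if policy.scan_no_extension:
            return Decision.SCAN, "no extension, scanned by policy"
        return Decision.SKIP, "no extension, not scanned by policy"
    if suffix in policy.scan_extensions:
        return Decision.SCAN, f"extension {suffix} is on the scan list"
    return Decision.SKIP, f"extension {suffix} is not on the scan list"


def cleanup_action(category: str) -> Cleanup:
    """"Clean-Up": viruses and spyware are deleted; suspicious files are moved and access denied."""
    if category in {"virus", "spyware"}:
        return Cleanup.DELETE
    if category == "suspicious":
        return Cleanup.QUARANTINE
    # Adware/PUA handling is not stated on the page; treating them like
    # suspicious files is an assumption of this example.
    if category in {"adware", "pua"}:
        return Cleanup.QUARANTINE
    raise ValueError(f"unknown detection category: {category}")


# Constructed sample file operations, not real campus data.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\Downloads\invoice.exe", "read"),
    (r"C:\Users\alice\Downloads\invoice.exe", "write"),
    (r"\\fileserver\share\report.pdf", "read"),
    (r"C:\Users\alice\Downloads\setup", "read"),
    (r"C:\Users\alice\Downloads\bundle.zip", "read"),
    (r"C:\Users\alice\Downloads\photo.jpg", "read"),
    (r"C:\Users\alice\AppData\Roaming\Thunderbird\Mail\Inbox", "read"),
]


def trace(events=SAMPLE_EVENTS, policy: OnAccessPolicy = POLICY) -> list[tuple]:
    """Run every sample event through the policy and return (path, op, decision, reason)."""
    return [(p, op, *evaluate(p, op, policy)) for p, op in events]


if __name__ == "__main__":
    for path, op, decision, reason in trace():
        print(f"{decision.value:4}  {op:5}  {path}  ({reason})")
```

The rule order matters: a file with no extension inside an excluded folder is skipped by the exclusion before the "scan files with no extension" rule is ever reached, which is why the Thunderbird "Inbox" sample is skipped while the bare "setup" download is scanned.  Running the module prints one line per sample operation with the rule that decided it.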